Bill Mellon of the University of Wisconsin said that when he set out to overhaul computer security recently, he was stunned by the sheer volume of hacking attempts.
“We get 90,000 to 100,000 attempts per day, from China alone, to penetrate our system,” said Mellon, the associate dean for research policy. “There are also a lot from Russia, and recently a lot from Vietnam, but it’s primarily China.”
Other universities report a similar number of attacks and say the figure is doubling every few years. What worries them most is the growing sophistication of the assaults.
For corporations, cyberattacks have become a major concern, as they find evidence of persistent hacking by well-organized groups around the world — often suspected of being state-sponsored — that are looking to steal information that has commercial, political or national security value. The New York Times disclosed in January that hackers with possible links to the Chinese military had penetrated its computer systems, apparently looking for the sources of material embarrassing to China’s leaders.
This kind of industrial espionage has become a sticking point in US-China relations, with the Obama administration complaining of organized cybertheft of trade secrets, and Chinese officials pointing to revelations of US spying.
Like major corporations, universities develop intellectual property that can turn into valuable products like prescription drugs or computer chips. University systems are harder to secure, with thousands of students and staff members logging in with their own computers.
Shaw said that he and many of his counterparts had accepted that the external shells of their systems must remain somewhat porous. The most sensitive data can be housed in the equivalent of smaller vaults that are harder to access and harder to move within, use data encryption, and sometimes are not even connected to the larger campus network, particularly when the work involves dangerous pathogens or research that could turn into weapons systems.
“It’s sort of the opposite of the corporate structure, which is often tougher to enter but easier to navigate,” said Paul Rivers, manager of system and network security at the University of California, Berkeley. “We treat the overall Berkeley network as just as hostile as the Internet outside.”
Berkeley’s cybersecurity budget, already in the millions of dollars, has doubled since last year, responding to what the associate vice chancellor and chief information officer Larry Conrad said were “millions of attempted break-ins every single week.”
“I’ve had no resistance to any increased investment in security that I’ve advocated so far,” said Shaw, who arrived at Purdue last year.
Mellon said his university was spending more than US$1 million to upgrade computer security in just one program, which works with infectious diseases.
Along with increased spending has come an array of policy changes, often after consultation with the FBI. Every research university contacted said it was in frequent contact with the bureau, which has programs specifically to advise universities on safeguarding data. The FBI did not respond to requests to discuss those efforts.
Not all of the potential threats are digital. In April, a researcher from China who was working at the University of Wisconsin’s medical school was arrested and charged with trying to steal a cancer-fighting compound and related data.