[House Hearing, 115 Congress]
[From the U.S. Government Publishing Office]


                          SCHOLARS OR SPIES: 
                   FOREIGN PLOTS TARGETING AMERICA'S
                        RESEARCH AND DEVELOPMENT

=======================================================================

                             JOINT HEARING

                               BEFORE THE

                      SUBCOMMITTEE ON OVERSIGHT &
                SUBCOMMITTEE ON RESEARCH AND TECHNOLOGY

              COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY
                        HOUSE OF REPRESENTATIVES

                     ONE HUNDRED FIFTEENTH CONGRESS

                             SECOND SESSION

                               __________

                             APRIL 11, 2018

                               __________

                           Serial No. 115-54

                               __________

 Printed for the use of the Committee on Science, Space, and Technology
 
 



       Available via the World Wide Web: http://science.house.gov

              
                               __________
                               

                    U.S. GOVERNMENT PUBLISHING OFFICE                    
29-781PDF                  WASHINGTON : 2018                     
          
              
              
              
              COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY

                   HON. LAMAR S. SMITH, Texas, Chair
FRANK D. LUCAS, Oklahoma             EDDIE BERNICE JOHNSON, Texas
DANA ROHRABACHER, California         ZOE LOFGREN, California
MO BROOKS, Alabama                   DANIEL LIPINSKI, Illinois
RANDY HULTGREN, Illinois             SUZANNE BONAMICI, Oregon
BILL POSEY, Florida                  AMI BERA, California
THOMAS MASSIE, Kentucky              ELIZABETH H. ESTY, Connecticut
JIM BRIDENSTINE, Oklahoma            MARC A. VEASEY, Texas
RANDY K. WEBER, Texas                DONALD S. BEYER, JR., Virginia
STEPHEN KNIGHT, California           JACKY ROSEN, Nevada
BRIAN BABIN, Texas                   JERRY McNERNEY, California
BARBARA COMSTOCK, Virginia           ED PERLMUTTER, Colorado
BARRY LOUDERMILK, Georgia            PAUL TONKO, New York
RALPH LEE ABRAHAM, Louisiana         BILL FOSTER, Illinois
DANIEL WEBSTER, Florida              MARK TAKANO, California
JIM BANKS, Indiana                   COLLEEN HANABUSA, Hawaii
ANDY BIGGS, Arizona                  CHARLIE CRIST, Florida
ROGER W. MARSHALL, Kansas
NEAL P. DUNN, Florida
CLAY HIGGINS, Louisiana
RALPH NORMAN, South Carolina
                                 ------                                

                       Subcommittee on Oversight


                  RALPH LEE ABRAHAM, Louisiana, Chair
FRANK D. LUCAS, Oklahoma             DONALD S. BEYER, Jr., Virginia
BILL POSEY, Florida                  JERRY McNERNEY, California
THOMAS MASSIE, Kentucky              ED PERLMUTTER, Colorado
BARRY LOUDERMILK, Georgia            EDDIE BERNICE JOHNSON, Texas
ROGER W. MARSHALL, Kansas
CLAY HIGGINS, Louisiana
RALPH NORMAN, South Carolina
LAMAR S. SMITH, Texas
                                 ------                                

                Subcommittee on Research and Technology

                 HON. BARBARA COMSTOCK, Virginia, Chair
FRANK D. LUCAS, Oklahoma             DANIEL LIPINSKI, Illinois
RANDY HULTGREN, Illinois             ELIZABETH H. ESTY, Connecticut
STEPHEN KNIGHT, California           JACKY ROSEN, Nevada
RALPH LEE ABRAHAM, Louisiana         SUZANNE BONAMICI, Oregon
DANIEL WEBSTER, Florida              AMI BERA, California
JIM BANKS, Indiana                   DONALD S. BEYER, JR., Virginia
ROGER W. MARSHALL, Kansas            EDDIE BERNICE JOHNSON, Texas
LAMAR S. SMITH, Texas
                            
                            
                            C O N T E N T S

                             April 11, 2018

Witness List

Hearing Charter

                           Opening Statements

Statement by Representative Ralph Lee Abraham, Chairman, 
  Subcommittee on Oversight, Committee on Science, Space, and 
  Technology, U.S. House of Representatives
    Written Statement

Statement by Representative Donald S. Beyer, Jr., Ranking Member, 
  Subcommittee on Oversight, Committee on Science, Space, and 
  Technology, U.S. House of Representatives
    Written Statement

Statement by Representative Lamar S. Smith, Chairman, Committee 
  on Science, Space, and Technology, U.S. House of 
  Representatives
    Written Statement

Statement by Representative Eddie Bernice Johnson, Ranking 
  Member, Committee on Science, Space, and Technology, U.S. House 
  of Representatives
    Written Statement

Statement by Representative Barbara Comstock, Chairwoman, 
  Subcommittee on Research and Technology, Committee on Science, 
  Space, and Technology, U.S. House of Representatives
    Written Statement

                               Witnesses:

The Honorable Michael Wessel, Commissioner, U.S.-China Economic 
  and Security Review Commission
    Oral Statement
    Written Statement

The Honorable Michelle Van Cleave, former National 
  Counterintelligence Executive
    Oral Statement
    Written Statement

Mr. Daniel Golden, Author, Spy Schools
    Oral Statement
    Written Statement

Mr. Crane Hassold, Director of Threat Intelligence, PhishLabs
    Oral Statement
    Written Statement

Discussion

             Appendix I: Answers to Post-Hearing Questions

The Honorable Michael Wessel, Commissioner, U.S.-China Economic 
  and Security Review Commission

The Honorable Michelle Van Cleave, former National 
  Counterintelligence Executive

Mr. Daniel Golden, Author, Spy Schools

Mr. Crane Hassold, Director of Threat Intelligence, PhishLabs

            Appendix II: Additional Material for the Record

Documents submitted by Representative Donald S. Beyer, Jr., 
  Ranking Member, Subcommittee on Oversight, Committee on 
  Science, Space, and Technology, U.S. House of Representatives

 
                           SCHOLARS OR SPIES:
                   FOREIGN PLOTS TARGETING AMERICA'S
                        RESEARCH AND DEVELOPMENT

                              ----------                              


                       WEDNESDAY, APRIL 11, 2018

                  House of Representatives,
                      Subcommittee on Oversight and
            Subcommittee on Research and Technology
               Committee on Science, Space, and Technology,
                                                   Washington, D.C.

    The Subcommittees met, pursuant to call, at 10:01 a.m., in 
Room 2318 of the Rayburn House Office Building, Hon. Ralph 
Abraham [Chairman of the Subcommittee on Oversight] presiding.

[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]

    Chairman Abraham. Good morning. The Subcommittee on 
Oversight and Research and Technology will come to order.
    Without objection, the Chair is authorized to declare 
recess of the Subcommittee at any time.
    This hearing will be entitled ``Scholars or Spies: Foreign 
Plots Targeting America's Research and Development.'' I'm going 
to recognize myself for five minutes for an opening statement.
    Again, good morning. Welcome to the joint Oversight and 
Research and Technology hearing ``Scholars or Spies: Foreign 
Plots Targeting America's Research and Development.'' This 
hearing is an opportunity to address the vulnerability of U.S. 
academic institutions to the threat of foreign exfiltration of 
valuable science and technology research and development.
    Exfiltration is a new word being used to describe the 
surreptitious removal of data, as well as R&D, both of which 
we'll discuss today. We look forward to hearing from former 
government and private sector experts about the magnitude and 
consequences of this threat. We are also interested in learning 
what actions must be taken to prevent or mitigate this threat 
in the future without stifling the collaborative research 
activities that are critical to the United States academic 
sector.
    Over the past few years, case after case has been reported 
at our universities and colleges, all with similar themes. 
After obtaining access to data and other valuable information, 
individuals, including professors, students, researchers and 
visitors--some with strong ties to a foreign nation--attempt to 
take that knowledge to foreign governments, universities, or 
companies.
    As a medical doctor myself, I found one case particularly 
concerning. A former associate professor at New York 
University, specializing in MRI technology, had been working on 
research sponsored by a grant from the National Institutes of 
Health. According to prosecutors in the initial charges, this 
individual colluded with representatives from a Chinese-
sponsored research institute and concealed the fact that he 
patented technology developed with NIH funds for the purpose of 
licensing it to a Chinese medical imaging company for literally 
millions of dollars.
    This case and others demonstrate the targeting of the 
innovation and intellectual property from our country's 
greatest minds and institutions and, in some cases, the ability 
for foreign nations to gain easy access by exploiting the lax 
security posture of our academic institutions.
    The Science Committee has continuously engaged in vigorous 
oversight of federally funded basic research and technology, 
particularly research with a clear path to commercialization 
and a direct benefit for U.S. businesses and government. A 
significant amount of academic research and development is 
funded by the American taxpayers. Just last year, the Federal 
Government spent approximately $1.5 billion on research and 
development, in addition to the even larger amount of funding 
provided by private sector U.S. companies and universities.
    If this nefarious activity is aimed at recipients of 
federal grant programs, then it is the American taxpayers that 
are unwittingly funding the technological advancements and 
innovative breakthroughs that allow foreign nations to 
improperly gain a competitive economic advantage.
    China has publicly proven itself to be the most aggressive 
in the targeting of U.S. research over the past decade. China 
has heavily invested increasing amounts of financial and 
physical resources to support a science and technology industry 
that is based on the transfer of basic science, which allows 
that country to prioritize advanced development and 
commercialization over basic and fundamental research. 
Essentially, China steals our fundamental research and quickly 
capitalizes by commercializing the technology.
    While much of the discussion and examples used in today's 
hearing may focus on China, I want to be clear that this 
committee is very concerned about all foreign nations and 
agents that are inappropriately attempting to take advantage of 
America's research and development. China's efforts in 
particular have provided useful examples to analyze, mainly 
because of their open and aggressive tactics. However, the 
recent DOJ charges based on Iran's actions are further 
confirmation that this problem is not confined just to China, 
and we should assume a number of other bad actors are also 
making similar attempts.
    Taking that into account, bolstering the cybersecurity of 
federal information systems has been among the Committee's top 
priorities. I am hopeful that the discussion here today will 
highlight efforts to accomplish this objective and make 
prevention a priority of all recipients of taxpayer dollars. 
Whether physical or cybersecurity threats, it is clear that our 
academic institutions are not taking all the necessary steps to 
adequately protect this vital research.
    I look forward to the insight of our witnesses today, which 
will help us assess these important issues and determine 
whether additional questions need to be asked of our partners 
in the executive branch, as well as in academia. We hope to 
better understand the next steps that must be taken to 
safeguard the competitiveness and security of federally funded 
research and development, especially the role of U.S. academic 
institutes.
    [The prepared statement of Chairman Abraham follows:]

[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]

    Chairman Abraham. I now recognize the Ranking Member of the 
Oversight Committee, the gentleman from Virginia, Mr. Beyer, 
for an opening statement.
    Mr. Beyer. Thank you, Mr. Chairman. I'd like to thank you 
and Chairwoman Comstock for holding this hearing.
    Vigilance against espionage threats is important on all 
fronts from cybersecurity breaches to intelligence gathering by 
covert operatives on the ground.
    As a committee, we've conducted numerous bipartisan 
investigations into cyber breaches. Our June hearing on 
WannaCry, for instance, gave us context into the recent Iranian 
attacks on hundreds of domestic and foreign universities. 
Hacking, however, is but one tool in a suite of techniques used 
by intelligence agencies to target U.S. universities.
    In cases of academic-related espionage, student researchers 
are recruited by a foreign government to study or do research 
at an American institution and pass along sensitive scientific 
research and technology to the foreign government. American 
universities play a critical role in driving fundamental 
research and developing innovative technologies for our nation. 
The loss of this sort of data can have tremendous economic 
consequences, endanger our national security, and diminish our 
technological lead in critical technologies.
    Although an essential tenet of academia is this open 
pursuit of scientific research, professors, students, university 
scientists need to understand the potential value of their 
research to foreign adversaries. They should be properly 
educated about potential espionage threats and trained on how 
to take appropriate security measures, whether they're online 
or at an international conference presenting their research 
findings.
    What I do not believe what we want to do, however, is pull 
the welcome mat from under the more than 1 million foreign 
students to come to America to study every year, contributing 
more than $36 billion to our economy annually, and creating 
hundreds of thousands of U.S. jobs and contributing to 
America's academic leadership. And having just finished paying 
for the third college education, I'm so grateful for the full 
tuitions that foreign students pay, holding down at least a 
little bit the price that we have to pay.
    The media has recently painted a poor picture of the 
academic community being disinterested or naive about the 
potential security threats they face. I'm not sure this is an 
accurate portrait. The higher education community has several 
vehicles they use to identify threats and train their members 
to take actions to mitigate their vulnerabilities to attack. 
These include the Research and Education Network, Information 
Sharing and Analysis Center, the Higher Education Information 
Security Council, and the newly formed Omni Security Operations 
Center described as, quote, ``a pioneering initiative that 
helps higher education institutions reduce the impact of 
cybersecurity threats.'' The new group that's based in Indiana 
University includes collaboration with Northwestern University, 
Purdue University, Rutgers, and the University of Nebraska 
Lincoln.
    Cooperation in the security arena is critical, and I'm glad 
to see this sort of cooperation emerging between universities. 
However, these universities also need the cooperation from the 
law enforcement and the intelligence community to help ensure 
that they're apprised of specific threats or risks.
    In 2005, to help foster better lines of communication 
between the FBI and the U.S. academic community, the FBI 
created the National Security Higher Education Advisory Board 
originally composed of 15 Presidents and Chancellors of leading 
universities. But, unfortunately, this past February, the 
members of this board received a letter from the FBI announcing 
their decision to disband it. The letter praised the 
cooperation between intelligence agencies, law enforcement, and 
academia and said the FBI was exploring the creation of a new 
board. Officials in the academic community, however, believe 
the board played an important role in helping universities 
understand the intelligent risks they face and were both 
surprised and disappointed this board was disbanded with no 
clear plan to replace it.
    So, Mr. Chairman, I'm attaching this letter to my 
statement, as well as a letter from the Association of American 
Universities, the Association of Public and Land Grant 
Universities, the American Council on Education, and the 
Council on Governmental Relations all regarding this important 
issue.
    Chairman Abraham. Without objection.
    Mr. Beyer. Thank you.
    [The information appears in Appendix II]
    Mr. Beyer. Balancing legitimate security risks with 
international scientific cooperation is critical to ensure that 
we address real risks appropriately and thoroughly while not 
diminishing the benefits we have obtained by opening our doors 
to foreign students and collaborating with international 
partners. We don't stop using computers because they're 
vulnerable; we take steps to make them safer. Likewise, we 
cannot let concern over academic espionage crowd out the 
multitude of benefits from the international exchange of 
scholarship.
    America's leadership in science and technology is highly 
dependent upon its openness to scholars from around the globe. 
Any action we take to respond to the threat of academic 
espionage must take into account the value of cooperation. The 
intelligence community and the academic community should not be 
at odds but rather working together to secure our sensitive 
research.
    So I'm looking forward to hearing from our witnesses today 
about how we can balance these two important issues regarding 
security and scholarship. Thank you, Mr. Chairman. I yield 
back.
    [The prepared statement of Mr. Beyer follows:]

[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
    
    Chairman Abraham. Thank you. And I now recognize the 
Chairman of the full committee, the gentleman from Texas, Mr. 
Lamar Smith.
    Chairman Smith. Thank you, Mr. Chairman. Also, I want to 
thank Chairwoman Comstock for letting me jump in ahead of her. 
I have a bill before the Judiciary Committee this morning 
that's being marked up, so I'm going to need to excuse myself 
shortly, but I will be back to ask questions.
    Mr. Chairman, foreign countries' attempts to access and 
steal U.S. research and development pose an acute risk to our 
national and economic security. In recent months, the public 
has become aware that we are under attack from foreign 
governments that want to steal our technological secrets and 
scientific discoveries and use them for their own purposes.
    Just last month, the U.S. Department of Justice showed how 
serious the threat is. DOJ indicted nine Iranian nationals for 
breaking into university computer systems and stealing 
information and intellectual property worth billions of 
dollars. This brazen theft was on behalf of the Iranian 
government and universities in Iran. This was a widespread and 
concentrated campaign. Attackers hacked nearly 4,000 accounts 
of professors across 144 U.S. universities. According to 
informed sources, the attackers specifically targeted 
universities engaged in science, technology, and medical 
research.
    According to the Justice Department, U.S. universities 
spent more than $3.4 billion on creating and developing the 
scientific information, academic data, and intellectual 
property that was stolen. Nearly $3.5 billion of U.S. research, 
some of which was funded by American taxpayers, was illegally 
taken and is now in the hands of a hostile foreign nation. This 
is just one example.
    Unfortunately, Iran is not the only threat. China has 
actively and aggressively targeted research and development at 
U.S. academic institutions for years. The Chinese Government 
has been very clear about its long-range plans for achieving 
global domination in critical areas of science and technology. 
China, however, has been less than forthright about its 
methods, which include theft of confidential information and 
technological secrets from U.S. companies, cyber attacks, and 
other forms of spying to undermine our national security and 
putting sleeper agents at our own research universities to 
steal our scientific breakthroughs.
    Chinese efforts are concentrated in the areas that it has 
prioritized: artificial intelligence, medical science, and 
national security. By understanding China's priorities and the 
lengths to which it is prepared to go, we can adopt an 
effective approach, but the first step is recognizing the risks 
we face.
    The intelligence community has warned about these threats 
for years, ranging from cyber attacks to human manipulation to 
break-ins. We know that foreign agents routinely target 
American students and educators in their priority areas. 
Faculty and administrators must be alert and educated to spot 
the warning signs of foreign operations. But many in academia 
have been unwilling to accept reality and unwilling to take any 
defensive measures to protect their researchers' work, their 
universities' scientific assets, and taxpayers' investments.
    The University of Texas recently rejected funding from the 
China-United States Exchange Foundation, a China-based and 
government-connected foundation. The foundation is registered 
as a foreign agent representing China. The idea of a university 
taking significant funding from an organization controlled by a 
foreign government would be contrary to the independence and 
safeguards needed in academia. This action by the University of 
Texas was appropriate and the type of proactive oversight that 
needs to occur at other colleges.
    The National Science Foundation's grant guidance is clear: 
As grant recipients, universities bear full responsibility for 
the management and results of federally funded projects. The 
recent indictments of Iranian student-spies and other incidents 
are clear warnings about the need for swift, strong action. 
This includes improved cybersecurity, educating researchers to 
anticipate attempts to steal their work, and more careful 
screening of those who come to the United States to study.
    I also look forward to hearing from our experts about how 
we can build appropriate defenses. On the one hand, we must 
maintain the open and collaborative nature of academic research 
and development. On the other, we must protect our research and 
development from actors who seek to do us harm.
    Thank you, Mr. Chairman. I yield back.
    [The prepared statement of Chairman Smith follows:]
  
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
    
    Chairman Abraham. Thank you. I now recognize the Ranking 
Member of the full committee, Ms. Johnson, for an opening 
statement.
    Ms. Johnson. Thank you very much, Chairman Abraham and 
Chairwoman Comstock, for convening this hearing today, and 
thanks to the panel that agreed to appear before us.
    America's superior academic institutions have drawn the 
best and the brightest from around the world, and we have 
benefited greatly from their contributions. From 1960 to 2017, 
foreign immigrants who settled in America won 81 Nobel Prizes 
in chemistry, medicine, and physics. In 2016, all six Americans 
who won Nobel Prizes in chemistry, physics, and economics were 
immigrants. Many of these immigrants came here as international 
students.
    Academic and intellectual openness are key to the success 
of American higher education and America's leadership in 
science and technology. However, we do face legitimate and 
serious threats from foreign adversaries. They are targeting 
our scientific innovations and advanced technologies whether at 
our government-funded laboratories, in our industries, or on 
the campuses of our universities. The theft of--plunder of our 
critical technologies must be clearly addressed and prevented.
    Our counterintelligence community must work hand-in-hand 
with research institutions to help mitigate the risk of these 
threats. These institutions need to be engaged in applying best 
practices in their approach to security and know how to 
identify acts of espionage. Professors and researchers should 
learn more about intelligence activities carried out through 
social engineering, networking, and conference participation. 
Now is not the time for the counterintelligence community to 
reduce its outreach to research colleges and universities. 
These bonds should be growing and strengthening. It is vital to 
our national security.
    However, we need to be careful that any security measures 
do not stifle the benefits our country realizes from legitimate 
international academic collaboration. At the same time, we 
should also examine the reasons why universities find 
international students so attractive. Part of the reason is 
economic. Nationwide, States have reduced levels of financial 
support to our respective public institutions of higher 
learning. Universities have responded by cutting financial aid 
and raising tuition fees. International students who usually 
pay full tuition have helped make up this reduction in funding 
and have helped universities balance their books.
    This also makes the allure for foreign funding from 
students of foreign institutions such as China's Confucius 
Institute that offer hundreds of thousands and occasionally 
millions of dollars for academic programming very enticing. We 
need to make sure that state and federal support for higher 
education meets the needs of these vital institutions. It is 
vital to our national security.
    I look forward to hearing from our witnesses today, and I 
yield back the balance of my time.
    [The prepared statement of Ms. Johnson follows:]
   
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]

    Chairman Abraham. Thank you, Ms. Johnson.
    I now recognize the Chair of the Research and Technology 
Subcommittee, Mrs. Comstock, for an opening statement.
    Mrs. Comstock. Thank you, Chairman Abraham, for holding a 
hearing on this important and serious issue. It would be easy 
to think about the theft of information from American 
universities by foreign students to be the topic of a modern-
day spy novel, but in fact it is a very real problem and, 
sadly, not a new one. My predecessor in the House, 
Representative Frank Wolf, also worked on this important issue.
    Academic institutions in the United States are valued for 
their openness, innovation, and collaboration with domestic and 
international scientists. Our nation has long been a leader in 
science and technology research and development, and 
consequently, a magnet for foreign scholars and scientists 
seeking to learn from and collaborate with the best.
    Unfortunately, various immoral actors have sought to 
exploit our openness to steal American ingenuity and innovation 
and undermine our system. Such thefts can enable foreign 
nations to save themselves billions in research and development 
costs and support technological advances that they may 
otherwise be unable to make on their own in order to gain an 
industrial or, even more troubling, a military advantage.
    The FBI has been warning our academic community about these 
threats for years, while also urging measures be taken to guard 
against such activity. Since much of the stolen information 
comes from research funded by federal agencies, these nations 
are ultimately stealing ideas and innovations from American 
taxpayers like you and me, undermining the policy intent of 
federal funding for such research in the first place. It is 
imperative that our academic institutions not close their eyes 
to the very real threat posed by foreign intelligence spies. 
They cannot be blinded by naivete or ignorance when 
distinguishing between friend and foe.
    But to be clear, the solution is not to shutter the doors 
of American universities and colleges to students, researchers, 
and professors from foreign nations. The vast majority of 
scholars who come to the United States do so to work with our 
citizens on scientific discoveries and breakthroughs based on 
an open exchange of ideas to benefit the scientific community 
and the world.
    Finding an appropriate balance between scientific openness 
and security concerns is not new, nor is it easy, but it's 
essential. As our world continues to be increasingly connected 
electronically, with more devices that can be used to covertly 
take pictures or scans, it is getting easier for foreign 
criminals to steal our information. Other committees just today 
are talking to major players on that front, as we know. That is 
why hearings like this are important, as they shine a light on 
the problem and provide a venue to engage with stakeholders to 
identify potential solutions.
    I look forward to hearing what our witnesses have to say 
and hope they have some advice on how to better distinguish 
between scholar and spy so that we may find the balance between 
open scientific collaboration and protecting America's research 
and development.
    As I mentioned, we do have some headline-grabbers here 
today, as you might know in the Capitol, but I think this issue 
is every bit as important, and I thank the witnesses for being 
here today. And I yield back.
    [The prepared statement of Mrs. Comstock follows:]
 
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
    
    Chairman Abraham. Thank you, Mrs. Comstock.
    Let me introduce the witnesses now. Our first witness today 
is Honorable Michael Wessel, a Commissioner of the U.S.-China 
Economic and Security Review Commission. Mr. Wessel previously 
worked for the Federal Trade Deficit Commission in 1999 and 
2000. He's spent more than 2 decades as a staffer for former 
House Democratic leader Richard Gephardt. Mr. Wessel currently 
works for the Alliance for American Manufacturing; Wessel 
Group, Inc.; and Goodyear Tire & Rubber Company. He holds a 
bachelor of arts degree and a juris doctor degree from George 
Washington University.
    Our second witness is Honorable Michelle Van Cleave, the 
former National Counterintelligence Executive. Ms. Van Cleave 
is a former staffer of the Science, Space, and Technology 
Committee, serving as Counsel in 1989. More recently, she was 
Special Assistant to the Under Secretary for Policy and Senior 
Advisor to the Secretary of the Army for Homeland Defense 
within the Department of Defense from 2001 to 2003 before 
becoming the National Counterintelligence Executive under 
George W. Bush. Ms. Van Cleave received both her bachelor's and 
master's of arts degrees in international relations from the 
University of Southern California. She also earned her juris 
doctor from the University of Southern California School of 
Law.
    Our next witness is Mr. Daniel Golden. He's an author of 
the book Spy Schools. Mr. Golden is a Pulitzer Prize-winning 
writer with his work regarding admissions preferences at 
prominent American universities when he worked at the Wall 
Street Journal. He is currently a Senior Editor with ProPublica 
and previously worked at Bloomberg News from 2009 to 2016. He 
received a bachelor's degree from Harvard University. It's good 
to have a Pulitzer Prize winner among us.
    Our fourth witness is Mr. Crane Hassold, Director of Threat 
Intelligence at PhishLabs. Mr. Hassold previously worked for 
the Federal Bureau of Investigation from 2004 to 2015 in a 
variety of analyst positions. Since that time, he had been 
working with PhishLabs in a threat research role. He holds a 
bachelor of science degree from James Madison University.
    I now recognize Honorable Michael Wessel for five minutes 
to present his testimony.

           TESTIMONY OF THE HONORABLE MICHAEL WESSEL,

               COMMISSIONER, U.S.-CHINA ECONOMIC

                 AND SECURITY REVIEW COMMISSION

    Mr. Wessel. Thank you, Chairs Abraham, Comstock, and Smith, 
Ranking Members Beyer, Lipinski, and Johnson. It's great to be 
here before the committee, and it's an honor to appear before 
you.
    My name is Michael Wessel, and I'm a Commissioner on the 
U.S.-China Economic and Security Review Commission. While 
appearing before you in my capacity as a Commissioner, the 
views I express are my own, although of course my views are 
informed by the work I and my colleagues do.
    This hearing is particularly timely in light of the 
President's actions to confront China's policies in the 
intellectual property arena. China has stolen, coerced, and 
subsidized the massive transfer of intellectual property to 
their country from the United States. These efforts have 
advanced their economic and military power.
    Clearly, not everything is a zero-sum game. Advancements in 
science, medicine, technology, and innovation can improve the 
lives of all people around the globe, but China is not as 
interested in advancing global interests as much as their own.
    China has made their priorities public. Most important for 
this hearing is China's Made in China 2025 Initiative, which 
identified 10 key sectors the government would support to be 
global leaders in, which have significant economic and national 
security implications. They range from new energy vehicles to 
biotech, robotics, next-generation information technology, and 
high-tech ships. China is using an all-of-government approach 
to stake out dominant positions in the global market in these 
technologies with the commitment of hundreds of billions of 
dollars. China will do whatever it takes legally or illegally 
to achieve its goals.
    My colleagues will talk about many of the illegal means. I 
will focus on some of China's key public programs and their 
targeting. Perhaps the most well-known program is the 
propagation and funding of Confucius Institutes all over the 
globe with roughly 100 here in the United States, as was noted 
earlier. They are purported to teach Chinese language, culture, 
and history. As Politico noted earlier this year, the Confucius 
Institutes' goals are a little less wholesome and edifying than 
they sound, and this by the Chinese Government's own account.
    China is willing to influence the current and future 
generations of American leaders, their views, and their 
research. Last week, Texas A&M terminated its Confucius 
Institute after Congressmen McCaul and Cuellar wrote that, 
quote, ``These organizations are a threat to our nation's 
security by serving as a platform for China's intelligence 
collection and political agenda.''
    Another significant program is known as Project 111. Under 
that program was the Thousand Talents program, which is 
designed to recruit foreign experts in strategic sectors from 
the world's top universities to come to China to assist in 
achieving their goals. The target is now 4,000 participants. 
Participants receive extensive benefits, including a bonus 
payment of roughly $158,000, in addition to salaries based on 
previous levels.
    The FBI's Counterintelligence Strategic Partnership has 
warned that these programs pose a threat to our nation's 
academic community. And I quote, ``Chinese talent programs pose 
a serious threat to U.S. businesses and universities through 
economic espionage and theft of intellectual property.'' The 
different programs focus on specific fields deemed critical to 
China to boost China's national capability in S&T fields.
    The size of the foreign student population of the United 
States is significant and raises interest--issues that merit 
attention. Of the more than 1 million international students 
studying here, China accounted for 32.5 percent of the total or 
roughly 350,000. Chinese students have a significant presence 
on many campuses and in many labs where critical research is 
being done. Many of these labs receive significant federal 
funding from the Department of Defense or the National Science 
Foundation. At the Berkeley Artificial Intelligence Research 
Lab, roughly 20 percent of the Ph.D. students are PRC 
nationals. At the University of Maryland's Bing Nano Research 
Group, 30 of the 38 postdoctoral researchers and graduate 
students are from China. Every one of the visiting researchers 
and professors utilizing J visas are from China. The lab 
receives support from 15 different federal agencies, including 
NASA, DARPA, the Air Force Office of Scientific Research, and 
the Department of Energy.
    Bilateral scientific cooperation programs also bear 
attention as there are questions about the real value of some 
of those programs to us. Sunlight is a great disinfectant, and 
today's hearing is an important step in that process. Raising 
awareness to the potential risks associated with China's 
academic activities vis-a-vis U.S. interests is key. In my 
prepared testimony, I provided a number of recommendations 
about actions that could be considered. In questions and 
answers I would be happy to talk about any of them.
    We cannot allow the debate and actions on this issue to 
fuel the targeting of Chinese people--citizens or people of 
Chinese descent. I believe that there can be broad bipartisan 
support for commonsense approaches that recognize the diversity 
strengthens, not weakens us. Thank you, Mr. Chairman.
    [The prepared statement of Mr. Wessel follows:]
    
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]

    Chairman Abraham. Thank you, Mr. Wessel.
    I now recognize Honorable Michelle Van Cleave for five 
minutes to present her testimony.

        TESTIMONY OF THE HONORABLE MICHELLE VAN CLEAVE,

         FORMER NATIONAL COUNTERINTELLIGENCE EXECUTIVE

    Ms. Van Cleave. Thank you so much, Mr. Chairman, and 
Members of the Committee.
    I had the honor of serving as the first national head of 
U.S. counterintelligence. I was appointed by President Bush in 
2003, and I have spent the years since leaving office with a 
continuing sense of gratitude for the honor of having served in 
that capacity and a continuing sense of obligation to share 
what I learned. I'm especially grateful, therefore, for the 
opportunity to be here this morning to share some of these 
insights with you as they pertain to the subject of today's 
hearing.
    The United States is a spy's paradise. Our free and open 
society is tailor-made for clandestine operations. As this 
committee is so well aware, American R&D, the engine for raw 
ideas and products and capabilities and wealth, is 
systematically targeted by foreign collectors to fuel their 
business and industry and military programs at our expense.
    China and Russia both have detailed shopping lists of 
targeted U.S. technologies and specific strategies for 
clandestine acquisition, ranging from front companies to joint 
R&D projects to cyber theft to old-fashioned espionage. U.S. 
academic institutions with their great concentration of 
creative talents and cutting-edge research and open engagement 
with the world of ideas are an especially attractive 
environment for these kinds of activities.
    Let me say the numbers are frankly staggering. For every 
dollar we invest, some $510 billion annually, we lose most if 
not all of that equivalent amount to these kinds of illicit 
activities every year. Each year, reports out of U.S. 
counterintelligence show numbers that are worse than the year 
before. Losses are growing, numbers of foreign collectors are 
growing, vulnerabilities are growing, and the erosion of U.S. 
security and economic strength is also growing.
    So why don't we do more to disrupt these operations before 
adversaries make off with our trade secrets, our national 
security secrets, and other valuable information? Let me ask 
you to hold that thought.
    The last time I sat in this witness chair was five years 
ago at another Oversight hearing on this very subject. In fact, 
Mr. Chairman, as we were sitting here having that hearing, the 
case that you referenced, the MRI exfiltration at NYU, there 
were surveillance cameras watching them at that very moment. 
And toward the end of that hearing, one of the members asked me 
very pointedly, ``Isn't there a way we can go on offense? Isn't 
there a way?'' ``Yes,'' I answered, ``there is, but national 
security leadership must be prepared to change the way we do 
the counterintelligence business if we are going to do that.'' 
So today, I'd like to pick up at that bottom line and get to 
that point.
    Unlike most other nations in the world, the United States 
has never had a national counterintelligence service. Instead, 
counterintelligence grew up as part of the distributed 
responsibilities of the three operational agencies--the FBI, 
whose principal responsibility is to find the spies here and 
put them in jail; the CIA, whose job is to make sure that their 
clandestine collection operates securely in all the realms in 
which it is asked to operate; and the military services, who 
have to be worried about foreign intelligence threats to our 
military operations abroad.
    And they're all very good at what they do. But throughout 
our history, most of our history, there was no national head of 
counterintelligence to integrate all of these various 
activities or to provide a common picture of the threat or to 
identify gaps or to warn of these activities. And 16 years ago, 
the Congress took a look at this and said this isn't working 
right. We have got to make some changes.
    The Counterintelligence Enhancement Act of 2002 was passed 
to create a national head of counterintelligence to integrate 
all these things--to provide warning of foreign intelligence 
threats to the United States, to find ways of filling in the 
seams so that foreign espionage couldn't exploit those seams, 
and to make sure that we were aware of these kinds of strategic 
threats to our activities, these kinds of R&D exfiltration, and 
broader threats to the United States, information threats, 
cyber exploitation, influence operations. These were the things 
that the office that I headed was asked to worry about.
    And when I served in that job, we took a look at how CI was 
distributed in this country, and we said, you know, tinkering 
around the edges isn't going to do. We need to make substantial 
changes in the way we do these operations. We need to have a 
strategic counterintelligence program that knits together 
different activities, that characterizes a threat, that gets 
ahead of the threat, by understanding how these foreign 
intelligence services operate, how they are structured, how 
they're tasked, and what their vulnerabilities are so that 
we can get inside of them and stop them before they hurt us.
    Unfortunately, the strategy that President Bush issued to 
go forth and do these things in a proactive way was never 
implemented. Now, why is that? Well, it was signed in 2005. 
That was the same year that the Director of National 
Intelligence Office was first created. There was a lot of new 
bureaucracy and many new priorities, which pulled away 
resources and direction from what we were trying to do.
    At the same time, the bigger problem was there was no real 
strategic counterintelligence program that the new law 
mandated, so it was easy not to follow through on these things 
because there was no requirement in fact to do that.
    I know my time is short, but I do want to urge that we 
spend a little time talking more about what can be done and how 
effective we could be if we worked our counterintelligence as a 
strategic tool of the nation's national security strategy. That 
possibility is open to us. And I will suggest to you that if we 
continue to just go along with the old business model of how 
we've been working case by case by case instead of going after 
the service proactively as a target, as I know our professional 
community in fact could do if national leadership gave them 
that direction, we will continue to have these unacceptable 
losses to our nation. Changes are possible. Good things can 
happen, but leadership is required. Thank you.
    [The prepared statement of Ms. Van Cleave follows:]
    
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
    
    Chairman Abraham. Thank you, Ms. Van Cleave.
    I now recognize Mr. Daniel Golden for five minutes.

                TESTIMONY OF MR. DANIEL GOLDEN,

                      AUTHOR, SPY SCHOOLS

    Mr. Golden. Thank you. I'd like to thank the Committee for 
inviting me and----
    Chairman Abraham. Mr. Golden, if you will push that button 
and put that mic on.
    Mr. Golden. Thank you. Thanks very much to the Committee 
for inviting me. I'm delighted to be here with such 
distinguished fellow panelists. In fact, Michelle, I quote her 
prior congressional testimony in my book Spy Schools.
    My book examines both foreign and domestic espionage 
activity at U.S. universities, but my testimony today will 
focus on foreign theft of federally funded academic research.
    The number of foreign students and faculty has mushroomed 
over the past 40 years. In 2016, the number of international 
students at U.S. universities topped 1 million for the first 
time, almost seven times the total in 1975 and more than double 
the 2000 figure. And of course there were basically no Chinese 
students here before 1978.
    The number of foreign-born scientists and engineers working 
at U.S. colleges and universities rose 44 percent between 2003 
and 2013, and in key technical fields like engineering and 
computer science, American universities award more than half of 
their doctorates to international students.
    Educational globalization has many benefits: diverse 
perspectives in the classroom, cross-cultural understanding, 
skilled labor for research, collaboration of the world's best 
minds, and the advancement of learning. But there is an 
alarming side effect. Globalization has transformed American 
universities into a frontline for espionage. Some small but 
significant percentage of international students and faculty 
come to help their countries gain recruits for clandestine 
operations, insights into U.S. Government plans, and access to 
sensitive military and civilian research. Academic solicitation, 
defined as the use of students, professors, scientists, and 
researchers as collectors, tripled from eight percent of all 
foreign efforts to obtain sensitive or classified information 
in fiscal year 2010 to 24 percent in 2014, according to the 
Defense Security Service.
    For foreign intelligence services, a university offers a 
valuable and lightly guarded target. They can exploit the 
revolving door between academia and government. Today's 
Professor of International Relations is tomorrow's Assistant 
Secretary of State. They can recruit naive students and guide 
them into the federal agency of their choice.
    Academic research offers a vulnerable and low-risk target 
for foreign espionage. University laboratories are often less 
protected than their corporate counterparts, reflecting a 
culture oriented toward collaboration. Typically, university 
researchers aren't required to sign nondisclosure agreements, 
which run counter to the ethic of openness. Open campuses also 
make it simple to gather intelligence. Spies with no academic 
affiliation can slip unnoticed into seminars, student centers, 
libraries, and cafeterias and befriend the computer scientist 
or Pentagon advisor sitting beside them.
    And academia's old-fashioned gentlemanly culture abets 
espionage. All it takes for professors in different countries 
to agree to collaborate on research is a phone call, an email, 
or perhaps a handshake at a conference. There's not necessarily 
a contract that explicitly spells out what data or equipment 
each side has access to. Many science students and faculty are 
unfamiliar with intellectual property safeguards.
    University administrations largely overlook this threat in 
part for financial and reputational reasons. They're ramping up 
enrollment of full-paying international students and opening 
campuses abroad, which are often subsidized by the host 
countries.
    The story of one Chinese graduate student at Duke 
University illustrates how vulnerable academic research is to 
foreign raiders and how little universities do to protect it. I 
came across this saga when, through a public records request, I 
obtained the agenda of an October 2012 meeting of the National 
Security Higher Education Advisory Board, which I heard today 
was recently disbanded. One agenda item stated that Duke 
University Professor David Smith, quote, ``will discuss how, 
without his knowledge, a Chinese national targeted his lab and 
published and exploited Dr. Smith's research to create a mirror 
institute in China.'' The episode cost Duke significantly in 
licensing, patents, and royalties, and kept Smith from being 
the first to publish groundbreaking research.
    I soon learned that Smith was a renowned researcher who had 
helped launch the fast-growing field of meta-materials, 
artificial materials with properties not found in nature. His 
lab had invented the first invisibility cloak a la Harry Potter, 
although it only concealed objects from microwaves, not the 
human eye, and that his lab had Pentagon funding to develop 
ways of making weapons invisible.
    And I identified the Chinese national as Ruopeng Liu, a 
former graduate student in Smith's lab. Through interviews with 
Smith and other lab members, I discovered that Liu had left a 
trail of specific suspicious behavior, arranging for Chinese 
scientists to visit the Duke lab and photograph its equipment, 
passing them data and ideas developed by unwitting colleagues 
at Duke, deceiving Smith into committing to work part-time in 
China by enlisting him under false pretenses to participate in 
the brain-gain program called Project 111 that Michael 
mentioned, and secretly starting a Chinese website based on the 
work at Duke.
    After numerous warnings from other members of the lab and 
questions from the Pentagon, Smith finally began to suspect Liu 
and took away his key to the lab, but Duke still gave him a 
doctorate. Liu noted in an interview for my book that the 
invisibility research was considered basic but there are 
advantages even to stealing open research, mainly saving time 
and avoiding mistakes. With a mole in a U.S. university 
laboratory, researchers overseas can publish and patent an idea 
first, ahead of the true pioneers, and enjoy the consequent 
acclaim, funding, and surging interest from top students and 
faculty. In fact, a foreign government may be eager to scoop up 
a fundamental breakthrough before its applications become so 
important that it's labeled secret and foreign students lose 
access to it.
    Universities should be smarter and more sophisticated 
about the intelligence ramifications of research 
collaborations, student and faculty exchanges, academic 
conferences, and international admissions. I'd like to see more 
training and courses in intellectual property rights, 
contractual agreements for cross-border collaborations that 
spell out each side's access to data and equipment, and 
orientation sessions for conferences on study-abroad programs 
that include tips on recognizing come-ons from intelligence 
agencies. And if students or alumni are exposed as foreign 
spies, universities should deny or revoke their degrees rather 
than looking the other way.
    As Americans, we're all concerned and rightly so about 
foreign intelligence services interfering in our elections. 
Like democratic elections, a robust, open, and intellectually 
curious system of higher education is a hallmark of our society. 
We should take pains to protect it as well. Thank you.
    [The prepared statement of Mr. Golden follows:]
    
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
    
    Chairman Abraham. Thank you, Mr. Golden.
    Mr. Hassold, five minutes, sir.

                TESTIMONY OF MR. CRANE HASSOLD,

           DIRECTOR OF THREAT INTELLIGENCE, PHISHLABS

    Mr. Hassold. Thank you. Chairs Abraham and Comstock, 
Ranking Members Beyer and Lipinski, and Members of the 
Committee, thank you for the opportunity to appear before you 
today. My name's Crane Hassold, and I'm the Director of Threat 
Intelligence at PhishLabs, a cybersecurity company based in 
Charleston, South Carolina. The purpose of my testimony today 
is to discuss my research and observations on the threat 
foreign actors pose to American academic institutions through 
the theft of research as a result of cyber attacks.
    For background on who PhishLabs is and what we do, we were 
founded in 2008, and one of our primary missions is to 
identify, understand, and mitigate cyber attacks where the 
primary attack vector is phishing. In 2017, we analyzed more 
than 1.3 million confirmed phishing sites and shut down more 
than 12,000 phishing attacks each month.
    For more than 90 percent of targeted cyber attacks, the 
initial attack vector is phishing. Phishing is effective 
because it takes advantage of emotional responses that are 
inherent to human behavior such as fear, anxiety, and 
curiosity. Through phishing, threat actors can compromise 
personal and financial information, steal data or intellectual 
property, and extort victims for financial gain.
    Relevant to today's discussion, universities are 
particularly susceptible to risks associated with phishing 
attacks due to the sheer volume of users that interact with our 
network. In December 2017, I identified a series of malicious 
domains hosting phishing sites, targeting various universities 
in the United States and other countries. Unlike most other 
university phishing sites, these were uniquely crafted to mimic 
the login pages of university libraries.
    Using a combination of technical analysis and open-source 
research, I identified hundreds of other phishing sites linked 
to the same threat actors that had targeted other universities 
around the world. To date, I've identified nearly 800 distinct 
phishing attacks linked to this group, which we refer to by the 
name Silent Librarian, dating back to September 2013. These 
attacks, which are significantly more sophisticated than most 
phishing attacks I've seen, have targeted 300 different 
universities in 23 countries, including 174 institutions in the 
United States. It is clear the universities targeted by this 
group are not randomly selected. Targets in these phishing 
campaigns are generally prominent research, technical, or medical 
universities.
    In addition to universities, I also observed other notable 
nonacademic American institutions targeted by the group such as 
Los Alamos National Laboratory, the Electric Power Research 
Institute, and multiple major medical centers. Based on my 
research, the purpose of these attacks is to compromise 
university credentials and use those credentials to access and 
exfiltrate data from university resources such as academic 
research databases.
    I also identified one Iranian website that was used to 
monetize the stolen credentials, which has been in operation 
since at least 2015 and, based on data shown from the site, has 
been visited more than 1 million times.
    Since the beginning of my research into this group and 
their attacks, I have worked closely with the FBI to provide 
intelligence into the group's tactics and motivations. I have 
also partnered with REN-ISAC, an information-sharing 
clearinghouse for higher education institutions to notify 
targeted universities of imminent or recent phishing campaigns.
    As referenced by a few members already, on March 23, 2018, 
the Department of Justice indicted nine Iranians associated 
with a company named the Mabna Institute. According to the 
indictment, this group allegedly conducted phishing attacks 
against more than 100,000 targets at international universities 
and private sector companies to steal more than 31 terabytes of 
academic data and intellectual property. The cost spent by 
American universities to procure resources compromised by the 
group is reportedly in excess of $3 billion.
    The DOJ also alleges in the indictment that much of this 
malicious activity was conducted at the direction of the IRGC, 
one of the Government of Iran's primary intelligence collection 
entities. Based on the evidence detailed in the indictment, it 
is likely that the Mabna Institute and Silent Librarian are 
the same group.
    It is also important to note that the indictment has not 
seemed to deter the group from continuing their malicious 
activities. As of the date of this testimony, I've observed 27 
new phishing sites created by the group since the indictment 
targeting 20 different universities, 10 of which are located in 
the United States.
    Based on my analysis of these attacks and conversations 
I've had with members of the university security community, 
there are a range of ways academic institutions can better 
prepare and respond to the cyber threats posed by malicious 
threat actors. Universities should accept credential phishing 
as a significant threat and focus on identifying ways to better 
protect their users against them.
    Users--universities should place more of a focus on fully 
mitigating phishing sites targeting their users rather than 
implementing quick responses like simply blocking access to 
malicious websites on an internal network that still leave open 
the opportunity for further compromise. And, like other 
institutions, universities should also invest more in security 
training that raises the awareness of students and faculty to 
potential cyber threats.
    Thank you again for the opportunity to testify before you 
today, and I look forward to answering any questions.
    [The prepared statement of Mr. Hassold follows:]
    
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
    
    Chairman Abraham. Thank you, Mr. Hassold.
    I thank all the witnesses for their testimony. I'm going to 
recognize myself for five minutes for questioning.
    Mr. Wessel, Ms. Van Cleave, and Mr. Hassold, I think these 
questions will go to you. Is it fair to say that the open and 
collaborative nature of U.S. academic institutions makes them 
inherently vulnerable to the threat of foreign exfiltration? 
And if so, how do we strike that balance in protecting our 
research and our systems while ensuring collaboration? Mr. 
Wessel, I'll start with you.
    Mr. Wessel. Thank you, Mr. Chairman. I think, as I pointed 
out in my testimony, we can identify what some of the high-
value targets are and focus on those first so that we can look 
at critical areas of research that relate not only to the 
economic domain but China's national security desires, other 
countries' national security desires. One can do a gap analysis 
to determine whether, for example, China needs hot engine 
technology to be able to develop jet engines for their 
fighters.
    We can then net back and look at some of those cooperative 
research programs, the labs here in the United States that are 
doing work with cleared defense contractors or doing it on 
their own and try and upscale what the systems in place are to 
ensure that our systems are secure, to assess foreign students 
who are part of those labs, and make sure we're doing better 
analysis of their visas and the connections they have, and to 
try and track where the information may or may not be going. So 
it's threat analysis and using that to try and identify gaps 
and go forward. We also have a lot more to do beyond that.
    Chairman Abraham. Ms. Van Cleave?
    Ms. Van Cleave. Mr. Chairman, clearly, the academic 
community, as you describe it, is open and free, and values the 
free exchange of ideas and interaction of all peoples and 
that's the way to advance our knowledge and understanding. 
Academia is very rich. It is very rich in creative people, it 
is very rich in people who are going to have significant 
relationships with other creative people throughout the 
country. And so from the standpoint of a foreign intelligence 
service, here's an opportunity to do the basics of espionage. 
It is the opportunity to spot potential sources, to evaluate 
those sources, to find people who know other people that can 
introduce them to significant potential sources. So for an 
espionage service, is academia a great place to operate? 
Absolutely, it's a great place to operate.
    My point--my principal point to you is to say, look, yes, 
we need to have awareness. And awareness is significantly 
important, and the more that all Americans can understand the 
extent to which they don't want to be taken advantage of by 
foreign actors, that is excellent. But we have more to do as a 
government as well. It is clear to me that the advantage lies 
in being able to see inside of what the foreign intelligence 
service is after in the first place. If we know who their 
people are and where they are and how they're operating and we 
know they're at this university but not that university, we 
have the advantage to protect ourselves and to disrupt what 
they're doing much more effectively than if all of our eggs are 
in the defense basket.
    Chairman Abraham. Mr. Hassold, your take?
    Mr. Hassold. Thank you. I think from a traditional 
counterintelligence perspective, collaboration allows for 
things like source recruiting and things like my panelists 
previously have said, but from a cyber perspective, I believe 
that collaboration centralizes the information that's used by 
universities from a research perspective that allows for an 
inherent risk by pooling all of the data and research into one 
location that can be accessed by foreign adversaries. So I 
think from a cyber perspective it's more of a sense of 
centralizing the data and making the data more vulnerable for 
attackers.
    Chairman Abraham. All right. Thank you.
    Mr. Wessel, in your testimony you stated that we needed to 
act to preserve our own technology and confront China's 
predatory and protectionist actions to ensure the existence of 
the global commons. Has the U.S. Federal Government taken steps 
to confront this at our academic institutions? How would you 
suggest we confront China's actions? And what consequences do 
we take the appropriate action to do so?
    Mr. Wessel. Thank you, Mr. Chairman. Although that probably 
would take me a day or two to respond, I don't think we've done 
enough to send a message that--both to the Chinese and other 
nations but also to players here about the seriousness. As you 
probably recall, in May 2014, five PLA hackers were indicted 
for going into a number of our major companies here, not 
universities but major companies. There's no follow-up action 
to that. The indictment was sealed. Those five PLA hackers may 
not be able to come to Disneyland, but they're doing quite 
well. So there have been few costs to the Chinese or other 
nations for what they're doing.
    You talked about indictments, et cetera. There are some 
one-offs. We have to do a much better job of identifying the 
critical technologies that China and other nations want and 
enhancing the safeguards around those. And, as the President is 
doing now in terms of the theft and coercive taking of 
intellectual property by the Chinese is make sure that there 
are sanctions that are effective and people understand that the 
overall framework has to change. Sanctions to respond to the 
illegal activities need to be upgraded. They need to be much 
more public. We also need to do a much better job of training 
those people here as to what the risks are.
    Chairman Abraham. Thank you. My time is up.
    Ms. Esty, you're recognized for five minutes.
    Ms. Esty. Well, thank you very much.
    Again, I want to thank all of you for joining us here 
today. This is an extremely important topic.
    I represent Connecticut. I have Yale just to the south of 
me, UConn Medical Center to the north of me, and so these are 
very serious issues for the research institutions that I'm 
honored to represent.
    To all of you, and based on the anecdotes you shared with 
us here today, it seems like there's a very serious lack of 
situational awareness of people in the academy. I have a 
husband who's not in this field but has a lot of foreign 
students. He has grad students. We increasingly in the STEM 
fields have--the vast majority of our students are 
foreign-born. We have benefited enormously by that openness, but that 
makes us extremely vulnerable.
    Can you try to drill down for us a little bit on what you 
think we can do to raise that level of awareness within 
institutions that allows them the freedom that they are going 
to want to have and need to have to share widely--that 
collaboration is important--but to be aware that with that 
openness comes a responsibility to be more on guard? And I 
think frankly we have not been. People are becoming aware of 
the phishing risks, but maybe not this broader one, don't 
really think that it's possible that you might actually have 
spies. It's sort of not in the mindset of the academics. So how 
do we preserve that openness but raise that awareness?
    And if you have thoughts of appropriate ways for us to do 
that, I think it's really important because it's not always 
laws that we need to be passing. A lot of times it's actually 
helping people do the right thing and being aware of what the 
risks are. Thank you.
    Mr. Golden. I'll mention one or two things. Intellectual 
property courses are, at most universities, confined to law 
schools, so there's generally not access for, you know, science 
students to take them, and, as a result, studies have shown 
that relatively few graduates in fields like engineering or the 
sciences understand concepts like what is a trade secret. So I 
think having those kind of courses or training more broadly.
    And the other point I'd make is that, you know, 
universities have security people and research security people, 
but they tend to be, you know, dependent on professors and 
people in the classroom to report something that they see that 
might, you know, seem amiss.
    And, you know, in fact one case that did happen that I 
looked at in my book where there were two scholars visiting 
Boston from a university in China that's partly run and funded 
by China's intelligence ministry and the scholars were just 
kind of visiting all these different universities. They didn't 
really have an office at UMass Boston; they were just dropping 
in wherever they felt like it, the Northeastern research 
security people got a tip and, you know, recognized that we 
better monitor what these two people are doing. So--but they're 
dependent on professors and grad students to let them know, and 
so training or understanding would be of great benefit there.
    Ms. Esty. Does anyone have courses already developed and is 
that something you could maybe--maybe that's something that 
needs to be done to do a mini course. Having been a law 
student, a lot of law students don't take intellectual property 
courses, so I think you're going to need to have something 
that's a mini version that's accessible to people but to 
realize that these things have real value. You have a 
responsibility to safeguard it, and that's part of your 
basically fiduciary duty as a researcher and as a student to be 
aware of that. And that if you see something, say something 
notion. I think there's a lot of times people don't know. And 
something may strike them as a little odd but they don't 
realize like that could mean something.
    And so maybe that's something you can follow up with us 
with some suggestions about developing curricula and things 
that we could try to get help from the National Science 
Foundation and others to work with our research institutions 
large and small to have them be more aware of these are the 
kinds of things you might see and you should be equipping your 
faculty to be aware because, again, I think we're concerned 
about clamping down on academic freedom, and so this may lend 
itself to awareness at the very least. So----
    Mr. Golden. Definitely. I'd be glad to.
    Ms. Esty. Well, thank you. I appreciate that. And I see my 
time is almost up. Thank you, and I yield back.
    Mr. Wessel. If I could just add quickly because it's been 
noted by you, Mr. Chairman, and others that much of this 
research is federally funded. It's our--your constituents' tax 
dollars. There can be ties to that with the universities to 
make sure they are putting in place the kind of 
counterintelligence and other systems and education in place to 
make sure that their professors, their researchers, their 
students have a better understanding of what the threat factors 
are.
    Chairman Abraham. Thank you. Mrs. Comstock?
    Mrs. Comstock. Thank you.
    The Iran case demonstrates that nefarious foreign actors 
use cyber means to access valuable research and development, 
and numerous case studies in China, as was detailed, reveal 
that human intelligence is used to gain access. And the FBI has 
recognized two methods: seeding operations and recruitment 
operations. So could you discuss, any of you, any specific 
cases that fall into each of these and the methods or means 
utilized by the foreign agents to access and exfiltrate 
valuable R&D?
    Ms. Van Cleave. Well, I suspect Dan has a long list of 
particular cases that he can cite, but I just want to confirm 
that those methodologies, as well as others, are used 
systematically by foreign intelligence services not only on our 
campuses but, you know, elsewhere in the country to go after 
the things that they are interested in. And it isn't casual. 
Sometimes there's a misunderstanding that, you know, maybe it's 
just a casual undertaking. That's not the case.
    China, for instance, and Russia as well, have very 
sophisticated, which is to say highly developed, acquisition 
strategies for where they're going, the things that they want, 
how they're going to get them. The cyber opportunities 
certainly are tremendous now, but old-fashioned espionage is 
still very much a part of these activities. And what that says 
to me as a counterintelligence professional is that we have an 
opportunity. If we can gain the intelligence insights into what 
they're doing and how they're doing it, then we have the chance 
to get inside of those operations in order to be able to 
degrade them or stop them or better protect ourselves.
    So whether it's cyber operations that would influence our 
democratic institutions and processes or whether it's 
espionage, going after our national security secrets or our 
laboratories or the research activities in academia, getting 
inside of those operations gives us the advantage. And that's 
where we've been falling short.
    Mrs. Comstock. Okay. And are these actors being recruited 
and then sent to the United States to infiltrate in some way 
when it's actual people or are they being recruited by other--
you know, here trying to get--what is the recruitment process 
when it's human intelligence?
    Ms. Van Cleave. All of the above.
    Mrs. Comstock. Right.
    Ms. Van Cleave. Again, it looks at where are the 
opportunities, so you----
    Mrs. Comstock. They target--they go for what they want to 
access first----
    Ms. Van Cleave. Right.
    Mrs. Comstock. --and they build the plan----
    Ms. Van Cleave. Right.
    Mrs. Comstock. --around that?
    Ms. Van Cleave. So put yourself in their place. So if you 
are a Chinese Government entity that is looking to develop 
next-generation ASAT capability and you know that these 
specific kinds of technologies are the subject of research at 
particular universities here or in laboratories, what do you 
want to do? You want to be able to get close to the people who 
are close to that. You want to find other ways in to try to 
acquire these technologies, and so you're going to use all of 
the means at your disposal in order to do that. But it isn't 
casual. You're very serious about your objectives, and you know 
that this works quite well. The Russians, the same. They used 
to build in--and they probably still do--the acquisition of 
Western technologies into their design plans for weapons 
systems. They knew they could get what they needed here, and so 
that would be part of their planning activity. So that very 
much is still going on.
    Mrs. Comstock. Thank you. Mr. Golden?
    Mr. Golden. I could speak to this issue a little bit. I 
could give you any number of cases. They're not always where 
the government directly sends somebody or recruits somebody. As 
Michael mentioned, China has these very aggressive brain-game 
programs that provide incentives for particularly researchers 
in the United States of Chinese descent to come home and--with 
research that they might not have come by honestly. And those 
programs have not succeeded in recruiting sort of tenured 
professors at top-notch American institutions. They don't 
really want to go back to China no matter what the offer is. So 
they tend to appeal to sort of fringe professors at lesser 
institutions, maybe they don't have tenure, and the message to 
them is kind of don't come home empty-handed. So there's kind 
of an incentive for them to bring something back.
    There was a case involving a research assistant at Medical 
College of Wisconsin. Hua Jun Zhao, he basically--his professor 
had invented kind of a cancer-fighting compound, and he applied 
for one of these brain-game programs saying that he was the 
inventor. And the application he sent was basically a duplicate 
of a grant proposal that his professor had filed. So there's 
that kind of case.
    In the Duke case I mentioned, it's not clear if Ruopeng Liu 
was actually working for the Chinese Government. More likely, 
he was on his own, knowing that this would be welcomed when he 
got home. You know, and in fact it was. He got heavily 
subsidized by the government and he set up a business and an 
institute, you know, but it still kind of, you know, theft of 
an American research that he was enterprising enough to go 
after essentially.
    Mrs. Comstock. Thank you, Mr. Chairman.
    Chairman Abraham. Thank you, Mrs. Comstock.
    Mr. Beyer, five minutes.
    Mr. Beyer. Mr. Chairman, thank you very much. And look, 
before I dive into this, I just want to take a moment to again 
implore this committee to provide oversight to EPA 
Administrator Pruitt. Administrator Pruitt's alleged unethical 
behavior, his wasteful use of taxpayer money, his ongoing 
efforts to undermine the EPA's mission to protect our 
environment and our public health, this warrants serious 
Congressional oversight.
    I previously requested that Chairman Smith bring 
Administrator Pruitt before the Science Committee to testify as 
to standard practice, and now, amid daily and abundant 
scandals, this is more crucial than ever.
    Administrator Pruitt's predecessor, Gina McCarthy, Mr. 
Chairman, as you know well, testified before this committee 
again and again and again, once just on text messages to her 
husband. Administrator--in contrast, Administrator Pruitt has 
been confirmed 14 months ago and he has yet to appear before 
the committee that has oversight. He cannot be allowed to 
continue to sell our nation's clean air and water to special 
interests without consequences even without our questions.
    And if the President refuses to hold him accountable, then 
Congress has to do its job. Science, Space, and Technology 
Committee needs to do its job and conduct meaningful oversight.
    Thank you, Mr. Chairman, for that digression.
    Mr. Golden, your book gives lots of examples about how 
foreign intelligence agencies especially from China attempt to 
use various methods to obtain sensitive research and technical 
information through the use of human sources, spies. Given the 
increasing power of digital tools to wage cyber warfare and 
collect colossal amounts of data, for example, Mr. Zuckerberg, 
who's over at the House Energy and Commerce Committee this 
morning, why do foreign intelligence agencies need human 
resources at all anymore?
    Mr. Golden. Thank you. That's a good question and I don't 
have a definitive answer, but I think that cyber and human 
intelligence gathering should be seen as complementary rather 
than sort of as in competition. I mean, there are insights you 
can gain, secrets you can find out that are not necessarily in 
the digital world so that, you know, there's a certain body of 
information that cyber and data hacking or gathering is vital 
to gain, but there's still, you know, many things that people 
don't, you know, confide to email, don't put down in writing, 
and can be gained by recruiting a source. And other things can 
also be done by human intelligence but not by cyber. For 
example, recruiting a graduate student and steering him to 
apply for a job in a given federal agency is not something that 
you can do with a cyber attack, you know?
    Mr. Beyer. Do you see any difference in the trade craft, 
for example, between China and Russia?
    Mr. Golden. I'm not sort of an expert more broadly beyond 
academia, but I would say that the China--most of the examples 
you find in China or most of what I've learned have to do often 
with targeting research, and the Russian examples more often 
have to do with seeking political or economic secrets.
    Mr. Beyer. Thank you very much.
    Mr. Wessel, in your testimony you talked about the National 
Security Higher Education Advisory Board created in 2005. And 
we learned earlier the FBI disbanded it. Do you think when it 
existed that it served a useful function, and how important is 
it to have this regular communication between the law 
enforcement intelligence communities on the one hand and the 
academic communities on the other?
    Mr. Wessel. I think that is vital and it should be 
reinstated, and I think we need to find other ways of 
communicating and collaborating with our universities, 
especially, again, those with high-value targets--that are 
high-value targets. There are lists of those universities that 
are engaged in classified research as it relates to defense 
contracts, et cetera. There are some critical areas of 
cutting-edge research that we view as the future of America's economy 
and our success. And the collaboration is vital. If we view the 
academic institutions as a principal threat vector, the 
government needs to be doing much more to make sure that our 
universities are playing their role.
    Mr. Beyer. To continue--thank you, Mr. Wessel--you 
suggested that the Confucius Institute, their personnel should 
be required to register as foreign agents under the Foreign 
Agents Registration Act. How does the Confucius Institute 
differ from the Goethe-Institut, the British Institute, 
Alliance Francaise?
    Mr. Wessel. I can't say that I know all of those other 
entities, so I'm not sure I'm qualified to answer other than 
the Confucius Institutes have a very clear role in extending 
China's soft power at a time when we find them to be 
challenging us on many fronts both in terms of such issues as 
the South China Sea and geopolitical issues but also again 
militarily and economically. So with my work on the China 
Commission, that's what I focus on, not what some of the other 
countries are doing, so I'll have to get back to you on that.
    Mr. Beyer. Okay. All right.
    Mr. Golden. I could speak to the--that issue a little bit.
    Mr. Beyer. Mr. Golden, only if the Chair--the new Chair--
perhaps we will cycle back to it because my time is up.
    Mr. Golden. It's okay.
    Mr. Beyer. Thank you very much.
    Mr. Higgins. [Presiding] Thank you. And the Chair--my 
Chairman has excused himself for a moment, so I'm going to 
recognize myself for five minutes of questioning.
    Ms. Van Cleave, just to clarify for the American people 
whom we serve, we're understanding today, and based upon 
research of myself and my colleagues prior to this hearing, 
that the American people are funding, through university 
grants, the Federal Government harvests treasure from the 
American people to fund university grants that go to research 
and development programs at our universities. Those research 
and development programs designed to enhance the economic 
strength of America and the military might of America, the 
predominance of American university-level research, and that 
research is being stolen and harvested by foreign nationals and 
brought to their own nations in order to give those nations 
predominance, as paid for by the American people. So 
essentially the American people are funding the predominant 
position of foreign nations, is that correct?
    Ms. Van Cleave. Very well put, Mr. Chairman.
    Mr. Higgins. Let me ask you, regarding university grant 
applications for research and development, do those 
applications include any verification of policies or procedures 
that are in place at that university to protect intellectual 
properties and to confirm that they have cybersecurity systems 
in place and even general security systems in place? Does a 
grant application right now include any sort of confirmation 
that that university has the ability or even the intent to 
protect the research and development that we would fund through 
that grant?
    Ms. Van Cleave. Certainly through classified research 
grants, I know very careful restrictions like that are in 
place. I think some of my other panelists can speak to open 
grants.
    Mr. Higgins. Comment?
    Mr. Wessel. Just----
    Mr. Higgins. Mr. Wessel?
    Mr. Wessel. Just as it relates to nonpublic meaning, you 
know, when a pharmaceutical company goes to a research 
institute for collaborative research on, you know, cancer 
drugs, et cetera, there are extensive documents about what 
security measures they may--they must put in place, 
nondisclosure agreements, et cetera. My understanding is for a 
number of federal programs that does not exist.
    Mr. Golden. When research is export-controlled, you know, 
then it's limited to certain countries so students need 
approval and some that can't get approval sometimes. Basic 
research, I don't think there's many security provisions, 
although on the Duke case I mentioned, when they then published 
an article that showed that some of the funding was from the 
Chinese Government on this invisibility research, you know, the 
Pentagon funders got upset and contacted the professor and--who 
put a--who ended that, so there are some monitoring there.
    Mr. Higgins. Thank you for those answers. In my opinion, to 
my colleagues I suggest that grant applications should include 
some verification of the levels of training and awareness that 
we are certainly highlighting today.
    Mr. Hassold, through your work, you found that at least 144 
universities were breached by Iranian hackers over the last 
five years. These hackers took 31 terabytes--that's my 
understanding--31 terabytes of R&D-related materials. Were 
these universities being targeted specifically because of the 
research conducted there?
    Mr. Hassold. So those numbers came from the DOJ indictment. 
The numbers that I have found is 174 American universities that 
have been targeted by this group. The firsthand observations 
I've been able to see is that the purpose of that targeting was 
to get access to the centralized academic databases that most 
American and most Western universities have access to, to 
exfiltrate research articles from those databases. Of course, 
the--one of the clear indications based on the targets that 
have been selected in those attacks is the possibility that 
research specific to certain universities is exfiltrated. When 
you look at some of the targets, some of the high-profile 
targets that the U.S. Government works with, there's that 
possibility. I think that's hinted at in the indictment but 
that is secondhand information that I have.
    Mr. Higgins. And do you agree that universities should 
provide proper training for their professors, researchers, and 
staff to defend against cyber threats? Do you agree with that 
assessment?
    Mr. Hassold. Absolutely 100 percent.
    Mr. Higgins. I would suggest to my colleagues that today's 
hearing has made clear the extent to which our nation's 
research and development is targeted and exposed, and witness 
testimony confirms this threat is real. We must ensure that 
universities are taking this threat seriously and understand 
the precautions being taken to safeguard their equities. I 
believe we would greatly benefit as a nation by hearing from 
our universities on this matter, and I hope this committee 
continues to take action on this issue.
    My time is expired. The Chair recognizes Ms. Bonamici from 
Oregon for five minutes.
    Ms. Bonamici. Thank you very much, Mr. Chairman, and thanks 
to the Chairs and the Ranking Members and our witnesses for 
testifying today. I appreciate the concerns of course that were 
raised in the testimony and by our colleagues, but I also want 
to acknowledge the immense benefits economically, socially, and 
academically of welcoming foreign students to our academic 
institutions. This is about finding the right balance.
    When informed of this hearing, my alma mater, the 
University of Oregon, was proud to point out that they have 
long sought international students not only for the 
intellectual and cultural diversity they bring but also for the 
opportunity to encourage American students to be more globally 
aware and engaged. With that in mind, I hope our focus today 
can be finding that appropriate balance to make sure that our 
universities are secure and vigilant but also accessible hubs 
of learning and creative exchange.
    And I want to thank Ranking Member Beyer for asking about 
the National Security Higher Education Board. It seems that 
that is something that we could work on together to make sure 
that that is reconvened and operating because I know it's been 
beneficial to universities in my home State and across the 
country. That's been a useful venue for the academic and 
security communities to discuss those challenges.
    I wanted to ask, we know that there are many American 
students who study abroad and academics as well working abroad 
who could be vulnerable to recruitment or unwitting involvement 
in espionage by a foreign actor. So could any of you describe 
what, if anything, we're doing to protect and prepare our 
students, professors, and researchers from being exploited when 
they are abroad? Mr. Golden, you look like you are turning on 
your microphone.
    Mr. Golden. Good observation. The--thanks. You know, 
there's one renowned case in this field of Glenn Duffie Shriver 
who had been a student at Grand Valley State and soon after he 
graduated he went to China--he went to China first in college 
in a study-abroad program and right after--and was recruited by 
Chinese intelligence and they--you know, they paid him to take 
the foreign service exam but he failed and then they paid him 
to try and enter the CIA and he was caught and imprisoned. And 
the FBI made a video about it called Game of Pawns and----
    Ms. Bonamici. Widely panned I might----
    Mr. Golden. Yes, it wasn't that well-received but it also--
you know, they tried to get universities to show it in their 
orientations for study-abroad programs, and the universities, a 
lot of them objected. They felt they had limited orientation 
time. There's a lot of things to orient the students about, you 
know, local conditions, what do you do if you're ill, stay away 
from drugs, whatever, and so most of them did not show it. Now 
that might have been a good decision on aesthetic grounds, but, 
you know, there probably could be some, you know, discussion of 
some kind of orientation for students before they go overseas, 
as well as for the professors----
    Ms. Bonamici. Right.
    Mr. Golden. --who lead those trips and because they are, 
you know, playing in the other country's territory and they are 
potential targets.
    Ms. Bonamici. I believe that was back in 2014 that video 
was made. That could be something that we could discuss as well 
to make sure that there is something meaningful.
    Last December, the White House released its national 
security strategy that indicated that the Trump Administration 
plans to consider restrictions on foreign STEM students from 
designated countries to ensure that intellectual property is 
not transferred to our competitors. Mr. Golden, you were quoted 
in an Inside Higher Education article responding to when FBI 
Director Christopher Wray testified, and you said, quote, ``The 
vast majority of Chinese students are just here to learn and 
maybe do research and they bring energy and intelligence and 
fresh perspective to American higher education. They're quite 
valuable. It would be wrong and unfair to assume that some very 
large proportion of them are here for clandestine purposes.'' 
And I appreciate that, and again, this is about finding the 
balance.
    Can you talk about the concerns or the problems that might 
come from casting an entire group of students, researchers, and 
professors from a particular country as a danger to national 
security based on that country of origin, and how might that 
hinder our ability to attract the brightest minds around the 
world to study, conduct research, and work here in the United 
States?
    Mr. Golden. Sure. Yes, in general, the globalization of 
higher education I think is a wonderful thing, and the 
advantages outweigh the drawbacks. And the students from China 
and other countries, they come and, you know, many of them are 
extremely bright and wonderful researchers and contribute to 
research done in the United States. And in fact, you know, the 
great majority--although the percentage has gone down some, the 
great majority who come over as graduate students or get their 
doctorates here stay here for, you know, at least five to ten 
years after or make their whole careers here. And then, you 
know, the research they do, you know, redounds the benefit to 
the United States rather than China.
    I mean, particularly since Tiananmen Square, that's been 
the case. And if you look at it in that light, China almost 
has--you know, they're losing so much talent that that's why 
they're having these aggressive brain-drain programs and that's 
why they feel probably pressure to use espionage because, you 
know, so many of their best and brightest are making their 
greatest discoveries in the United States for the benefit of 
American universities and the American economy and the American 
Government.
    So, you know, I think it would be a mistake to, you know, 
turn off the faucet of bringing Chinese students to this 
country, and instead, that's why we ought to look for more--
other things such as, as I mentioned, intellectual property 
classes, more collaboration agreements that spell out what can 
and can't be done on each side and those kinds of things 
because, you know, foreign students contribute a great deal to 
the United States in any number of ways.
    Ms. Bonamici. Thank you. I see my time is expired, but as I 
yield back, I want to note that there have been several topics 
here that we could work on on a bipartisan basis to make sure 
that we're protecting our universities and our data. And thank 
you very much. I yield back.
    Mr. Higgins. I thank my colleague.
    And Mr. Loudermilk from Georgia is recognized for five 
minutes for questions.
    Mr. Loudermilk. Thank you, Mr. Chairman. And I agree with 
Ms. Bonamici. This is something that should be bipartisan. It 
is something definitely concerning to me, and it should be to 
not only every member of this committee but Congress and those 
in the universities. This is a meeting of two areas of which I 
have experience and a great interest working in intelligence 
and technology in the Air Force.
    I was greatly concerned when it was mentioned that Sandia 
Labs has been a target. Working with Sandia Labs in the past I 
know the type of research and development they do, and it is 
definitely of a national security concern with me and even with 
other research institutions that I work with in this capacity 
and that I have in my 20 years in the IT sector. This is an 
area that should have much more attention than we are giving it 
right now.
    And, Mr. Golden, I want to congratulate you. There is a 
waiting list for your book at the Library of Congress, which I 
am on, so apparently it is beginning to grow.
    Mr. Hassold, as you've mentioned, you've conducted 
extensive work on the Iranian breach at these institutions and 
provided the FBI with your findings. Can you walk us through 
how the Iranians were able to breach these university systems?
    Mr. Hassold. Sure. So with any phishing attack, it always 
starts with the lure that is generally email-based. All of 
these attacks were--had email-based lures. So they were sent 
out to a number of different students and faculty. Some were 
very targeted, as is referenced in the indictment from a couple 
weeks ago. Some were more general, sent to a wider range of 
students and faculty. When you look at those lures, they are 
incredibly sophisticated. The spelling, grammar, the things 
that you traditionally look for to identify potentially 
malicious emails, everything there has been perfect.
    And one of the--I think the interesting and notable aspects 
of them is that they have barely evolved over time. If you look 
at a lure from three years ago, I had--I found a lure from 
three years ago that targeted American University, and I found 
another lure targeting an Australian university just 3 or 4 
months ago. The content of those emails was exactly the same. 
And I think one of the interesting parts of that is sort of it 
denotes the probable success rate that the threat actors had 
with using those lures.
    So the lures were very sophisticated. They--if you look at 
some of the information that was contained within them, it's 
clear that they did probable manual reconnaissance to collect 
information that is targeted to the university specifically 
that makes them more persuasive. From the lures, you go to the 
phishing sites themselves. The content of the phishing sites is 
a near replica of the legitimate login pages that someone would 
see if they're going to the actual site. The URLs were 
patterned to look extremely similar to the actual login page. 
And then after someone enters information into those phishing 
pages, they would generally be sent off to what we would call a 
drop email account, which is generally a temporary email 
account where the compromised credentials are received.
    Mr. Loudermilk. Okay. And if we could bring up--I've got a 
couple of slides--screenshots of the landing page.
    [Slide.]
    [GRAPHIC] [TIFF OMITTED] T9781.091
    
    Mr. Loudermilk. The one on the top is the actual University 
of Pennsylvania library page. Actually, the top one is the 
phishing site. I'm correct--corrected, and at the bottom is the 
actual. This is incredible. I mean, this is highly 
sophisticated. It indicated to me, looking at this, that this 
is not just a rogue actor. This has state sponsorship. There is 
a lot of work gone into this, which, from the technology 
standpoint or an IT standpoint, you're only going to put this 
type of effort to go after a highly valued target and--which is 
really concerning.
    And based on your experience with this and the other work 
that you're doing, how vulnerable are these institutions as 
compared to, let's say, our business community or corporations? 
Are they more--is academia more vulnerable or less?
    Mr. Hassold. I think one of the primary vulnerabilities for 
the academic community is not that--is not that different than 
the--than most other industries and most other businesses. I 
think the challenge, as I said in my testimony, is that you 
have a number of different components that feed into the 
university network. You have students, you have faculty, and 
then you have employees--
    Mr. Loudermilk. Right.
    Mr. Hassold. --and each of those need to have awareness and 
training. And by nature of the academic community, a lot of 
those members are transient, so the ability to train them and 
give them like fully--a full awareness of the actual risks is 
much more challenging than some other businesses where most of 
the employees are sort of centralized and you have a better 
opportunity to train them.
    Mr. Loudermilk. Are they a softer target? And then a lot of 
times we look at often more effort is put into going after--
well, if you have two targets of high-value, you're going to 
put more effort in the softer target than the harder. Are the 
universities a softer target than, let's say, the corporations 
because of the--what you just laid out for us?
    Mr. Hassold. I think that they hold sort of like--sort of 
like you mentioned, they hold specific value to the people who 
are targeting them, so I don't think they are softer and the 
technical defenses are that much worse than general businesses, 
but I think they hold a certain value to the people who are 
targeting them that's much different than you look at the 
reasons that generally--general businesses are being targeted.
    Mr. Loudermilk. Okay. I do have several other questions but 
I see my time is expired, so if we do a second round or if 
somebody else yields any, I'll have a couple other questions 
for you.
    With that, Mr. Chairman, I yield back.
    Mr. Higgins. I thank my colleague.
    And Mr. Lipinski from Illinois is recognized for five 
minutes for questions.
    Mr. Lipinski. Thank you, Mr. Chairman.
    And I want to thank the Chairman and Ranking Member for 
holding this hearing. Certainly this is a very important issue. 
I have been very outspoken about the theft of intellectual 
property, especially by Chinese actors, but others around the 
world. It's a great threat to our economic security. I, though, 
think that we need to make sure that we're using a scalpel and 
not an ax to this problem.
    I appreciate Mr. Golden's comments about the value of 
having foreign nationals come to study here in the United 
States. So many Chinese have come here, as you mentioned, Mr. 
Golden, and have contributed to the United States not just both 
research-wise and also in regard to helping economically our 
nation.
    As an academic, I understand that, you know, my impression 
is that there is a lot more that can be done in order to make 
sure that our academic researchers are aware of the threats 
that are out there, nothing that I was doing--when I was doing 
my research was--would've been of interest to anyone 
economically for espionage, but--or for any reason like that, 
but I know Mr. Golden had mentioned a few things that you think 
should be done to improve security at universities and 
awareness by professors and students of potential intelligence 
threats they face.
    I want to know if there's anything else that any of our 
panelists wanted to add that can be done that you think 
universities should be doing, and is there any way to encourage 
universities to do more of improving awareness of faculty 
members, staff, and students at universities? Ms. Van Cleave?
    Ms. Van Cleave. Congressman, I understand that within the 
56 field offices of the FBI one of their responsibilities is to 
be able to work with universities within their jurisdictions to 
be able to raise awareness. So to have good relations between 
the field offices of the FBI and the universities is something 
where one would encourage university leadership to take 
advantage of that kind of awareness opportunity that the Bureau 
represents, and we've asked them to take on the job.
    But I'd also like to interject something to sort of round 
out the picture here. We've talked about the value--the 
extraordinary value of having international students here on 
our campuses, and it's good for us, it's good for our student 
population, it's good for America generally to have them here. 
And we've also said it's good for the foreign students who come 
here. Their lives are enriched, and especially those who are 
coming from countries that may be closed or may not have our 
freedoms and liberties.
    And we are welcoming them here and showing them perhaps a 
different way, a new way of life, which leads me to interject 
this: The foreign intelligence presence on our universities is 
not limited to trying to develop sources or trying to access 
our research. There is yet a third purpose behind their 
presence on our university campuses. For some countries that 
purpose is to enforce their security concerns about their 
foreign nationals who are present there. So look at it from the 
standpoint of those young students who may be here experiencing 
new things, while at the same time, they know they're being 
watched. And that is something that I find to be troubling. So 
I think we should be also aware of that purpose of the foreign 
intelligence presence on our universities.
    Mr. Golden. That's actually--I think Michelle makes a very 
good point there because there's always--there's been a feeling 
at several universities I think that in some classes Chinese 
students may be afraid to speak candidly for fear that other 
students are keeping an eye on them and reporting back. You 
know, and there's been recent publicity about--I think it's 
called the Chinese Student and Scholars Association and its 
connection to the Chinese Embassy. And I spoke to Derek Bok, 
the former President of Harvard, for my book and he said that a 
professor at Harvard Law School at one point had come to him 
and said Chinese students were telling them they couldn't speak 
candidly in class because of that fear. And Harvard tried to 
figure out what it could do about it and couldn't come up with 
anything.
    Mr. Lipinski. Well, I was going to ask, what can be done 
about that?
    Mr. Golden. Yes, he said they just didn't have the capacity 
to try and investigate that on their own. Harvard didn't know 
what to do, so I don't think they did much of anything. But it 
is another concern of students feeling like they don't have the 
freedom to speak up.
    Mr. Lipinski. And anyone else, any suggestions, 
recommendations, incentives that we could give to universities 
to make sure that they are, you know, paying attention to all 
of these issues?
    Mr. Hassold. I think one of the things that--one of the 
focuses is--that we talked about today is cooperation between 
universities and law enforcement. I think there also needs to 
be more cooperation between universities themselves. Mr. Beyer 
earlier brought up REN-ISAC, which is an absolutely fantastic 
resource that universities have access to. It's very much a 
centralized repository of knowledge specifically for cyber 
attacks targeting universities. As I understand it, I've gotten 
to know the folks over there pretty well over the course of my 
research. Their operational team is only about a half dozen 
people at this point, and they handle about, you know, a couple 
hundred institutions. Those types of entities are--would be 
much more valuable to the university as a whole so they 
understand what's going on, targeting other universities and 
not just what's going on targeting their own university.
    Mr. Lipinski. Very good. Thank you. Thank you, Mr. 
Chairman, for the extra time.
    Mr. Higgins. I thank my colleague, and I recognize Mr. 
Marshall from Kansas for five minutes for questioning.
    Mr. Marshall. Thank you, Mr. Chairman. My first question is 
for Ms. Van Cleave.
    Ms. Van Cleave, I'm a freshman Congressman, and one of my 
jobs is trying to prioritize and figure out how big problems 
are. There's plenty of problems for us to solve. You know, our 
trade deficit was a $575 billion problem. I've been told that 
this intellectual theft may be worth $500 billion, $1 trillion. 
Can you kind of put a number to it or just a wild guess on how 
much is this impacting our country every year?
    Ms. Van Cleave. So the Intellectual Property Commission 
headed up by Admiral Blair and Ambassador Huntsman first met in 
2013 and issued a landmark report. They updated it just last 
year, and their estimate is $510 billion roughly in 
intellectual property theft in the last year.
    Mr. Marshall. And all that could basically buy down our 
trade deficit. That's amazing.
    I think I'll go to Mr. Wessel next. Mr. Lipinski talked 
about using a scalpel. I would talk about using a laser. If you 
were to focus on the companies that are the bad actors, the 
cheaters, the people that are basically robbing our banks, what 
are we doing now to punish them? What could we do? Why aren't 
we punishing these people that are trying to steal--and 
stealing the bigger companies? Is anything happening?
    Mr. Wessel. There are some things happening at--you know, 
the problem, as identified by the Commission and many others is 
ongoing and, you know, there's no way to get your hands around 
it all the time. But the failure to have significant ongoing 
sanctions has sent a message that much of what goes on you can 
get away with.
    You may recall that President Xi and President Obama signed 
a memorandum of understanding on the use of cyber espionage for 
economic gain. The problem was that the Chinese don't view 
economic gain as, you know, a separate inbox on the President's 
desk. Economic and national security are inextricably 
intertwined. So part of the problem is making sure we define 
the issue, we have coherent responses, and that there are real 
sanctions and costs for what happened.
    I mentioned earlier about the indictments of the five PLA 
hackers for going into five U.S. companies, Westinghouse, a 
number of others. The indictment was sealed. There's been no 
follow-up action.
    Mr. Marshall. And when you say sanctions, can we do 
sanctions just on companies rather than entire countries?
    Mr. Wessel. Yes, you can. I mean, we've had--there--in 
those--that situation there was a tasking, meaning that certain 
companies ask the Chinese Government for information or work 
with them to get it. The information was obtained through five 
PLA hackers and transferred back to the companies. And then 
that was utilized. U.S. Steel filed a case at the ITC on this 
trying to have a sanction that was ultimately ruled--the case 
was thrown out. There are ways of looking at what has been 
taken, what has been applied in the market and sanctioning 
specific companies where also a broader problem that's going to 
need a more general solution to.
    Mr. Marshall. Give me an example of something that we as 
Americans would consider intellectual theft that the Chinese 
wouldn't, that it's okay? That--you kind of mentioned something 
there that I didn't quite follow that.
    Mr. Wessel. No, when they were--after they signed the 
agreement, there was this view that China was going to limit 
its cyber incursions into the United States and the prohibition 
or the agreement was it was not going to affect economic 
issues. They wouldn't do it for economic gain. But China views 
their economic progress, their security, their growth rate as 
part of their national security. If they can't----
    Mr. Marshall. So their means justifies the ends? It's 
okay----
    Mr. Wessel. Correct.
    Mr. Marshall. --to cheat as long as it benefits----
    Mr. Wessel. Correct. Their----
    Mr. Marshall. --their national security so to speak?
    Mr. Wessel. Correct. And a different definition. They 
didn't view it as economic espionage; they viewed it as----
    Mr. Marshall. Yes.
    Mr. Wessel. --enhancing their national security.
    Mr. Marshall. Mr. Golden, what would you do to microfocus, 
to laser in on the companies that are cheating?
    Mr. Higgins. Would the gentleman turn his mic on, please?
    Mr. Marshall. Okay.
    Mr. Golden. So I focused--my book is about espionage in 
academia and higher education----
    Mr. Marshall. So, great. So people are espionaging 
intellectual property from universities. What would you do to 
punish them? What are we not doing? Why do we just turn our 
head and say it's okay?
    Mr. Golden. Well, yes, that's a good question Congressman, 
and I can speak to that. You're right; there has been a number 
of examples where, you know, people have been caught spying, 
and the universities have not really punished them. For 
example, the case a few years ago of the Russian illegals in 
the United States, the 10 Russian illegals----
    Mr. Marshall. Right.
    Mr. Golden. --the case that gave rise to the show The 
Americans, seven or eight of them had been in U.S. universities 
and one of them had gone to Columbia Business School, and 
evidence came out that her role there had been to recruit 
classmates and professors, and yet Columbia didn't revoke her 
degree when it came out that she wasn't Cynthia Murphy, she was 
Lydia Guryeva and she was working for Russia.
    Mr. Marshall. We're over my time. I'm sorry. I yield back 
the rest of my time. Thank you.
    Ms. Van Cleave. Mr. Chair, if I might interject, I need to 
correct the record of an answer I just gave a moment ago. The 
$510 billion figure which I cited in fact is the amount that we 
annually invest in R&D, but consulting my notes of the 
Huntsman-Blair Commission report, they had this to say last 
year: ``We estimate that at the low end the annual cost to the 
U.S. economy of several categories of IP theft exceeds $225 
billion with the unknown cost of other types of IP theft almost 
certainly exceeding that amount and possibly as high as $600 
billion annually.''
    Mr. Marshall. Six hundred billion?
    Ms. Van Cleave. Yes.
    Mr. Marshall. Yes, thank you.
    Mr. Higgins. I thank my colleagues, and if our panelists 
will accommodate us, we'll have a second round of questioning 
if you can all stay. Thank you. I recognize myself for five 
minutes for questioning.
    Mr. Wessel and Ms. Van Cleave, the China-United States 
Exchange Foundation, a China-based and government-connected 
foundation, is registered as a foreign agent representing 
China. Do you find it concerning that some universities in the 
United States have accepted funding from this foreign agent, 
and how should universities handle outside organizations like 
this when it comes to potential funding? Mr. Wessel?
    Mr. Wessel. I find it very troubling and talk about that 
briefly in my testimony. It's a function of a number of things, 
including the funding problems I think was referred to earlier 
that we face with higher education. They are seeking these 
funds. They are seeking foreign students who often pay the full 
boat when they're applying.
    I think, number one, we should be monitoring their 
activities. Number two, we should be requiring that students 
who attend those programs be informed of the nature of the 
sponsorship. The curriculum, the personnel are chosen by the 
Chinese Government or those working for the Chinese Government, 
and their materials should have a disclaimer on it so people 
understand that this is an attempt to influence and it's 
essentially propaganda.
    Mr. Higgins. Ms. Van Cleave?
    Ms. Van Cleave. It's hard to add to that statement. I fully 
endorse what Michael said. This is a serious concern. Of 
course, it is also an opportunity when we know that there's a 
specific foreign interest in a particular university. From a 
counterintelligence perspective, it shines a light that that 
nation-state has a particular interest here and is willing to 
invest money in it, but it's small compensation for the risk 
presented.
    Mr. Higgins. Is there enhanced vetting at the federal level 
for a foreign exchange student out of a potential threat 
nation-state like China where there's examples of intellectual 
property theft? Is there enhanced vetting at the federal level 
right now prior to the university level?
    Ms. Van Cleave. Not that I am aware of. Others on the panel 
may have a different insight on that----
    Mr. Higgins. I think they should be.
    Ms. Van Cleave. --but as long as they're meeting the 
requirement for the visa to be issued and they have the support 
of the university, we are a very open and welcoming country.
    Mr. Higgins. Let me ask you each this question. How can the 
United States universities vet or conduct due diligence on 
potential Chinese or other foreign partners that may have 
access to our laboratories and in our universities?
    Mr. Wessel. My view of that is that's primarily a 
governmental role and not the universities' but that--where 
there are--again research that's going on either with cleared 
defense contractors with governmental agencies where there's 
federal money, there should be a certain level of scrutiny.
    And to your earlier question, one of the problems we found 
at the China Commission was that foreign students were coming 
in under visas, for example, to study liberal arts, and once--
and they would change a semester later to physics, to computer 
sciences, et cetera, where there may be threats that we want to 
look at. Universities should be responsible when the terms of a 
student's participation at the university has changed, to talk 
to the authorities, inform them, and then leave it to the 
authorities as to whether there should be follow-up.
    Mr. Higgins. Do you believe vetting at the federal level 
should be tied to the intended course of study for foreign 
exchange students?
    Mr. Wessel. I believe the--for the target of the research--
and so I'm focused more on the laboratory work that's done 
rather than just the general teaching at a university, so a 
computer science course is one thing, but if that person goes 
into computer science lab where there may be work on 
encryption, for example, that should have higher scrutiny.
    Mr. Higgins. And for federally funded university 
laboratories, should there not be a responsibility to report 
that adjustment of that student's intended course of study?
    Mr. Wessel. Yes. As I said earlier, if they change the 
terms of their visas when they came here and what the situation 
they were supposed to enter, if that changes, there should be 
information to the Federal Government.
    Mr. Higgins. Thank you for your answers.
    I recognize my colleague, Mr. Beyer, for five minutes for 
questions.
    Mr. Beyer. Thank you, Mr. Chairman, very much.
    You know, the National Science Board recently released its 
biennial Science and Engineering Indicators report, and the 
basics is that federal investment in basic research and 
development vis-a-vis the United States, the Chinese are 
rapidly gaining ground on us. I talked to many of my friends in 
the medical field, and they just talk about how much more 
they're investing than we are. And of course this is 
unacceptable if we want to maintain our leadership in science 
and engineering.
    But to the point of this commission, what role does 
persistent flat funding of U.S. science research have on our 
reliance on cost-sharing with international partners or give us 
additional vulnerabilities in terms of espionage? Anyone want 
to grapple with that question?
    Mr. Wessel. I think it makes us vulnerable. There have been 
instances in the past, again, from the China perspective where 
there have been investments by or attempted investments by 
Chinese entities, government-affiliated in our universities and 
those that have, you know, stable funding in States where 
they're a public university where there have been budget cuts 
for any of a number of reasons, and there has been greater 
receptivity to those investments. That of course then opens up 
the underlying research to advantage other players. That has a 
serious cost to it.
    Mr. Beyer. Great. Mr. Golden, some half-hour ago you wanted 
to jump in on the Goethe-Institut vis-a-vis--well, the 
Confucius Institute vis-a-vis Goethe, et cetera.
    Mr. Golden. Yes, thank you, Congressman, for giving me that 
opportunity. Well, one difference between the Confucius 
Institutes and these arms of other nations is that they tend to 
be on campus, whereas the institutes of the French, German, 
British Governments tend to be off-campus. And, you know, the 
Confucius Institute courses at many universities they are not 
for academic credit but at some universities they are, so 
they're more, you know, integrated for whatever reason kind of 
into the academic environment and thus, you know, might be 
potentially more influential. And of course they're also 
accompanied in some cases by quite a bit of money to the 
university.
    I was also going to say about them, you know, there was 
mentions of the foundation that is part of the Chinese 
Government. The Confucius Institute for all intents and 
purposes are an arm of the Chinese Government. They're from an 
affiliate of the Education Ministry. And the research for my 
book indicated that they're not intended as an arm of espionage 
because it's the Education Ministry, but at times, the--China's 
Intelligence Ministry does approach Directors and staff of 
Confucius Institute and ask them to gather information. And the 
FBI does as well. Both China and the United States are 
interested in using Confucius Institute personnel as 
intelligence assets because they're so well-positioned.
    Mr. Beyer. Okay. Thank you very much. You know, the 
National Science Foundation has had a long-standing policy of 
rarely doing direct support for foreign organizations and that 
when they did, it would have to be allocated only to the U.S. 
portion of a project. But in January this year, they revised 
its quote/unquote ``proposal and award policies and procedures 
guide'' to address all the international branches of American 
universities which are springing up around the world. And 
another revision calls for funding for a collaborative project 
involving foreign organizations, and they both now require the 
proposal requesting funds for an international branch or for a 
foreign organization to justify why the research activities 
cannot be performed on a U.S. campus or by a U.S. organization.
    Do you have any thoughts on National Science Foundation's 
policy change from rarely doing it out of the United States to 
just now allowing it for foreign organizations and for--or for, 
say, the George Mason campus in Qatar? Any thoughts?
    Mr. Wessel. My thought is I'd prefer--vastly prefer that it 
be occurring on U.S. university campuses, and if there's a gap 
here that our government, NSF, and others work to fill that gap 
here rather than through a foreign university collaboration.
    Mr. Beyer. Yes. Well, thank you. You know, that's sort of 
the half-point I wanted to make. On the one hand, the previous 
question, we want a--we keep hearing again and again that the 
National Science Foundation is able to award an ever-smaller 
percentage of its excellent proposals with money because 
there's just not enough research money with this interesting 
change in policy, suggesting that they're going to invest 
overseas rather than here. So--anyway, thank you very much.
    Mr. Chair, I yield back.
    Mr. Higgins. I thank my colleague and recognize Mr. 
Loudermilk for five minutes for questions.
    Mr. Loudermilk. Thank you, Mr. Chairman. I appreciate the 
additional time.
    Mr. Hassold, I kind of want to circle back to where we left 
off in the previous questioning regarding the Iranian attacks 
on our universities. We were discussing whether or not they 
were softer targets, and you explained that there's more 
transition within the universities and a lot of corporate 
businesses. A follow-up on that is did these Iranian actors 
have the same success rate with non-academic organizations, 
institutions as they did the academic?
    Mr. Hassold. The outcomes of the attacks is something I do 
not have insight into, as well as I believe the private 
organizations that were targeted is something that's only--that 
I only know of through the FBI--or the DOJ indictment.
    Mr. Loudermilk. Okay. I appreciate that. Of the 31 
terabytes that's been reported that was stolen, what type of 
data was contained in that?
    Mr. Hassold. That's also something that's--that I don't 
have specific knowledge into. I just know that they--that the 
targeting that I observed was the academic research databases. 
I'm assuming that much of that 31 terabytes came from that 
exfiltration data.
    Mr. Loudermilk. Okay. And from what I've read, a lot of it 
is medical research and R&D-type information. How do these 
universities respond? When you notify them or when they realize 
that they've been a target of a phishing attack or an outside 
breach into their systems, how have they responded to these, 
specifically, the Iranian attack?
    Mr. Hassold. So since I've started researching the group 
and their attacks, every time I've identified a new American 
university that's been targeted, I have both contacted REN-ISAC 
to let them filter the information through their specific 
context for universities, as well as when I've been able to 
identify a specific point of contact at a university, I 
directly informed them of potential phishing attack. REN-ISAC 
has been fantastic. They have--we've been in communication a 
significant amount, and they have confirmed that notifications 
have gone out.
    I haven't gotten response back from universities based on 
my communications. However, I wouldn't really expect that. I 
would really more expect them to take the information and try 
to mitigate on their side. From what I understand with most 
phishing attacks, the way a lot of universities deal with them 
is that they block the malicious sites and most infrastructure 
on their internal networks, which is a quick way to deal with 
them. However, one of the issues with that is if there is a 
user that is not on the network that tries to access the malicious 
sites, that same protection is not afforded to them. So things 
like actually trying to mitigate the actual sites and shutting 
those sites down is an additional step that could be done to 
help prevent the damage caused by these types of attacks.
    Mr. Loudermilk. Well, have you seen, are they reporting 
these IP addresses to have them blacklisted or do they 
communicate with other universities? I mean, the strength of 
these research universities is the collaboration on their 
research and development. Are they collaborating with one 
another to highlight that, you know, we've been subjected to a 
phishing attack, we've been--data has been breached? Are they 
going outside of their own infrastructure? I mean, I commend 
them. You know, you go into your gateway, your firewall, you 
block that IP address, but from an IT perspective, there seems 
to be so many more things that could be done, hiding your page 
such as this so it's not available to the public to replicate 
that, that you have to be interior to the network to actually 
get to that page, reporting to your internet provider to have 
the IP blacklisted, I mean, that's one step that--of course, 
they can change their IP addresses, but also education and 
collaborating with other universities. I mean, do you see that 
they're doing this and what other steps could they or should 
they be taking?
    Mr. Hassold. I'm sure every university is different 
specifically how they deal with these types of attacks. There 
are resources like REN-ISAC, which I've mentioned multiple 
times, that sort of is that central place for intelligence and 
information-sharing that they can use. I don't know how much 
universities directly interact with one another, especially--I 
would assume that there would be some sort of interaction.
    There are some other defensive tactics that would probably 
stem the effectiveness of these types of attacks like 
multifactor authentication that a lot of schools don't utilize. 
And from what I've learned with my discussions with university 
partners, as well as some of the folks at REN-ISAC, the cost 
associated with implementing multifactor authentication is 
pretty significant, and a lot of universities don't have the 
sources of funding to be able to pay for things like that. But 
something like multifactor authentication would be able to 
prevent some of these types of attacks after the fact by not 
allowing foreign actors to be able to log in to the actual 
legitimate pages.
    Mr. Loudermilk. I appreciate that. And so as with any 
attack, it appears this could have been prevented by, you 
know--and hindsight is 20/20, but it could have been prevented.
    Last question. Are the universities taking this serious 
enough to prevent it from happening in the future? And I'll 
open that up to anybody on the panel.
    Mr. Hassold. That's a good question. That would be a 
question I think would be better suited to be answered by the 
actual universities. I think they would probably have better 
insight into it. But I think this--these--this type of threat 
is so sophisticated that dealing with it would take significant 
resources to do and a significant planning and collaboration 
amongst the entire academic institution.
    Mr. Loudermilk. Thank you. Anyone else care to--all right. 
Well, Mr. Chairman, thank you. I yield back.
    Mr. Higgins. I thank my colleague.
    This has certainly been an enlightening conversation we've 
engaged in today. I thank the witnesses for their valuable 
testimony and the Members for their questions. The record will 
remain open for two weeks for additional comments and written 
questions from Members.
    The Science, Space, and Technology Oversight Subcommittee 
and Research and Technology Subcommittee joint hearing is 
adjourned.
    [Whereupon, at 12:01 p.m., the Subcommittees were 
adjourned.]

                               Appendix I

  
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]

                                 [all]