University of California administration says it's just going after "bad actors."
Days after a group of concerned professors raised alarm bells over a new network monitoring system installed at the University of California, Berkeley and the other nine campuses of the University of California system, a separate committee of system-wide faculty has now given its blessing. Some Berkeley faculty remain concerned that their academic freedom has been threatened by the new full packet capture system that sits on each campus network’s edge, however. They say that retaining such information could be used as a way to constrain legitimate discussion or research on controversial topics.
Last summer, the University of California Office of the President (UCOP) ordered that a Fidelis XPS system be installed at all 10 campuses at a total estimated cost of at least a few million dollars. The Fidelis hardware and software is designed to "detect attacks" and analyze "every single packet that traverses the network."
The move came in response to a July 2015 attack against the University of California Los Angeles Health System, which resulted in 4.5 million records being stolen. Following that attack, University of California President Janet Napolitano, the former Secretary of Homeland Security, moved quickly to bring more digital monitoring onto the campuses, which stretch from Berkeley to San Diego. The UC Regents, the governing board of the entire UC system, now face 17 separate lawsuits as a result of the breach at UCLA. Similar network monitoring hardware has also been installed at other universities nationwide.
"We recognize that the essential openness of the University represents a cybersecurity challenge,"David G. Kay, a University of California Irvine computer science professor and head of the UC-wide committee, wrote in the Monday letter to the UC Academic Senate. "We have been informed that the monitoring of communications looked only for ‘malware signatures’ and Internet traffic patterns. As neither message content nor browsing activity were monitored, we believe this level of monitoring can be appropriate."
But exactly how the Fidelis XPS operates and what data is being retained and scanned is unknown.
Kate Moser, a UCOP spokeswoman, refused to answer Ars’ specific questions, referring us simply toprepared statements from both Napolitano and Executive Vice President Rachael Nava. She also pointed us to a new website, security.ucop.edu, which states, "UC is taking appropriate steps to prevent cyber attacks by advanced persistent threat actors." That site also touts the new Cyber-Risk Governance Committee, which acts as an umbrella group for the affected campuses, the Lawrence Berkeley National Laboratory, and the UCOP’s own network.
The recent dust-up arose when Ethan Ligon, a member of a Berkeley Information Technology committee began alerting other faculty that the UCOP had "intrusive hardware" installed on the campus, "over the objections of our campus IT and security experts." That e-mail went out several days after the UCOP formally rejected the Berkeley group’s request to shut the Fidelis system down.
"It's a black box," Ligon, a professor of agricultural economics, told Ars over coffee at a campus-adjacent café this week. "Our own IT staff don't have any access to it. It's not like their IT guys are better qualified than our IT guys."
He said that many IT staff are concerned about speaking out for fear of losing their jobs—few of them have the kind of job security that Ligon and other tenured professors have.
Ligon shared with Ars a slide deck that he prepared for a committee meeting earlier this week. The economics professor also pointed Ars to a 2005 UCOP policy document stating that while the administration is certainly allowed to do network monitoring, it doesn’t comport with the provision thatmandates the "least invasive degree of inspection."
Previously, campus-monitoring log files were deleted as a matter of course unless there was a specific reason to retain them. Ligon and his colleagues argue that this level of monitoring goes far beyond that policy, usurping the normal autonomy granted to each campus.
After being shown the Kay letter on Thursday, Ligon called this a "small move in the right direction" but said he hopes the UCOP will do more to acknowledge its role in perceived overreach. "The limited progress is the statement that UCOP's behavior constituted a ‘serious failure of shared governance,’" he added by e-mail. "But note that this is faculty saying this; we still don't have any acknowledgement of this from UCOP. Still, this seems to set the stage for UCOP to at least tacitly acknowledge that they misbehaved. Finally, the document doesn't say anything about stopping the monitoring, and indeed goes out of its way to suggest that it was justified."
The concern has extended beyond academia as well: Rep. Ted Lieu (D-Calif.) who represents western Los Angeles—including UCLA—has weighed in. Lieu is one of a handful of a computer science majors in Congress, and he is also a Lieutenant Colonel in the United States Air Force Reserves.