Summary of CUCFA Concerns Regarding the UCOP Cyber Security Mandate
The University of California is requiring all employees to comply with a cybersecurity mandate issued last year by the University of California Office of the President (UCOP). Deadlines vary across UC campuses, but all are requiring compliance at some point within the coming weeks. We have grave concern about the cybersecurity mandate and its implications for academic freedom, privacy and security. These concerns have been brought to UCOP on numerous occasions. UCOP promised to answer these questions but has failed to do so.
- Implementation Timeline
We have learnt that the UC system has suffered numerous and increasingly frequent cyber attacks and security breaches. For years, the administration has done little to study and address the problem. The price of this negligence has been doubled by the ultimatum issued by President Drake in February 2024 to create and implement a security plan by May 2025. According to all experts, including those who have worked on this implementation and testified in Senate meetings, trying to meet this timeline has led to hasty decisions that may create more problems than they solve. An extended deadline is the most appropriate answer to this widely acknowledged issue. The following concerns regarding specific aspects of the software chosen for the implementation make this pause even more of a necessity, along with the answers that UCOP has promised and never delivered.
- Additional Security Vulnerabilities
We are particularly troubled by the “Trellix” component of the ZotDefend package. This software was previously known as “FireEye,” a program that enabled a massive hack of its customers in 2021, including US government agencies, an attack so disastrous that the company was sold to a private equity firm and changed its name. The private equity firm still operates Trellix and has retained the same fundamental centralization feature that allowed the hack to be so damaging. This leads to a “software monoculture” wherein every device on a network runs the same program; the further centralization of such data leaves the entire network more, not less, vulnerable to potential attackers. Why is UC adopting this centralized model of security when others may be more effective?
- Transparency
Over the past year, significant questions have been raised by the Academic Senate, as well as by many experts and other stakeholders across the UC system, about the provenance of this software, about the process by which the University came to the decision to mandate its use, and about its potential impacts on academic freedom, human subjects data protection, privacy, mass surveillance, and security. Despite the many attempts to demand answers to these questions, UCOP has repeatedly dismissed inquiries and requests for transparency. Why have Senate faculty requests for information been repeatedly ignored by UCOP? What was the process by which this particular program (and the alternative “Nessus,” which has the same fundamental centralization) was chosen? Was a competitive RFP issued? Why haven’t faculty been allowed to review the due diligence reports?
- Impacts on Research
Many faculty members’ hardware and software are incompatible with the required toolsets, requiring them to either abandon decades of data or struggle with converting workflows. Many faculty also report concerns about the slowdown of computer processing due to the additional software.
- Lack of Clearly Defined “Use Policy” Leading to Potential Invasions of Privacy
The deployment of Trellix monitoring software permits extensive surveillance capabilities, including scanning all accessed and executed files, logging detailed metadata (such as filenames, paths, threat names, and hashes), quarantining files, and potentially uploading files deemed suspicious, thus severely compromising faculty privacy and autonomy. More information is available in Trellix’s Privacy Data Sheet. The toolsets required by the University will have full access to device information, including installed software; IP addresses (who you are on the internet at a certain time); your browsing history and application usage (what websites you visit and when, what files you open); and information on device use in real time, including processes running, files accessed, and network data.
Faculty have not been made aware of these facts prior to any installation, and have not been fully informed. Meanwhile, no clear “use policy” has been offered in order to guarantee protection of faculty data on and beyond campus.
For instance, Trellix documents suggest that “snapshots” of computer memory can be sent to their servers when an event is detected. What is the complete scope of information on our computers that can be accessed by persons other than the user when employing the full capabilities of the Trellix software and other ZotDefend components?
What safeguards exist against our data being acquired by an external agent if the present private equity owners divest?
What, if any, controls exist to safeguard HIPAA, assurances of confidentiality for human research participants, and intellectual property concerns? In particular, strong concerns have been expressed around the possible access of Trellix (and any company it chooses to share information with) to human subjects data stored securely on researchers’ devices.
- Inconsistent Interpretations of Mandate Across Campuses
The only devices thus far excluded are handheld devices such as mobile phones and iPads. Meanwhile, some campuses allow computers purchased with personal rather than university funds to be exempt. What determines this exemption, and why is it not uniform across campuses? Nor do UC campuses appear to be uniformly interpreting which precise campus resources (Canvas? Email? Libraries?) will be made inaccessible on devices without the installed spyware. We have the opportunity to learn from campuses that have innovated in addressing privacy, academic freedom, and data security. Differences among campuses should be clearly explained in transparent use policies.
- Violations of Academic Freedom
We are living in a time of unprecedented attacks on academic freedom. The current federal government has repeatedly pressured campuses, including our own, to turn over private, confidential information of faculty members in order to investigate and constrain their protected speech activities. Trellix is a member of the Joint Cyber Defense Collaborative, a joint task force of private companies and the federal Cybersecurity and Infrastructure Security Agency, which together engage in “rapid bilateral and multilateral threat information sharing.” Thus, data gathered by these tools will likely be accessible to government agencies without a warrant.
Can UCOP commit to guaranteeing that UC will not share any information obtained from such spyware with any governmental authorities or state agencies on demand?
In the current absence of such guarantees, the unchecked capacity of such software to monitor, upload, and even alter files without explicit consent would pose a significant threat to intellectual freedom, confidentiality of sensitive research data, and the ethical standards expected within our scholarly community. It would violate the guidance in the American Association of University Professors’ (AAUP) statement on Academic Freedom and Electronic Communications against pervasive surveillance of faculty personal communication and research material.