University of California faculty push back against Big Brother cybersecurity mandate

From ScienceMag:

Faculty and administrators at the University of California (UC) have settled into a bitter stalemate in a dispute over privacy and academic freedom. For more than a year, faculty members have voiced loud opposition to a cybersecurity mandate they say hands administrators and federal agencies access to their research and communications. Last month, they learned the UC president’s office would not issue any further statements on the issue, a decision faculty say underscores their frustration over limited dialogue about the mandate, which began going into effect in May.

The long-running dispute centers on Trellix, a cybersecurity software UC now requires on all university-owned computers used by faculty and even personal computers accessing certain online university resources. UC officials say it is essential for defending against a surge in digital threats. But faculty warn that Trellix is highly intrusive and effectively gives administrators the ability to view, or even remotely manipulate, nearly all activity on their devices. Trellix’s participation in the federal Joint Cyber Defense Collaborative, which aims for “rapid information sharing” between private companies and federal agencies, is stoking the concerns. Faculty fear the software could expose sensitive research, regulated health data, and high-value innovations to a presidential administration already hostile to higher education.

“Putting this kind of software on our machines completely obliterates our ability to speak and think freely in our academic communities,” says Lilly Irani, a communication scholar of technology at UC San Diego (UCSD). “It feels very much like Big Brother is sitting on the shoulder of every worker at the University of California,” adds Mia McIver, executive director of the American Association of University Professors, which sent a letter to UC officials today expressing “deep concern” about the policy.

Trellix is part of a class of cybersecurity tools that shield against ransomware and other attacks by constantly scanning a computer for any sign of intrusion. According to information posted online by the UC Office of the President (UCOP), Trellix can collect file names and browser history as needed and can remotely remove malicious files. 

In February 2024, then–UC President Michael Drake announced all employee computers connected to university networks would be required to install Trellix by May 2025. Campuses failing to comply would face penalties of up to $500,000 per security incident and a 15% increase in cybersecurity insurance costs. Unionized employees, including postdocs and graduate students, were exempt because adding such terms to their contracts would have required separate negotiations.

A spokesperson for UC, which in 2020 paid $1.14 million to a ransomware gang that penetrated computers at UC San Francisco, told Science the university established the mandate in response to “numerous requirements under federal and state law” and “to remain eligible for cybersecurity insurance at a reasonable cost.” University officials add that UC is not alone, claiming the software is in place at more than 600 colleges and universities—though the spokesperson and Trellix both declined to provide a source for those numbers.

UC faculty note that Trellix, formerly known as FireEye, was itself hacked by Russian intelligence in the 2020 SolarWinds cyberattack that compromised more than 250 federal agencies. Because it has full administrative control over every computer it monitors through a mechanism called “root access,” Trellix could become a single point of failure if breached, faculty argue. Adopting Trellix could make UC systems “more rather than less vulnerable to threats,” the UC Berkeley Division of the Academic Senate wrote in a May letter to the UC president.

Trellix’s root access privileges could also allow administrators or the government to view anything on faculty computers at any time, without a warrant, says Kevork Abazajian, a cosmologist at UC Irvine (UCI). In an email to Science, a Trellix spokesperson wrote that the company “will not disclose any UC or other customer data unless required to do so under law or a valid government order. In such an event, we would first give the customer notice of the demand and an opportunity to object, unless legally prohibited from doing so.”

UC says it would not allow such intrusions in the first place. “The university’s long-standing Electronic Communication Policy … strictly prohibits administrators from accessing user content without due process, such as a warrant,” says Van Williams, UC’s vice president for information technology services.

But many faculty members aren’t convinced by those assurances. “Once someone has access for a legitimate purpose, there is also access for illegitimate purposes,” Abazajian says. Given federal efforts to cut university funding, Irani also fears it might be hard for UC administrators to stand up to government officials seeking information on faculty computers. “It seems like a recipe for UCOP to end up in a situation where it’s going to get blackmailed by grant cancellations to give up information about what we’re teaching and researching.”

The objections have sparked a flurry of letters, petitions, and resolutions. Most recently, in June, UC’s Academic Senate—which shares decision-making power with the administration on matters affecting teaching, research, and academic policy—passed a resolution with an 82% supermajority demanding an immediate halt to Trellix. That same month, more than 1000 faculty signed a petition opposing the rollout, followed by another 1 August letter calling for its suspension. But on 15 September, Academic Senate Chair Ahmet Palazoglu relayed that UCOP would not respond to the August letter or issue future UC-wide messages regarding Trellix.

Despite the protests, all 10 UC campuses have rolled out the software, with varying policies. UCSD has said Trellix is required on both university-owned and personal laptops that access “trusted resources,” such as restricted research databases. UCI requires Trellix even for access to routine resources such as Canvas, the learning platform professors use to communicate with students, and employee timesheets. In response, some UCI faculty say they have resorted to teaching from “burner laptops” or virtual machines to avoid putting Trellix on computers where they store their data.

Organizers of the push to end the mandate say their fight isn’t over. “We certainly intend to keep the pressure up,” says Claudio Fogu, director of UC Santa Barbara’s Italian program.  A UC spokesperson told Science that administrators continue to be committed to an open dialogue with faculty. “This is a complex matter that requires nuanced, continuous conversation,” they wrote by email.

The stalemate has shaken faculty confidence in the Academic Senate’s power and has pushed some toward unionization. The UC system is home to a union that represents nearly 50,000 graduate students, postdocs, and academic researchers—but no tenured and tenure-track professors. “For many years, I thought we didn’t need a union,” says Walter Leal, a professor of molecular and cellular biology at UC Davis. “Now, I believe the only way out is if we’re effectively unionized, which is a very dramatic change.”

Read More