America’s Hidden Frontline: Why Universities Are Now a Matter of National Defense
Today, one of the country’s most important and least defended battlefields is not a military base or government bunker – it is U.S. universities. Universities are not merely centers of education; they are the research core of America’s strategic advantage. Each year, they conduct tens of billions of dollars’ worth of federally funded research and development, producing technologies that feed directly into U.S. defense, intelligence, space systems, critical infrastructure, and emerging dual-use capabilities. America’s military strength, in many ways, begins in its university labs. But here is the problem: the very labs that house some of the nation’s most sensitive research are among the easiest targets in the world for nation-state cyber actors.
A Strategic Vulnerability: Universities Are Under Attack
According to the FBI, foreign actors—especially state adversaries—actively seek to illicitly acquire U.S. academic research to advance their own scientific, economic, and military objectives. By stealing university-generated knowledge rather than developing it themselves, these actors save years of investment and billions of dollars, accelerating technological progress by entire generations [1]. The scale of this threat is not theoretical. In 2020, two Chinese operatives carried out cyber intrusions targeting U.S. universities and leading immunologists engaged in cutting-edge COVID-19 research [2]. According to the U.S. Attorney’s Office for the Southern District of Texas, these intrusions—carried out between February 2020 and June 2021—were directed by officers of the PRC Ministry of State Security’s Shanghai State Security Bureau (MSS/SSSB). Only one operative was ultimately arrested in Milan, underscoring a sobering reality: U.S. law enforcement can occasionally disrupt hostile operations, but current capabilities remain insufficient to protect universities from persistent state-backed intrusion.
China is not the only state actor expanding cyber operations against academia. North Korea has become an increasingly aggressive threat. In 2023, the U.S. Department of Defense, the FBI, the State Department, and several federal agencies issued a joint advisory detailing how DPRK-sponsored hackers employ highly tailored social-engineering tactics to infiltrate U.S. and global universities [3]. The advisory identified the Reconnaissance General Bureau (RGB)—North Korea’s primary military intelligence organization and a UN-sanctioned entity—as the central body responsible for these operations. These operators frequently impersonate journalists, scholars, or policy analysts to conduct spear-phishing campaigns, seeking access to sensitive research files, diplomatic assessments, and private communications.
Beyond espionage, the Department of the Treasury has warned that the DPRK deploys overseas IT workers to illicitly generate hundreds of millions of dollars for its ballistic missile and weapons-of-mass-destruction programs [4]. This is concerning given that ransomware attacks on universities are on the rise, and colleges often have no choice but to negotiate and pay the attackers to restore their data. This became evident in 2020 when, after 6 days of negotiation, the University of California San Francisco paid over $1.1 million to free its ransomware-locked servers [5]. This raises a disturbing concern for the academic sector: universities, which are increasingly targeted by ransomware, may unknowingly be funding Pyongyang’s military ambitions. So, the question we must confront is whether the United States can continue to overlook the severity of this problem while potentially helping finance a hostile regime’s missile program through university ransom payments.
Iran has pursued similar campaigns. In 2018, the Department of Justice indicted nine Iranian nationals affiliated with the Mabna Institute—a contractor for the Islamic Revolutionary Guard Corps—for conducting a massive cyber theft operation targeting 144 U.S. universities [6]. Over the course of the conspiracy, the group stole more than 31 terabytes of academic data and intellectual property from universities, private companies, and government agencies. U.S. institutions collectively spent over $3.4 billion to procure and access the stolen research. Although the attackers were sanctioned by the Treasury Department, all nine remain on the FBI’s Most Wanted list, highlighting the persistent impunity with which state-backed actors operate in the academic domain.
Taken together, these cases illustrate a fundamental reality: universities are no longer peripheral to national security—they are central to it. America’s adversaries understand this connection, and their cyber operations reflect it. The United States must now reconsider its conception of national defense and adopt measures that elevate the protection of academic institutions to a strategic priority.
What Makes Universities Vulnerable?
Microsoft observes that the very openness that makes American universities engines of global discovery also leaves them uniquely exposed to cyber intrusion [7]. Unlike the Pentagon, intelligence agencies, or federally managed national laboratories, universities were never designed to operate as high-security digital fortresses. Their structures and norms reflect an academic culture built on openness, collaboration, and information sharing—an ethos that sophisticated adversaries exploit with increasing ease.
By design, universities are open ecosystems: cross-institutional collaboration, visiting scholars from around the world, and highly interconnected networks create an enormous and dispersed attack surface. Microsoft notes that this openness forces universities to maintain more relaxed email hygiene than other sectors. This is especially dangerous given that more than 90% of successful cyberattacks begin with a phishing email—a vulnerability that the U.S. Cybersecurity and Infrastructure Security Agency has repeatedly emphasized [8]. Within a university environment, where tens of thousands of users interact across diverse systems every day, this risk is magnified. Once an attacker secures an initial foothold, lateral movement becomes far easier, potentially exposing everything from classroom platforms and research servers to student records and sensitive personnel data. The same openness that accelerates innovation can, in the wrong hands, become a strategic liability.
Compounding this exposure is the internal complexity of universities themselves. They function less like singular institutions and more like sprawling digital cities, each containing dozens (sometimes hundreds) of semi-autonomous departments, research centers, laboratories, medical institutes, and administrative units. Each unit often manages its own software stacks, devices, data repositories, and IT personnel. This decentralization creates profound cybersecurity challenges. A compromise in a single lab with outdated systems can become the entry point for attackers to pivot into far more sensitive areas of the broader university network. The 2023 breach at the University of Michigan illustrates this dynamic: attackers initially accessed personal data controlled by one department and then expanded into the University Health Service and the School of Dentistry, exposing sensitive information across multiple units [9]. The diversity and fragmentation of academic operations dramatically expand the attack surface and make unified cybersecurity governance extremely difficult.
These structural vulnerabilities are further exacerbated by chronic resource constraints. Most university cybersecurity teams are far too small for the technological complexity and relentless threat tempo they face. According to Educause, central IT staffs represent only about 4% of all university personnel on average [10]. While nation-state cyber units operate continuously, universities often rely on overextended and underfunded IT departments that simply cannot match the pace or sophistication of adversaries. Many institutions struggle with fragmented asset ownership, shortages of trained cybersecurity professionals, and the burden of securing environments that combine cutting-edge research systems with decades-old legacy infrastructure.
Given these conditions, it is unsurprising that universities have become some of the most aggressively targeted institutions in the country, facing an average of 2,507 cyberattack attempts per week [7]. Adversaries understand that infiltrating an academic network offers enormous intelligence payoffs—from advanced research data and defense-related innovations to credentialed access into federally funded laboratories. America’s academic infrastructure has become a high-value target, and foreign cyber actors know exactly how to exploit its weakest points.
Conclusion: The Future of American Power Depends on Protecting Its Universities
Foreign adversaries already understand that America’s innovation advantage begins on campus. If the United States cannot protect its universities, it cannot protect the technological and scientific edge that underpins its national security. The frontline has shifted—and the nation’s strategy must shift with it. Defending American higher education now requires a broader, modern understanding of national defense, one that extends beyond missiles and military bases to the digital infrastructure supporting the country’s research ecosystem.
As nation-state cyber actors increasingly target academic institutions, the United States must recalibrate its higher-education security posture with stronger measures and clearer priorities. First, the country must expand and professionalize its cybersecurity workforce. The U.S. currently faces a shortage of more than 500,000 cybersecurity professionals, a gap that threatens every aspect of national cyber defense [11]. No technology, standard, or framework can succeed without the trained personnel required to implement and sustain it.
Second, the federal government should develop a National Macroeconomic Cybersecurity Dashboard, one that explicitly includes the academic sector. Virtually every major category of national risk is modeled through macroeconomic systems that allow policymakers to measure costs, benefits, and strategic trade-offs. Yet no equivalent model exists for cyber risk, especially the unique vulnerabilities of universities. Despite spending tens of billions of dollars annually on cybersecurity programs, policymakers remain largely blind to the true economic and strategic costs of attacks on higher education: disrupted research timelines, stolen intellectual property, compromised federal grants, and weakened U.S. technological competitiveness. Without a model that quantifies these losses, the nation cannot accurately assess the return on investment of specific university defenses, the comparative value of incentives versus regulations for campus security, or the systemic ripple effects of major breaches across the research ecosystem. A macroeconomic framework for cybersecurity, one that treats universities as critical national assets, would finally enable rational, targeted, and sustainable investment in safeguarding the academic institutions that drive American innovation.
Only by embracing this expanded conception of national defense can the United States secure the universities that form the bedrock of its long-term strategic power.
Endnotes:
1. Federal Bureau of Investigation. China: The Risk to Academia. U.S. Department of Justice, 2019.
2. U.S. Attorney’s Office, Southern District of Texas. Chinese State-Sponsored Hacker Arrested on U.S. Warrant. U.S. Department of Justice, 8 July 2025.
3. U.S. Department of Defense, U.S. Federal Bureau of Investigation, U.S. Department of State, National Security Agency, Republic of Korea National Intelligence Service, Republic of Korea National Police Agency, and Republic of Korea Ministry of Foreign Affairs. North Korea Using Social Engineering to Enable Hacking of Think Tanks, Academia, and Media – Joint Advisory (CSA-20230601-1). 1 June 2023.
4. U.S. Department of the Treasury, Office of Foreign Assets Control. Treasury Sanctions Fraud Network Funding DPRK Weapons Programs. 27 Aug. 2025.
5. Mehrotra, Kartikay. “How Hackers Bled 118 Bitcoins Out of Covid Researchers in U.S.” Bloomberg, 19 Aug. 2020.
6. U.S. Department of Justice, Office of Public Affairs. Nine Iranians Charged with Conducting Massive Cyber Theft Campaign on Behalf of the Islamic Revolutionary Guard Corps. 23 Mar. 2018.
7. Cyber Signals Issue 8: Education under Siege – How Cybercriminals Target Our Schools. Microsoft Security Blog, 10 Oct. 2024.
8. Cybersecurity and Infrastructure Security Agency. Shields Up: Guidance for Families. n.d.
9. CBS Detroit. “University of Michigan Says Hackers Gained Personal Information of Individuals in Cyberattack.” CBS News, 23 Oct. 2023.
10. 2024 CDS Interactive Almanac: IT Spending and Staffing. 2024.
11. U.S. House Committee on Homeland Security. “Chairman Green Announces Hearing on America’s Cyber Workforce Shortage Amid Rising Threats.” Media Advisory, 21 June 2024.