Gone in a Flash
“State-sponsored espionage” was the phrase that reverberated around the wooden walls of the Faculty House during the Nov. 19, 2015, meeting of the University Senate.
These words were uttered quickly and then faded to continued discussion among those in attendance.
Why was espionage being discussed at the senate meeting?
Martha Day, SKyTeach education codirector, GSKyTeach executive director and associate professor of science education, and Lynn Hines, professional in residence at the School of Teacher Education, traveled to China from Aug. 3-7, 2015, to conduct teacher training.
This training should have been nothing out of the ordinary for Day and Hines as their August trip was the third trip each had taken to China for that purpose. Typically, Day and Hines conduct teacher training workshops to prepare Chinese teachers who will be traveling to Kentucky.
However, the training in August was different. Day said they were asked to train college professors and educational administrators from across China instead of instructors teaching grades K-12, their previous trainees.
This discrepancy in the training was just the beginning of Day’s concerns. While in China, a flash drive belonging to Day was taken from her without her permission.
“This is a serious matter,” Day said at the November senate meeting. “I had four years of my scholarly work stolen from me and a virus installed on my flash drive.”
Her work included projects related to the Confucius Institute, lesson plans she had taught to Hanban teachers, evaluation documents related to Hanban teachers, information pertaining to her students and training materials.
Hanban/Confucius Institute is a public institution affiliated with the Chinese Ministry of Education.
Apart from Day’s compromised intellectual property, the duo discovered upon their return to the United States that the institute had misrepresented who was providing the training.
Day and Hines were told they would be working with Hanban/Confucius Institute, but they later discovered they were working for a for-profit company called Chinese Testing International, which publishes teaching materials in China.
The CTI website states they are “an independent legal entity that specializes in Chinese language testing services.”
“We had never heard the acronym CTI until we had returned from the August trip,” Day said at the senate.
The Confucius Institute at WKU was established in April 2010, but controversies surrounding the program erupted in the halls of the senate and the Student Government Association chambers last semester regarding a contract approved by the Board of Regents in January 2015.
On Jan. 23, 2015, the board approved the design and construction of the Model Confucius Institute building.
The details of this incident can be boiled down to two separate but connected events:
The first is how Day’s flash drive was taken from her and how her intellectual property was compromised as a result. The second is how Day and Hines were really working for CTI and not Hanban/Confucius Institute during their training work.
THE FLASH DRIVE
On Aug. 6, 2015, Terrill Martin, the managing director of the Confucius Institute, sent an email to Sam Evans, the dean of the College of Education and Behavioral Science, and carbon copied Wei-Ping Pan, assistant to WKU’s president, and Betty Yu, associate director of educational outreach of the Confucius Institute, according to documents obtained by the Herald.
The email from Martin to Evans, Pan and Yu contained electronic communication Day had sent to Pan at 4:17 a.m. that same day.
In the email, Day stated her flash drive was taken out of her classroom by one of the Hanban personnel. Day said this person claimed Day had given her permission, but Day said that was not the case. She said when the drive was returned to her, it was loaded with files that were corrupt.
“I feel that my files were taken without my permission and on top of this my intellectual property is now compromised,” Day said in the email. “The Hanban official asked me to give her my flash drive again, so she could remove the corrupted files but I refused. I will take it to Paul Mooney when I return to campus.”
Mooney is the compliance manager for WKU. The Herald reached out to Mooney multiple times, but he said he could not comment. Day and Mooney remained in contact with one another over the next several months.
Day also sent an email to Mooney on Aug. 6 recounting what had happened, telling him she had just “had an incident with my files in China.”
Day informed Mooney she was still in China and would be returning in the next week. Mooney responded to Day with advice on what she should do next.
“Try to keep this on the Down Low, and delete these emails to me. I will let you know that if you put up any more of a fuss while there you will be questioned more,” Mooney wrote to Day in a response late that evening. “Try to keep the flash drive on you but do not fight for it. If your equipment is corrupt you can get it cleaned I promise. Just be careful.”
Martin drafted a memorandum to Ransdell on Aug. 14, 2015, that was also sent to Pan, Evans, Yu, Mooney and Deborah Wilkins, general counsel for the university. The memorandum covers various aspects of planning that went into the trip, events that transpired, Day and Hines’ budget for their training, two appendices and a letter from CTI.
Ransdell emailed Martin on Aug. 17, 2015, outlining four main questions he had at that point. He asked what the CTI acronym stood for, what CTI’s relationship was with Hanban, if any Hanban employees were present, and if the incident appeared to be “a matter between CTI and our two faculty.”
In his response to the email later that day, Martin said there were no Hanban employees on-site at any time, and only CTI members and personnel with North China Electric Power University, where the training was taking place, were present.
Appendix B, titled “Flash Drive Situation,” of Martin’s memorandum is told from the perspective of NCEPU’s IT coordinator, according to Martin. No name or gender preference is obvious from the coordinator’s statement.
The statement is dated Aug. 8, 2015, at 7:45 a.m. The IT coordinator begins by stating that he or she encountered Day in a classroom while she was attempting to use her flash drive to open a document on a computer. Day was unable to open the document.
The IT coordinator stated that he or she installed a more updated version of Microsoft PowerPoint on the computer in hopes that Day would then be able to open her files. Day wanted the IT coordinator to try a second flash drive she possessed since the first was not working. Day then consented to the IT coordinator’s trying to use her other flash drive, according to the coordinator’s statement.
“I took the flash drive she handed me and tried on the computer, but it was not working and the 360 virus killer indicated that the flash drive has been infected by a virus, so it cannot be opened,” the IT coordinator stated.
The statement continues that Chunqing Wu, who is an NCEPU employee according to Martin, then entered the classroom with a computer faculty member who immediately checked the flash drive and decided to try it on another computer.
According to the statement, Day, when asked if the personnel could try the drive on a computer in another room instead of Day’s trying it on her laptop, said, “It’s ok.” At that point, the IT coordinator, Wu and faculty member left with her flash drive.
The computer faculty member, according to the IT coordinator’s statement, discovered a virus on the flash drive that could “convert all the documents into a ‘.exe file’,” had changed all the opening routes of documents in the flash drive, and had “conducted some new files that were actually fake.”
The IT coordinator told the computer faculty member not to kill the virus at that point since the coordinator was not sure if killing the virus would affect Day’s documents. The faculty member and Wu then opted to copy all the flash drive’s files to the computer’s desktop before attempting to kill the virus in the flash drive.
After the computer faculty member had killed the virus, he checked the flash drive and said its documents “were not infected or deleted,” according to the IT coordinator’s statement. In other words, all the original files were there, and the virus was successfully killed, but fake files remained.
The coordinator stated that he or she then required the faculty member to “delete all the files on the desktop copied from the flash drive for good.”
Day said this statement from CTI holds no merit and is false. She said her flash drive was taken out of the room while she was distracted, and when it was returned, it contained malware. She also said her flash drive still contains the malware.
“I knew better than to let it out of my sight,” she said.
Martin said he believes there was a virus on Day’s flash drive, but he’s unable to attest that the drive went missing.
“All I can say is I’m out of it, and they got NCEPU’s side, they got CTI’s side, and we have Day’s side,” Martin said. “The truth lies somewhere in the middle.”
Martin does not believe there was malice on either side and said this was just a misunderstanding.
He also said CTI only conducted and organized the teacher training. It was an NCEPU IT employee who was actually involved with the flash drive, Martin said; CTI never took the flash drive.
“It was NCEPU saying, ‘Oh, you have a virus on it. Let me take it back to the office. Let me see if I can clean it off,’” he said.
On Aug. 14, 2015, Ransdell requested a meeting with Day, Hines, Mooney and Wilkins on Aug. 17. In the email, he expressed interest in hearing the full story of the incident.
“I am certain there is more to learn,” Ransdell said in the email. “I have been told that Paul Mooney has taken the initial step of turning the flash drive over to the FBI. I need to know what role that University [NCEPU] had in your trip and your endeavors while in China.”
Ransdell said in his email that the only other person with whom he had discussed the incident was Faculty Regent Barbara Burch.
In an interview with the Herald, Burch said she had met with Ransdell to discuss the issue. She said Day and Hines came to her since she was faculty regent and a fellow colleague to share their concerns.
“They came to me because they felt they had been inappropriately treated as a result of the situation that occurred in China,” Burch said.
Burch said neither of them asked her to inform Ransdell, but she decided that if he didn’t know, he needed to.
Day said the meeting served as a space to report what had happened with her intellectual property, difficulties she and Hines had with the WKU Confucius Institute, the misrepresentation of the trips and other concerns.
On Sept. 4, 2015, Mooney informed Day, Hines, Wilkins and others via email that he had heard back from the FBI, who had proposed a meeting time on Sept. 11, 2015.
This meeting was attended by Kate Hudepohl, senate chairwoman, Wilkins, Mooney, FBI agents and Dan Rudloff, principal attorney at Rudloff & Rudloff Attorneys at Law, who served as Day’s attorney.
“Special Agent Aaron Graves described he will have a Cyber Agent available to describe the findings of the flash drive, and receive any further information if available,” Mooney said in the email, referring to Special Agent William Aaron Graves.
Day said after the meeting, the FBI agents took the compromised flash drive back with them for testing. The agents had the flash drive in their possession for about one month.
Graves, an agent from the FBI’s Louisville office, emailed Mooney on Sept. 23, 2015, and said the FBI would be contacting Day later to schedule a time to deliver the flash drive. Graves carbon copied Agent Wayne Johnson onto the email.
Mooney informed Day and Hines that the agents were having difficulty returning to WKU, and the FBI had agreed to send the agents’ written report that was used in their last meeting. He said the agents were planning to return the flash drive to Day. Day said ultimately Mooney returned it to her.
The Herald reached out to Graves and Johnson for comment. Graves did not respond, but Johnson referred the Herald to Dave Habich, chief division counsel.
The Herald reached out to Habich, but he said he could not provide further comment “Per Department of Justice policy.”
The Herald submitted an open records request through the FBI for the official report, but as of publication, the full report has yet to be obtained.
However, an open records request filed through the university procured documentation of a copy of the report Mooney sent to Day.
According to the copy of the FBI report, malware was found on the flash drive based on a cursory search of the drive. The report stated that it was possible the malware is related to “Backdoor:Win32/Bifrose.IZ” as defined by Microsoft.
The executable files had a modify timestamp of June 28, 2012, and an access timestamp of Aug. 5, 2015, according to the report.
“Had one of the executable files been clicked on by a user, the malware would have executed immediately and gained persistence on the user’s computer … it’s then possible that an unknown person could have pulled data, including sensitive data, from the user’s computer without their knowledge,” the report stated.
Backdoor:Win32/Bifrose.IZ is a Trojan that allows unauthorized access and control of an affected computer, according to the Microsoft Malware Protection Center.
The Trojan allows attackers to perform a number of different actions including but not limited to downloading and executing arbitrary files, deleting files, or spreading to other computers using various methods.
“The FBI officials in the report told me that this flash drive puts dummy files that look like your personal files on your flash drive, and when the flash drive is accessed on the network computer, it infiltrates the network and accesses that information as well,” Day said at the senate.
Day said Mooney assembled a team that was able to extract some of the files from her flash drive, which were then placed on her shared drive at WKU.
Brent Haselhoff, manager of enterprise security and identity management at WKU, said because every computer on the internet is technically connected to every other computer on the internet, it was possible for one computer on the university’s network to infect another computer.
“Yes, it’s certainly possible for one computer to affect another computer,” he said.
CHINESE TESTING INTERNATIONAL
Once you get through the details of malware, compromised intellectual property and FBI involvement, you still have another level to go through: Day and Hines were told the Hanban/Confucius Institute would be hosting the teacher training when in fact they were not.
In a joint email statement to the Herald, Day and Hines said they did not discover they were working for Chinese Testing International while they were in China but were informed of this once they met with Ransdell.
“At this meeting, Dr. Ransdell provided us with copies of a statement prepared by Mr. Terrill Martin, WKU Confucius Institute, that stated repeatedly we were working for CTI in China … During the negotiations for this trip, Dr. Hines asked Mr. Martin and Dr. Pan specifically if was a WKU Confucius Institute initiative and was told ‘yes,’” the statement reads.
Day said all documents, emails and correspondence sent to her and Hines by the WKU Confucius Institute stated that they were conducting training for Hanban. Day said she and Hines went through all the correspondence the two received and never found a reference to CTI.
“I have an entire plastic box file full of every email correspondence that was among Pan, Martin, myself, Dr. Hines, Dr. Dietrich, Dr. Evans — and [in] not one place prior to Martin writing the letter to President Ransdell is CTI mentioned,” Day said. “Not one place.”
Day’s claim is supported by an email Martin sent to Day and Hines and carbon copied to Pan, Yu, Evans and Sylvia Dietrich, the director of the School of Teacher Education, on June 24, 2015.
In the email, Martin told Day and Hines WKU had been selected to teach Hanban teachers due to training both had completed previously.
“While this is the first year being asked to do Hanban Teacher Training (for teachers not coming to WKU), but I envision this being an ongoing partnership with Hanban and WKU,” the email states.
However, Martin’s Aug. 14 memorandum states that CTI contacted Pan to inquire about having Day and Hines come back to China to host a training event in August. But, Martin said, prior to the incident he and Pan didn’t know about CTI.
“All of the materials we got were Hanban teacher training,” he said. “The budget went back and forth between us and Hanban.”
Pan said he was approached by Hanban and North China Electric Power University in the summer of 2015 to host the August training event. He said Day and Hines were chosen for the trip because “Hanban and NCEPU officials sat in on their training sessions in May 2015 and were impressed with their teaching styles and methods.”
Martin said from Hanban’s perspective, it’s likely they thought nothing of having another entity affiliated with them perform the training and that it might not have been a big deal on their part.
“They [CTI] handle all the teaching for Hanban, but we did not know that,” Martin said.
An Aug. 6, 2015, letter from CTI is also included with Martin’s memorandum. In the letter, it’s stated that CTI held a meeting before the training began to “reiterate the importance of privacy and copyright of foreign professors.”
“CTI is deeply sorry about the whole business. Meanwhile, we sincerely hope you could understand the misunderstanding caused by the difference of language and culture,” the letter states.
Pan’s response to CTI’s explanation was, “I wasn’t there, do not know what conversations where [sic], and have no perspective on the intentions of the others in attendance.”
Martin was also hesitant to expound on CTI’s explanation, saying that he wasn’t there himself and could not speak to it.
In an interview, Ransdell said the training event was a CTI matter that included engagement by the Confucius Institute.
As for the cultural misunderstanding, he also didn’t wish to speak for CTI but remained skeptical of their assertion nonetheless.
“I don’t know how much of a misunderstanding it was,” Ransdell said. “A flash drive left the possession of its owner and came back compromised, so I wouldn’t call that a misunderstanding, but I’ve not had any communication with CTI.”
Day said had she and Hines known how CTI was affiliated with Hanban and how CTI instead of Hanban was leading the training, the information would have changed their decision to go drastically.
BACK TO UNIVERSITY SENATE
Returning to the University Senate’s Nov. 19 meeting, two reports were being discussed. The Academic Quality Committee and Faculty Welfare and Professional Responsibilities Committee presented reports to the senate regarding the August trip.
“The SEC [Senate Executive Committee] decided to make very specific motions … for academic quality to focus on intellectual property issues associated with this trip, and not just in terms of Confucius Institute but more broadly. The charge for faculty welfare was to ensure that university policies and procedures are followed accurately and that people have good information in advance of trips,” Hudepohl said at the meeting.
The Academic Quality Committee was charged by the SEC to examine the policies and procedures “concerning disclosures of information on security of intellectual property issues stemming from international travel or study abroad by university personnel and students.”
The committee examined WKU policies related to international travel, intellectual property and data security. It was determined that the primary mode in which this information was disseminated to travelers was through Study Abroad and Global Learning and its related resources.
The committee agreed, however, that the manner in which this information is sent could be improved upon. These improvements included consolidating travel security information, WKU’s maintaining a destination-specific record of security incidents involving travelers, making information accessible to potential travelers prior to the commitment of travel, and endorsing Mooney’s idea of his putting together a workshop for faculty on data security.
On March 31, Mooney held an information session for faculty, staff and students to help “assure your personal safety and the security of your property while you are in another country,” according to an email from Provost David Lee.
The Staff Council meeting minutes for March 2 also mention that Mooney is planning to organize a meeting to provide information about securing intellectual data and private information while going overseas.
The Faculty Welfare and Professional Responsibilities Committee stated that it met with Day and Hines, who presented their concerns stemming from the August trip. The report stated that the committee has concerns about intellectual property but that this aspect was better handled by the Academic Quality Committee.
It too identified several issues and concerns that members agreed needed to be addressed by WKU.
At the meeting, Day said she had a formal grievance in process. A grievance, as defined by the Faculty Handbook, is to “provide an individual faculty member with a procedure for presenting a grievance without fear of reprisal” and have it considered in an “unbiased and orderly process.”
Processes for formal grievances typically follow this path: the grievance goes to the department head, and if the head cannot resolve it, the faculty member can request that it go to the respective college dean; if the dean cannot resolve it, the faculty member can then request further review by the provost.
While grievances typically go through the Division of Academic Affairs, any grievance filed against an administrator within the Confucius Institute would be taken to Ransdell since the Confucius Institute reports directly to him.
Ransdell said he ultimately has the final say in any grievance as he is the president, but because the Confucius Institute reports to him directly, this process is short-circuited.
“Hanban wants the presidents of institutions to be engaged and wants the [Confucius Institutes] to be an extension of the president’s office,” he said. “That’s unusual — probably not particularly characteristic of most university structures, but you go with the flow of it.”
When all is said and done, neither Ransdell, Pan nor Martin believes this incident damages the university’s relationship with the Confucius Institute.
Martin said it’s important to keep things in perspective; 300 individuals have gone to China through WKU, and this has been the first significant issue to come up. Pan echoed the same sentiments almost verbatim but at a different time.
Ransdell said this incident could have happened anywhere — France, Spain, Germany or Ecuador — and rattled off a few countries.
“I hate that this happened to two distinguished members of our faculty, but I don’t see it having any bearing on our WKU Confucius Institute,” he said.
The Model Confucius Institute facility located on Normal Street is slated for completion this summer.