UC faculty push back against systemwide cybersecurity mandate
6 days ago
- Over 1,540 UC system faculty and staff, including 171 from UC Berkeley, petitioned to delay the mandated installation of Trellix cybersecurity software.
- UC President Michael Drake mandated Trellix installation in February 2024, with non-compliance penalties including a 15% cyber insurance premium increase and potential $500,000 costs for security incidents.
- Faculty associations raised concerns about Trellix granting unrestricted administrative access, enabling invasive monitoring without user consent, and risking warrantless government access to academic materials.
- Trellix is part of the Joint Cyber Defense Collaborative, raising fears of data sharing with the U.S. government.
- Trellix claims it will only disclose user information if legally required and will notify customers beforehand.
- UC Berkeley stated that external parties must submit legally valid requests to access device data and clarified that Trellix stores only 10 minutes of system activity data locally.
- Faculty expressed concerns about Trellix becoming a 'single point of failure' in cybersecurity breaches and potential spying risks.
- Trellix (formerly FireEye) was hacked by Russian intelligence in 2020, in what was described as one of the most sophisticated cyberattacks on the U.S. government and private sector.
- Implementation of Trellix varies across UC campuses, with UC Irvine requiring it for devices accessing Canvas, while UC Berkeley currently mandates it only for campus-owned devices.
- A UC Berkeley database breach in July 2025 led to student and staff data being sold on the dark web for $800.
- Critics argue that the UC Office of the President (UCOP) lacks private sector experience and is overly risk-averse, driving the Trellix mandate.