Trusted allies can share information on threats and how to manage them, says Ben Moore
The UK has seen a step-change in how universities assess and manage security threats since 2019. Engagement between the sector, government and the security agencies has ramped up significantly, in recognition of the fact that the higher education sector has a crucial role to play in building the UK’s national security and resilience.
To control the risks associated with international collaborations, universities need to work with a range of international partners. This is why in March the Russell Group joined colleagues from Universities UK and the UK government for a series of meetings with US agencies, the US State Department, national research funders and others, in Texas and Washington, DC. These discussions showed that politicians, regulators and law enforcement agencies in the US are grappling with similar challenges to those faced here.
So what lessons can we take from our talks? The first is that, while legislation will always be part of national security, threats to research cannot be legislated or prosecuted away. The US is shifting from a prosecution-led approach to working more collaboratively with the sector.
Legislation and blacklists targeting specific organisations or technology areas can be out of date before the ink dries. Adversaries rebrand projects, and new research areas become problematic as we learn more about their security implications.
The UK is ahead of the curve here, with the Research Collaboration Advice Team working to build the ongoing dialogue required to respond to emerging threats. The RCAT is admired by international counterparts, and the government should ramp up support for the programme as academic awareness of risk grows and demand for the team’s services increases.
A legislative approach also creates the danger that new requirements will confuse academics or divert universities’ research security teams from risk assessment.
This brings us to the second lesson. Keeping pace with changing threats while maintaining a thriving open science base relies on academics being confident in managing risks. One speaker at the US meetings described this as creating a community of “guardians of science”.
Both the UK and the US have made training academics a priority in research security. Universities, funders, and government are considering how to raise awareness of risk in the academic community without discouraging international partnerships. Sector-led training, awareness campaigns and identifying academic champions to drive peer-to-peer learning were all cited as potential initiatives to drive this forward.
Learning from others
Beyond the US, there are other international initiatives to learn from. Canada’s five-year, C$125 million (£75m) Research Security Fund, for example, allows universities to build security infrastructure and offer competitive salaries for security specialists. The UK government should consider doing likewise, perhaps out of the £1 billion resilience fund announced at the recent refresh of its review of security and foreign policy.
A third lesson is that a high level of trust between academics, universities and the security agencies is necessary. So far, US law enforcement and intelligence agencies have proved more willing than their UK counterparts to trust academics and institutions with relevant classified information. Supported in some instances by same-day security vetting of researchers, this enables frank discussions that help decision-making on overseas partnerships. The UK government should consider what it can learn from the US approach. The newly established UK National Protective Security Authority should review the scope of classified information provided to universities, with a view to sharing more. Increased vetting would enable universities to nominate academic champions in this space and allow the sector to feed into groups such as the Defending Democracy taskforce set up by government last year.
A final lesson is the importance of acknowledging what we don’t know about both threats and the cost of regulation. It’s not clear how the national security regulatory and legislative framework will impact university R&D, but we need a better understanding of how the system will ensure that regulation does not undermine collaborations with low-risk partners.
Research security is not only a national responsibility; it’s a shared international responsibility. When it comes to protecting shared interests in international R&D, we are only as strong as our weakest links. Learning from other countries’ experiences is critical.
Ben Moore is policy manager at the Russell Group
This article appeared in Research Fortnight and a version also appeared in Research Europe