5

University and National Lab Responses on Research Security

Chaouki Abdallah (Georgia Institute of Technology) moderated a session that considered the evolution of university and national laboratory responses to research security threats and strategies. The National Science, Technology, and Security Roundtable (NSTSR) sought to understand whether the threat to our research system is qualitatively different from previous threats, or simply larger in size. The conclusion was that the problem is qualitatively different because adversaries have greater resources than in the past. Abdallah called for a “neighborhood watch” approach, where research security is the responsibility of all those working at a university. The security of the United States’ science and technology (S&T) system is only as strong as our weakest link; some less-resourced institutions cannot afford to address the challenge of research security, and some international partners and small- and medium-sized companies are not even aware of the issue.

Peter Fisher (Massachusetts Institute of Technology [MIT]) said that he became familiar with research security when the National Science Foundation (NSF) asked JASON, a group of professors that advises the government on matters that are typically classified, to undertake a report on research security in 2019.¹ The report identified research security stakeholders in the research enterprise, which included principal investigators

___________________

¹ JASON. 2019. Fundamental Research Security. https://www.nsf.gov/news/special_reports/jasonsecurity/JSR-19-2IFundamentalResearchSecurity_12062019FINAL.pdf.

(PIs), research leaders, research institutions, professional societies, federal funding agencies, political leadership, and the general public. PIs are key because they set norms for their research groups and how research groups communicate. PIs also recruit, train, and arrange for researcher compensation (including researchers from overseas). Professional societies were also identified as key stakeholders because they provide guidance to PIs based on norms in their particular fields of research.

The authors of the JASON report attempted to create a list of the norms that govern research. However, it was difficult because different S&T fields have different cultures, histories, and perspectives on sharing data and ideas. The report instead identified a set of tools for researchers for assessing engagements in fundamental research. The assessment tools included the questions: Are the terms of the engagement made clear in writing? Have all participants been identified? Are all the participants’ conflicts of interest and commitment documented? Is there any aspect of the engagement that seems unusual, unnecessary, or poorly specified?

John Sarrao (SLAC National Accelerator Laboratory), drawing upon his experiences at national laboratories, said that the U.S. research enterprise cannot be effective without international engagement. If we chose not to engage internationally, then we would have nothing worth stealing. However, it is true that real risks exist when others do not share our values. A grand challenge and key priority is to strike an appropriate and dynamic balance between international engagement and research security. Sarrao suggested that we are doing a better job on research security today than we were a couple of years ago and that the NSTSR has played an important role. If we can achieve the right balance, it will do a lot to mitigate the “chill” in international engagements that has been evidenced.

In addition to seeking compliance, Sarrao said, the U.S. government must also provide education and awareness regarding research security. Articulating to researchers that the United States’ objective is to ensure that researchers’ work is protected (and that they get appropriate credit for it) is

a powerful lever. We should think about international colleagues as targets of activities carried out by the adversarial governments designed to interfere with the U.S. research system, rather than as threats. Talent is critical to national labs, but the broader research ecosystem is also important because national labs, which are not degree-granting institutions, rely on universities to train talent.

Sarrao said that it is important to focus on protecting the future rather than relitigating the past. Signals about international collaboration from institutional leaders and the government 5 to 10 years ago were very different from today. It is useful to think about research security culture as we think about lab safety culture. Ideally, concerns and issues could be brought forward without fear of reprisal, and there would also be confidence that labs and institutions foster a system of fairness and accountability.

Sarrao said that we must share best practices but recognize that one single approach does not work for all circumstances. Having policies in common across federal agencies for disclosures by those seeking a federal grant are an important starting point. Once commonalities are identified, agencies can tailor disclosure requirements. Every restriction or protection measure comes with an opportunity cost.

It is important to celebrate and communicate the good work we are doing at national labs, Sarrao said, but also to acknowledge that we have much more work to do. He foresees the development of an approach to assess international collaborations in the Department of Energy (DOE) that will bring consistency, transparency, and objectivity by examining the “who,” or the affiliation history and role within DOE; the “what,” or the scope of the work; and the “where,” or acknowledging variability in site access restrictions across laboratories.

Joe Elabd (Texas A&M University System) shared his experiences with research security at the Texas A&M University System. Composed of 11 universities and 8 state agencies, the A&M System is one of the largest in the country, with an enrollment of 157,000 students. It has an annual research portfolio of over $1.5 billion, and it includes a large R1 university, four R2 universities,² and a historically Black university.

___________________

² R1 universities are defined as Ph.D.-granting universities with very high research activity, and R2 universities are defined as Ph.D.-granting universities with high research activity, according to the Carnegie Classification of Institutions of Higher Education. See https://carnegieclassifications.acenet.edu/carnegie-classification/classification-methodology/basic-classification/#:~:text=R1%3A%20Doctoral%20Universities%20%E2%80%93%20Very%20high,%2FPU%3A%20Doctoral%2FProfessional%20Universities.

The A&M System has a robust and well-staffed research security program, and smaller universities within the system can make use of systemwide resources. In 2021, A&M performed a systemwide review of international agreements with countries of concern. This review included close to 100 research agreements, academic collaborative agreements, memoranda of understanding, and letters of intent. In-depth risk analyses were performed on each agreement and, as a result, a majority were terminated and the remainder were identified for mitigating measures. A&M found that a significant number of zero-dollar agreements (e.g., foreign exchange programs) were being signed off on by individuals who did not realize that there were risks associated with signing the agreement.

In 2022, A&M instituted a program called High Risk Global Engagements and High Risk International Collaborations, where all foreign engagements are proactively assessed, including travel and co-authorships. Proposed international engagements must be submitted for review to the university’s export control officer. Legal, foreign influence, institutional, and reputational risks, among other risks, are evaluated. Reviewers include Elabd as A&M vice chancellor for research and the general counsel. Outcomes of the review include approval, approval with mitigating measures, or denial. About 20 international engagements are reviewed each week. This process has shown the importance of communication and the need for education of faculty researchers, leadership, and the broader community about research security concerns.

DISCUSSION

During discussion, consistency of decision-making across academic institutions on international engagement was raised and panelists expressed the viewpoint that different institutions have different risk profiles. Maria Zuber (MIT) said that risk management policies and procedures should be consistent within an institution, but that safeguards in place for research at universities that perform classified research should be increased compared with those at universities that do not perform classified research. Sarrao said that it should be acceptable for different institutions with differing risk profiles to arrive at different risk management decisions, so long as decisions are transparent.

Elabd shared that China, Russia, North Korea, and Iran were subject to intense scrutiny at A&M, but that, while country provides a starting point for analysis, specific foreign entities must also be considered. Fisher said

that faculty members are encouraged to take risks, but that it is important from a scientific and international engagement perspective to have the resources that enable investigators to understand risk. He said that it is challenging when a researcher does something without understanding the risk they are taking. Additional discussion focused on the challenges universities face ensuring that faculty have risk management resources for their decision-making in potential private-sector pursuits.

This page intentionally left blank.