Introduction
When I think of spring, I think of warmer weather, and planning Spring Break Trips. In my case, these trips usually include amusement parks. My favorite rides have always been rollercoasters which of course come in many different configurations. However, there is one thing that defines them all–they all must end at some point, and preferably before you get sick!
Academia is in the middle of a rollercoaster ride of its own which involves the complicated subject of foreign influence risk. Except, this ride does not seem to have an end to it, at least not yet. So, before everyone gets sick, let me offer some virtual medication by going over the history, some of the latest developments in the area of federal guidance, and a picture of what to expect from the federal government.
What has happened?
Unless you have been living off the grid for the last few years, you have seen a steady stream of security actions our government has taken to protect U.S. assets from foreign government interference. This comes as the U.S. has finally realized that countries have been exploiting our legal, financial, and research enterprises to the point that they were catching up or exceeding the U.S. in many STEM fields. So how could this happen? Where were the U.S. security agencies? Before you start throwing your popcorn across the room, understand that the world of spy craft has been going on for decades, and has included both the commercial and academic sectors. Yes, that’s right…it includes the academic sector too. Don’t believe me? Read the 2017 book Spy Schools by Daniel Golden. It’s compelling.
As the world advanced technologically, Cold War spy tactics were partially replaced by cyber and non-traditional methods. Other countries could now collect information through non-traditional means like students and visiting scholars, and use cyber networks to illicitly access proprietary and confidential data, and a lot of it–health records, military secrets, phone records, you name it. Notable past commercial data breaches include Adobe (2013), Equifax (2017), Marriott International (2014-2018), and Canva (2019). And let’s not forget the federal data breaches which include the U.S. Department of Veterans Affairs (2006), the National Archives and Records Administration (2009), the U.S. Voter Database (2015), and the U.S. Department of Personnel Management (2015). In addition to data breaches, there were also widespread cases of proprietary IP theft, usually involving the commercial sector. Huawei should be the first company to come to mind if you have been keeping up. As our adversaries ramped up their attacks, our lawmakers, often in a bipartisan way, passed legislation aimed at both the commercial and university sectors to combat foreign influence. In fact, they have been passing, and passing, and passing legislation faster than quarterbacks on a Sunday afternoon. So what exactly has passed related to universities, and what’s the message for those of us in the game?
What can we expect?
The federal message directed at academics has been pretty clear–your environment has been exploited by foreign governments and their citizens, and something needs to be done about it! O.K., so how has it been exploited? What data can you provide? What should universities do about it? A series of federal agency notices, bulletins, congressional hearings, congressional reports, and Department of Justice prosecutions under the China Initiative provide partial answers to these questions. Additionally, we also have direct federal agency inquiries sent to universities based on anomalies they uncovered in public records searches. However, in order to understand how schools should be responding to all of this now, we need to start by looking at three recent federal publications: Section 223 of the FY2021 National Defense Authorization Act, National Security Presidential Memo – 33, and the JCORE Research Security Recommendations.
Section 223 of the FY2021 NDAA requires federal agencies to include as part of research and development proposals the disclosure of all current and pending other support for senior and key personnel. Most federal agencies already have this as part of their processes covering proposals, JIT requests, and progress reports, but now it’s mandatory and the scope is broader than just research projects that run through the submitting institution.
The NSPM-33 memo is directed at federal agencies and provides them with national security policy positions on various items. There are some clear directives aimed at federal agencies which all have to be addressed within 12 months.
The JCORE Research Security Recommendations are directed at universities and provide 21 research recommendations to consider. Many of the recommendations stem from Section 223 of the FY2021 NDAA and the NSPM-33 memo.
Despite the minor discrepancies that appear among these three documents, there are some common themes that cannot be ignored, and should be on a school’s short list to address now:
-
- Conflict of Interest and Commitment Policies and Procedures: As part of key/senior personnel current and pending other support, institutions will now be required to include outside activities like consulting if those activities include research. NIH is the first federal agency to announce these new requirements through NIH guide notices NOT-OD-21-073 and NOT-OD-21-110. Schools have until January of 2022 to get their systems and processes ready. Due to the expanded scope for other support, schools are facing some difficult legal and processing challenges, especially those schools that do not have robust policies or systems addressing COI/COC and outside employment. If your school has not started talking about this yet, it needs to, and quickly.
- Foreign Talent Recruitment Programs: Along with Confucius Institutes, lawmakers have focused on Foreign Talent Recruitment Programs as vehicles through which other countries obtain American tax-payer funded research and expertise in a non-reciprocal way. Faculty participation in these programs, while not illegal, can lead to conflicts of interest and commitment that are difficult if not potentially impossible to manage, if federal funding is involved. My prediction here is to expect even more lawmaker scrutiny resulting in more restrictions aimed at these programs, especially those centered in China.
- Research Security Programs: federal agencies will at some point in the future require institutions that receive federal science and engineering support in excess of 50 million dollars to certify that they have established and operate a research security program. This is what the NSPM-33 directs federal agencies to do. So what should be included in a research security program you ask? Both the NSPM-33 memo and JCORE recommendations describe 4 main elements of a research security program: cyber security, foreign travel security, insider threat awareness and education, and export control training. Until federal agencies release more information on this topic, schools should be looking at these first 4 elements as a starting point.
- Training: I’m going to keep this one generic to consolidate all the topics that institutions should now consider creating or enhancing. And yes, CITI Program provides courses for each: COI/COC, Export Controls, Responsible Conduct of Research, and Undue Foreign Influence: Risks and Mitigation. If you had to pick one to start with, it would be COI/COC, but with an eye toward the new NIH requirements, and how they figure into foreign influence risk and mitigation.
Of course, there are other important topics mentioned in these documents that I would invite you peruse on your own. In addition, lawmakers are also considering additional security measures related to review and approval of foreign contracts and gifts (HEA Section 117 reporting), immigration, and export controls. But this is all part of that rollercoaster ride I’m talking about. Keep holding on tight for now and stay in touch with your government affairs professionals and higher education associations. When this ends is anyone’s guess.