Rethinking Research Security

By Ainikki Riikonen, Emily Weinstein
Thursday, June 24, 2021, 8:01 AM

The January 2021 arrest of Massachusetts Institute of Technology (MIT) professor Dr. Gang Chen reignited a heated debate about research security: How can or should the United States protect the gains of innovation without damaging the very research base it wants to protect? The U.S. government has rightfully identified the People’s Republic of China (PRC) as an adversary intent on stealing technology for its national interests, and the Department of Justice established the China Initiative as a countermeasure. But the China Initiative misses the mark on an effective approach to research security. It is out of alignment with evolving research security initiatives in the rest of the federal government. It alienates the research community at best and, at worst, puts those within it of Chinese and other Asian ethnicities in an atmosphere of undue suspicion inflamed by presumptive narratives about “loyalty to China.” In its current form, research security under the China Initiative may damage America’s ability to innovate and continue defining the cutting edge of technological research in the long term.

At a moment when the Biden administration is assessing and recalibrating China-related initiatives for protecting U.S. economic and national security, the department should restructure research security as a separate effort from the China Initiative and adopt a country-neutral approach better-aligned with other U.S. government initiatives. The Justice Department and U.S. government sponsors of research funding should also offer a period of amnesty for research institutions and personnel to adapt to anticipated updates to disclosure requirements.

 As part of these efforts, the department should establish a dedicated research security initiative distinct from the China Initiative, and the Federal Bureau of Investigation (FBI) should reestablish its National Security Higher Education Advisory Board (NSHEAB) as part of these efforts. The FBI had established the NSHEAB in 2005 to “foster outreach and promote understanding” between itself and research institutions on both counterintelligence matters and the open culture of research institutions. The NSHEAB’s membership included senior leaders from U.S. universities such as university presidents and chancellors. A report from Georgetown University’s Center for Security and Emerging Technology (CSET) argues that, because government officials are not typically involved in research, they often lack the expertise and situational awareness needed to protect important research and engage effectively with the research community. A new NSHEAB would bridge this gap and capitalize on a rare point of consensus: in 2018, Republicans, Democrats and higher education associations had all expressed concern about its then-recent dissolution.

Officially, the charges against Chen are for wire fraud, failure to report a foreign bank account and making a false statement in a tax return. These allegations are serious and should be dealt with accordingly. However, department representatives and researchers diverge wildly in their understanding of Chen’s work activities as described by the complaint. Andrew Lelling, a U.S. attorney at the time, claimed that they offer evidence of “Chen’s desire to promote the PRC’s scientific and economic development.” By contrast, 170 of Chen’s colleagues contend that the complaint “represents a deep misunderstanding of how research is conducted or funded” and “vilifies what would be considered normal academic and research activities.” 

Beyond matters of interpretation, MIT President Rafael Reif published a subtle but important correction to an allegation that Chen received millions in foreign funding: MIT received the funding, not Chen himself. The Justice Department and university researchers have a clear disconnect in expectations of normal activities, and the department and the FBI should ensure they dedicate resources to understanding the research community, its practices and the context in which those practices happen. Doing so would equip law enforcement with tools to make more nuanced and accurate assessments so they can increase public trust in their ability to evenhandedly prosecute research-related cases and work with, rather than against, research institutions.

To further address the disconnect between academia and the department, some experts have also insisted on establishing a research security oversight entity beyond the scope of law enforcement. For instance, CSET’s Melissa Flagg and Zachary Arnold proposed a new, public-private research security clearinghouse designed to bring together leadership from academia, business, philanthropy and government that would provide researchers with open source information, security-related education, decision support resources and a non-punitive interface with federal partners when necessary. An institution such as this could act as a critical bridge between law enforcement and the U.S. research community.

The department should put country-neutral practices, aligned with recommendations from the Joint Committee on Research Environments (JCORE), at the center of its initiatives for research security instead of zeroing in on the PRC. JCORE, an interagency and intersector forum in the White House Office of Science and Technology Policy, facilitated dialogue between research community stakeholders to identify the administrative capabilities already present at many research institutions. JCORE released its recommendations in the final days of the Trump administration which notably do not call out any country by name. Instead, the recommendations focus largely on administrative processes at research institutions, such as disclosures for foreign funding, affiliations with talent programs and other potential conflicts of interest. Emphasis on proliferating existing practices functionally leans into the strengths of universities. It also acknowledges the critical role of universities themselves in protecting research security, as they are the front line of the enforcement ecosystem. Some agency officials have even expressed that universities carry responsibility for addressing conflicts of interest, since universities receive the grants, not individual researchers themselves. Proliferation of best practices, already present at many universities and addressed in JCORE’s interagency meetings, may establish a functional baseline for research security. Rather than fight the research ecosystem, the department should treat these country-neutral practices as the baseline upon which it can build and collaborate.

The Justice Department and U.S. agency grantors of research funding should also offer an amnesty period for researchers to fulfill disclosure requirements, as federal agencies adjust their requirements and universities update their policies in turn. These anticipated but overdue adjustments include clarification and alignment of academic security policies across agencies, as mandated by the National Defense Authorization Act of Fiscal Year 2021 and the Trump administration’s National Security Presidential Memorandum-33. For instance, the aforementioned National Security Presidential Memorandum-33 recommends improving agency coordination with law enforcement and university program offices and security officers, as well as the private sector, to “identify and investigate potential violations of agency disclosure requirements.” Currently, research institutions carry a high administrative burden to comply with a hodgepodge of agency requirements, according to a Government Accountability Office (GAO) report. Grantors each have different requirements and may even lack consistent agency-wide policies internally, such as in the Department of Defense and the Department of Energy. GAO notes that university administrators may expend resources to understand what an agency’s requirements are—such as the threshold of “significant financial interests”—only to receive inconsistent guidance or find that they are not publicly available. The anticipated clarification and unification of reporting requirements from U.S. government agencies will simplify compliance for universities and their staff and also pose a rare government-wide opportunity to reset the relationship with the research community. Amnesty from grantors of funding and from law enforcement—both of which play a role, albeit a variable one, in enforcement—would give institutions time to adjust and also build trust. However, as noted by William Hannas and Didi Kirsten Tatlow, this clemency-based approach must be met with sincerity; backsliding or multiple offenses should be fairly prosecuted, and those who deliberately break regulations or laws should be penalized accordingly.

Various parts of the U.S. government are already moving in this direction. The recently-passed Innovation and Competition Act of 2021 includes new language to streamline and clarify many aspects of the research security ecosystem that need updates. Some sections of the new legislation are entirely focused on improving research security both within and outside U.S. government entities. It lays out new policies aimed at prohibiting participation in state-sponsored foreign talent programs that may “unethically or illegally” transfer U.S. knowledge to adversary countries. Notably, it does not name a specific country or talent program, but instead refers to the issue writ-large. 

It includes stipulations to authorize a new Research Security and Policy Office within the National Science Foundation’s (NSF) Office of the Director. This new office will be tasked with setting up an information sharing and analysis organization to promote and facilitate the exchange of information on research security risks and best-practices. This new office, referred to as a Research Security and Integrity Information Sharing Analysis Organization (RSI-ISAO), is designed to serve as a “clearinghouse for information” to provide education and assistance to members and other entities in the research community to increase awareness of the “context of their research” and identify “improper or illegal efforts” by foreign entities to obtain knowledge, materials, intellectual property or other research results. Within this, the RSI-ISAO is in charge of conducting educational outreach in the forms of timely reports, training and support (such as webinars), among other responsibilities.

Section 4493 of the newly-passed act calls for the establishment of a Federal Research Security Council within the Office of Management and Budget. This new agency will be responsible for developing federally-funded research and development grant-making policy and management guidelines. The council will include expertise from across the U.S. government, including a lead science officer designated by the director of the Office of Science and Technology Policy, and a lead security officer selected by a senior-level official from the National Counterintelligence and Security Center. This combination of security and scientific knowledge has the potential to bridge the gap between the scientific and law enforcement communities. 

Research security is not a country-specific issue, nor will it simply disappear overnight. The U.S. government, including the Department of Justice, should be working to create guidelines and regulations that can stand the test of time and be applied across a variety of situations, interactions and partners. Creating research security policy based on the actions of one specific nation or adversary will only pigeon-hole U.S. policy and create new avenues for other adversaries to work around. This is not to say that first attempts will be perfect. However, the U.S. government should continue on the trajectory laid out by the new Innovation and Competition Act, the JCORE and other initiatives. U.S. policymakers can and must create more effective research security protocols that protect innovation without alienating the research base.