Introduction
The Implementation Scenario Videos are a series of short videos, based on real events that have occurred in UK academia. They have been developed by the NPSA and the NCSC, under the Trusted Research advice and guidance, as learning resources to help academics identify and mitigate research security risks.
The Implementation Scenario Videos are particularly relevant to researchers in STEM subjects, developing technologies with dual military and civilian uses, pioneering emerging technologies and working on commercially sensitive research areas.
Trusted Research digital video script Scenario 1: Authoritarian government The following content is based on real events that occurred in UK academia. Sensitive data breach involving UK-based researcher sparks international concern A postdoctoral research associate has found themselves at the centre of a high-stakes security saga. A brilliant mind in semiconductors, the research associate had recently taken up a position at a prestigious UK university, having relocated from an overseas country with an authoritarian government. While employed by the UK university, the research associate travelled back to their home country for a business trip, where it’s understood they received a message from their home government - they would not be returning to the UK. The UK university had no further contact with the postdoctoral researcher and officially they remained an employee of the university. During a routine scan of the UK university’s network two weeks after the research associate left the UK, the university’s IT team uncovered traces of remote downloads from the Engineering faculty’s server to an overseas location - the same location that the research associate had travelled to. Further investigation revealed that the downloads contained sensitive data that the postdoctoral researcher had been working on when they were in the UK and that their credentials had been used to access the network at the time of the download. It’s not yet clear whether the postdoctoral researcher was acting voluntarily, under duress or had their university network log-in credentials stolen in a malicious cyber-attack, but it has been established that they now work in direct collaboration with the military of their home country on similar research to that which they undertook in the UK. What can we learn from the research associate’s story? It’s important to consider the geopolitical climate when travelling overseas as this may heighten risks while travelling. Risk factors include state involvement in military actions, strained diplomatic relations, and the presence of autocratic or authoritarian governments. University staff should be aware that foreign legislation exists which may compel individuals to cooperate or share research data with other governments or intelligence services. It’s also worth considering extra-territorial reach of export control and national security laws. Downloading research data from a UK university to an overseas location may breach export control and/or the Data Protection Act (DPA). Breaches of export control and the DPA can result in financial penalties, reputational damage and the loss of funding. In severe cases, export control breaches can also result in imprisonment. Unauthorised interference and theft of data from a university network could constitute a criminal offence under the Computer Misuse Act. The National Security Act 2023 may also apply, for example, in the instance of sharing trade secrets. The Trusted Research for Academia guidance provides additional advice on collaborating responsibly with international partners. What could the research associate have done to mitigate the risks? The circumstances of the situation are unclear – it's not currently known whether the research associate willingly participated in the breach, was under duress or was the victim of a cyber-attack. Mitigations will vary depending on the exact circumstances but may include: Contacting their research office or professional services prior to travelling overseas to understand the risks of visiting riskier locations. Completing a pre-travel risk assessment is another useful way of doing this, and having appropriate travel insurance in place is essential. Familiarising themselves with reporting mechanisms in case help is needed when overseas. Universities may also outline, as part of their travel policy, expectations for keeping in touch when travelling overseas for work. Reviewing contractual obligations to ensure they are fully understood both during and after employment, especially around ownership and sharing of intellectual property (IP). Getting advice from the research office/professional services on export control before travelling, as accessing information overseas may constitute a breach regardless of whether the information will be shared. Seeking advice on the appropriate cyber security mitigations to put in place before travelling overseas. At a minimum, unique and complex access credentials are crucial to avoid opportunistic guessing of passwords. These should always be stored safely. Identifying foreign laws, customs and political circumstances prior to travelling. Need more information? Speak with the team at your institution responsible for research security and visit the NPSA Trusted Research website
Scenario 1 - Authoritarian government
This video raises awareness of the risks that authoritarian governments may present, both to academic institutions and to individual academics, when involved in international collaborations. Navigate to our Trusted Research for Academia Guidance for more advice on identifying and mitigating research security risks.
Other useful resources include:
- The Export Control Joint Unit’s (ECJU) guidance on Export controls applying to academic research and on dual-use items
- The Computer Misuse Act 1990
- The Information Commissioner’s Office’s (ICO) guidance on the Data Protection Act 2018
- The Home Office’s guidance on the National Security Act 2023
- The National Cyber Security Centre’s (NCSC) Top tips for staying secure online
Trusted Research - digital video script Scenario 2: Overseas presentation and government approach The following content is based on real events that occurred in UK academia. UK Professor’s overseas lecture sparks export control investigation Following a voluntary disclosure, a respected professor of advanced materials at a prominent UK university was required to meet with HM Revenue and Customs, the enforcers of UK export controls, following an overseas trip that involved the potential disclosure of sensitive data to a foreign government. The UK professor’s ongoing collaboration with an overseas counterpart had spanned six months before they were invited to deliver a lecture at the overseas professor’s university. The topic? Advanced materials – fundamental to a wide range of science and engineering disciplines, as well as the stuff of stealth aircraft and cutting-edge defence systems. When the UK-based professor was invited overseas to deliver a lecture to students and researchers it seemed routine — an opportunity to share knowledge across continents. But it wasn’t just academics in attendance – a government representative from the overseas Science Ministry gained access to the Q&A session following the lecture and approached the UK professor for a private meeting. Whilst research specifics weren’t discussed due to strict non-disclosure agreement limitations with a UK defence industry partner, the foreign Science Ministry made their intentions clear - to replicate the UK professor’s research and research facilities for themselves. The professor explained that direct replication would not be feasible but agreed to act as a consultant to improve the overseas Science Ministry’s research facilities, accepting travel expenses and an initial retainer of £5,000 to work together. Breaching export control can have severe consequences. To facilitate safe and secure international collaboration, what could the UK professor have done to mitigate the risks?’ When delivering presentations and lectures overseas, or online in the UK to an overseas audience, consider whether export control applies. When taking devices overseas, the information held could be subject to export control, regardless of whether it will be shared. It may be easier and safer to take a ‘clean’ device if your institution provides this service. Content subject to export control can be difficult to identify and protect when devices are used both personally and professionally and export control will need to be considered for all overseas trips, including holidays. Funding is likely subject to terms and conditions, such as alerting of other engagements, or disclosure of paid work that could be deemed a conflict of interest or commitment. If accepting additional payment or expenses, consider whether they need to be declared to your institution, existing partners, or HMRC. Considerations may vary per country, so familiarise yourself with the rules and regulations for your destination. The Trusted Research Countries and Conferences Guidance provides additional advice on overseas travel. What could the UK professor have done to mitigate the risks? Know their UK institution’s travel policies and processes… particularly around devices Review contractual obligations… to ensure they are fully understood With the assistance of the research office, research all partners… to identify any potential risks or concerning links Get advice from the research office and/or professional services around… export licences, legal obligations and due diligence Identify reporting mechanisms in case help is needed when overseas Research foreign laws, customs and political circumstances prior to travelling Need more information? Speak to your research office or professional services. And visit the NPSA Trusted Research website. ENDS INTRODUCTORY LINE
SECTION ONE – THE STORY
SECTION TWO – CONSIDERATIONS
SECTION THREE
WRAP UP
Scenario 2 - Overseas presentation and government approach
This video explores the research security risks that can arise when giving presentations overseas, as well as how to proactively mitigate them. We recommend exploring our Trusted Research Countries and Conference Guidance for more advice before travelling overseas.
Other useful resources include:
- The Export Control Joint Unit’s (ECJU) guidance on Export controls applying to academic research and on dual-use items
- The National Cyber Security Centre’s (NCSC) Device Security Guidance
Trusted Research - digital video script Scenario 3: Hosting sensitive data overseas] [INTRODUCTORY LINE] The following content is based on real events that occurred in UK academia. [SECTION ONE – THE STORY] UK university’s overseas collaboration leads to major controversy and public backlash A postdoctoral researcher at a UK university receiving funding from a UK police force for their research into artificial intelligencehas been working closely with a professor at an overseas university for the past six months. Both academics' research focused on using AI to identify criminality and terrorism through CCTV footage. As a result of their shared research interests, both academics agreed to share their developments and data. To facilitate their collaborative working, the overseas professor suggested that they use a new IT platform developed by their university which had advanced functionality. The UK researcher agreed to host their work, including bulk personal data from the UK police force, on the platform. The situation deteriorated when a UK national newspaper alleged that in collaboration with the UK university, the overseas institution had provided their country's police force with AI technology that could facilitate widescale surveillance on minority groups. This technology was reportedly used to support a regime of repression and ill-treatment. The fallout was immediate and severe. The UK university’s reputation suffered significant damage, facing widespread criticism from the public and academic community. In an attempt to mitigate the situation, the researcher tried to access the overseas university’s IT platform to remove the bulk personal data but was denied access. The researcher reported the incident to their internal IT team, but the damage had already been done. The breach of data security led the UK police force to withdraw funding from multiple projects at the UK university, leaving a trail of disrupted research and financial instability. [SECTION TWO – CONSIDERATIONS] Considerations may vary slightly depending on which overseas country is involved in this type of scenario. What can we learn from the UK researcher's story? [SECTION THREE – Mitigations] What could the UK researcher have done to mitigate the risks? [WRAP UP] Need more information? Speak to your research office or professional services. And visit the NPSA Trusted Research website.
Scenario 3 - Hosting sensitive data overseas
This video explores the negative impact of a data security breach, which results in reputational damage and the withdrawal of funding from a key partner. We recommend exploring the NCSC’s guidance on protecting bulk personal data for further guidance on managing data securely.
Other useful resources include:
- The Cabinet Office’s guidance on the National Security and Investment Act for higher education and research-intensive sectors
- The Information Commissioner’s Office’s (ICO) guidance on the Data Protection Act 2018
- The Export Control Joint Unit’s (ECJU) guidance on Export controls applying to academic research and on dual-use items
Trusted Research - digital video script Scenario 4: Talent plan, funding conflicts and changing research scope [INTRODUCTORY LINE] The following content is based on real events that occurred in UK academia. [SECTION ONE – THE STORY] Innovative UK medical research terminated following a researcher’s failure to comply with key legal agreements. A UK university had its medical research government funding withdrawn after a researcher took action that conflicted with the conditions of the funding. The researcher had been conducting groundbreaking, UK government-funded research on the subject of genome editing for the development of new medicines. After publishing several academic papers, the researcher was approached by a senior employee from a UK subsidiary of an overseas synthetic biology company. The senior employee expressed keen interest in the research and during a meeting, offered additional funding and lab space at their UK facility through an informal talent plan. The senior employee assured the researcher that this did not require notification to the researcher’s university. The researcher accepted the offer and continued their research, working both at the university and the company facility. Over the next three months, the researcher found the staff at the company facility very welcoming, frequently attending networking events andintroducing numerous colleagues from the UK university. However, when the researcher’s government funding partner discovered that they were receiving additional funding, which conflicted with the terms and conditions of the government funding, the researcher’s government funding was withdrawn. Shortly after the withdrawal of government funding, the UK subsidiary company offered the researcher further funding to work on a new project, using synthetic biology to enhance physical and cognitive human performance, which the researcher accepted, exposing them to a significant amount of further risk. [SECTION TWO – CONSIDERATIONS] What can we learn from the UK researcher’s story? The Trusted Research for Academia guidance provides additional advice on collaborating responsibly with international partners [SECTION THREE - Mitigations] What could the UK researcher have done to mitigate the risks? [WRAP UP] Need more information? Speak to your research office or professional services. And visit the NPSA Trusted Research website. ENDS
Scenario 4 - Talent plan, funding conflicts and changing research scope
This video demonstrates risks which may arise from joining talent plans, or similar arrangements. It also highlights the importance of understanding the ultimate beneficial owner of your research. We recommend exploring the Trusted Research for Academia guidance for further advice on collaborating securely.
Other useful resources include:
- The Export Control Joint Unit’s (ECJU) guidance on Export controls applying to academic research and on dual-use items
- The Cabinet Office’s guidance on the National Security and Investment Act for higher education and research-intensive sectors
Trusted Research digital video script Scenario 5: University spin-out The following content is based on real events that occurred in UK academia. UK research associate ensnared in overseas military scandal A recently commercialised drone, designed to track endangered species in extreme weather conditions, appears to be the focal point of an international military scandal. The research associate that designed the drone, cashed in on their invention when a UK subsidiary of an overseas tech giant offered to invest and help commercialise the technology, through the formation of a university spin-out company. The overseas tech company stated that they intended to market the drone to the producers of wildlife, travel and extreme sports documentaries. However, aware that the technology could have dual-use applications – to track people, withstand explosions and function in extreme weather – the research associate conducted open-source research on the UK subsidiary, which left them feeling assured that the intended use was for civilian purposes only. Confidence bolstered, the research associate partnered with their institution’s Technology Transfer Office (TTO) and went ahead with forming the university spin-out company, providing the tech company with exclusive licensing rights. Following a year of R&D to further develop the drone’s capabilities, the research associate was shocked to find that the country in which the UK subsidiary was headquartered had recently produced a military drone with near identical capabilities and identical appearance. When the research associate approached the partner company, they denied involvement in the development of the military drone but soon after they terminated their agreement with the university spin-out. What can we learn from the UK research associates’ story? Researchers should familiarise themselves with institutional policies related to university spin-out companies, particularly in regard to shareholding and intellectual property (IP) ownership. Under the National Security and Investment Act, the UK government can scrutinize qualifying acquisitions if there’s reasonable suspicion of a risk to national security. Acquisitions related to sensitive areas of the economy, such as military and dual-use, are more likely to trigger scrutiny. Universities can voluntarily notify the government about an acquisition to determine if it will be called in. Researchers should be aware of who ultimately benefits from their work. When collaborating with UK subsidiaries of overseas companies, explore the organisation’s entire ownership structure as part of due diligence. Consider whether export controls apply based on information transfer within that structure. Working with overseas partners or in foreign markets may require you to obtain additional IP protections as they are often limited by territory, meaning IP protections held in the UK may not be recognised overseas. Note that IP enforcement varies across different territories; not all uphold protections as rigorously as the UK. The NPSA’s and the NCSC’s Secure Innovation campaign offers guidance on safeguarding start-ups and spin-outs. What could the UK research associate have done to mitigate the risks? Conducting open source research on all partners and their funding sources, not just those based in the UK, at the outset and refreshing this regularly for the duration of a project. This should be undertaken in conjunction with the research office, professional services and/or TTO to ensure a comprehensive understanding of the ownership and funding structures involved and the ultimate beneficiary of their work. Ensure that you are compliant with institutional policies with regard to the legal owner of any intellectual property that is developed when you are employed by a university, developing a spin-out or accepting funding from a third party. Consult institutional policies on holding external appointments, conflicts of interests and IP ownership prior to becoming involved in university spin-outs. Identify any legal obligations overseas partners, and their funders, may be subject to. Seek advice on IP protections, both in the UK and in the relevant overseas jurisdictions, from your research office/professional services. You can also access the Intellectual Property Office’s (IPO) online support tools. Need more information? Speak with the team at your institution responsible for research security and visit the NPSA Trusted Research website
Scenario 5 - University spin-out
This video highlights the need to identify the ultimate beneficial owner of research in order to secure your IP and be legally compliant when developing a spin-out company. For more information on embedding security into spin-outs, explore our Secure Innovation Guidance.
Other useful resources include:
- The Export Control Joint Unit’s (ECJU) guidance on Export controls applying to academic research and on dual-use items
- The Cabinet Office’s guidance on the National Security and Investment Act for higher education and research-intensive sectors
- The Intellectual Property Office’s (IPO) Online Support Tools
Trusted Research digital video script Scenario 6: Identifying export controls and sanctions The following content is based on real events that occurred in UK academia. UK University Avoids Breach of Sanctions in Near-Miss Incident A postdoctoral researcher at a UK university had hoped to collaborate with their former PhD supervisor, but the proactive identification of export control concerns and UK sanctions meant that the risks were identified at the outset. This allowed both them, and the university, to avoid legal issue and reputational damage. The postdoctoral researcher, who obtained a PhD in advanced materials from an overseas university, currently works at a prestigious UK institution and has been conducting extensive research into the application of graphene as a protective material. Keen to collaborate, the postdoctoral researcher reached out to their former PhD supervisor at the overseas university, who is an expert in the application of graphene as a construction material. Eager to be involved, their former PhD supervisor emphasised that to understand the UK project’s requirements, the full research aims and findings would need to be shared. Luckily before any data exchange, the postdoctoral researcher consulted with their institution’s professional services team. The team helped them navigate the university’s collaborations policy, which required consideration of UK export controls and sanctions. Through this process, it was established that due to the potential dual-use application of graphene as a protective material, the research would be subject to export control. It was also discovered that the overseas university was subject to UK sanctions. Recognising that the collaboration couldn’t go ahead, the postdoctoral researcher informed the UK university that whilst there had been contact with a sanctioned university, no intellectual property had been transferred and they would seek alternative partners with which to continue their research. What can we learn from the researchers’ story? The researcher was right to flag this potential international collaboration with their institution. Identifying potential research security risks and complying with UK legislation, as well as institutional policies, is a key part of protecting your research. Working with research offices/professional services helps to ensure that legal obligations are upheld and institutional policies and processes are followed. These teams can also provide advice on how to report and record interactions that may be a concern. Graphene as a protective material falls under the Export Control Order 2008. Use of graphene in body armour is also listed on the UK Government’s consolidated list of strategic military and dual-use items requiring export authorisation. The Department for Business and Trade’s Goods Checker tools can help to determine if technology is subject to export control. Since the tool is primarily designed for goods, it is always beneficial to discuss requirements with the research office/professional services. The UK Government can impose various sanctions on individuals, organisations, or countries, so sanction lists must be consulted before transferring goods, technology, or knowledge. Researchers should be alert to the use of third-party countries in international collaborations to circumvent UK sanctions. The Trusted Research Collaboration Checklist can be used to assess the level of risk incurred by a potential collaboration. What did the researcher do to reach this positive outcome? Notified their institution of the proposed collaboration at the outset. Conducted open-source due diligence, with the assistance of their research office, regardless of their prospective collaboration partner being personally known to them. Sought the advice of their research office on export control requirements for the topic of their proposed project. Checked the UK sanctions list to identify whether any individual or institution involved had been designated. Need more information? Speak with the team at your institution responsible for research security and visit the NPSA Trusted Research website SECTION ONE – THE STORY
SECTION TWO – CONSIDERATIONS
SECTION THREE – MITIGATIONS
Scenario 6 - Identifying export controls and sanctions
This video explains how an academic successfully navigated their institution’s collaborations policy and worked with their research office to avoid breaching UK export controls and sanctions. We recommend using the Trusted Research Collaboration Checklist to identify research security risks at the outset of a collaboration.
Other useful resources include:
- The Export Control Joint Unit’s (ECJU) guidance on Export controls applying to academic research and on dual-use items
- The Department for Business and Trade’s (DBT) OGEL and Goods Checker Tools
- The Foreign, Commonwealth and Development Office’s (FCDO) guidance on UK Sanctions
Trusted Research - digital video script Scenario 7: Identifying dual-use applications before commercialisation [INTRODUCTORY LINE] The following content is based on real events that occurred in UK academia. [SECTION ONE – THE STORY] UK lecturer involved in near-miss IP theft incident A lecturer who developed an innovative solution for disposing of radioactive waste was able to protect themself from serious repercussions, including reputational damage, following overseas interest in their dual-use research. The lecturer specialises in nuclear energy and was approached by an overseas company to create a university spin-out. The lecturer sought approval for travel expenses to visit the company and discuss terms. The lecturer identified that the potential collaboration fell outside the scope of a mandatory notification under the National Security and Investment Act. However, recognising the wide ranging civilian and military uses of nuclear energy, the lecturer’s Head of Department recommended detailed research into the overseas company and referred the matter to the university’s research security team and the technology transfer office. The lecturer provided the research security team with a detailed specification of their product, which enabled them to determine that the product included components listed on the UK Government’s consolidated list of strategic military and dual-use items, which would require an export licence. Further open-source research also revealed the overseas company had a concerning history of IP theft disputes. Given these findings, and the potential for dual-use applications, the research security team escalated the collaboration to the research risk review board. The board decided to voluntarily notify the UK Government of the potential collaboration under the NSI Act, considering the nature of the product and the overseas company’s background. As a precaution, the Head of Department advised the lecturer not to travel overseas until the review was completed, ensuring all legal obligations were met and the lecturer’s intellectual property was safeguarded. [SECTION TWO – CONSIDERATIONS] What can we learn from the UK lecturer’s story? [SECTION THREE - Mitigations] What did the UK institution do to reach this positive outcome? [WRAP UP] Need more information? Speak to your research office or professional services. And visit the NPSA Trusted Research website. ENDS
Scenario 7 - Identifying dual-use applications before commercialisation
This video shows how proactively identifying dual-use applications of research can help researchers to protect their work and their reputation. Before travelling overseas to meet with partners, familiarise yourself with the Trusted Research Countries and Conferencesguidance.
Other useful resources include:
- The Cabinet Office’s guidance on the National Security and Investment Act for higher education and research-intensive sectors
- The Export Control Joint Unit’s (ECJU) guidance on Export controls applying to academic research and on dual-use items
- The Intellectual Property Office’s (IPO) Online Support Tools