Years of work and sacrifice on your research have led you to this point.
You collaborate with the best minds, building relationships, reputation and recognition. You know your research, its potential and its applications, the ways it can change the world for the better or for the worse.
You trust those you are working with and know that everyone is working towards the same shared goal. But do you really know who you are collaborating with?
Some states may seek to exploit the open system of international research collaboration to misuse your work for their own purposes.
Not being aware of the risks can have severe consequences for your research and career. Failing to perform thorough due diligence on your partners may have an impact on your reputation, and if you don't consider the potential misuses of your research and those who might seek to misuse it, your career may be damaged and you may lose your funding.
It's your responsibility to protect your research.
Check the trusted research website to help secure your collaborations.
To download a copy of the video please contact us via our enquiries form.
The UK has a thriving research and innovation sector that attracts investment from across the world. More than half of UK research is a product of international partnerships.
Trusted Research aims to support the integrity of the system of international research collaboration, which is vital to the continued success of the UK's research and innovation sector. It is particularly relevant to researchers in STEM subjects, dual-use technologies, emerging technologies and commercially sensitive research areas. The advice has been produced in consultation with the research and university community and is designed to help the UK's world-leading research and innovation sector get the most out of international scientific collaboration whilst protecting intellectual property, sensitive research and personal information.
- Outlines the potential risks to UK research and innovation
- Helps researchers, UK universities and industry partners to have confidence in international collaboration and make informed decisions around those potential risks
- Explains how to protect research and staff from potential theft, misuse or exploitation
In addition to the following guidance we have produced Trusted Research for Senior Leaders which outlines some key considerations for academia leaders.
THE UK AND BEYOND: RESEARCH & COLLABORATION AT A GLANCE
A fifth of the world’s scientific papers are produced through international collaboration, and these partnerships play a vital role in scientific progress1.
The UK champions a rules-based system, which has served our interests as a global, outward-facing nation and continues to be of vital importance. This system has enabled global cooperation to protect shared fundamental values of respect for human dignity, human rights, freedom, democracy and equality. For academia this is demonstrated by the importance the UK places on the protection of academic freedom, something which is enshrined in law2.
Universities in the UK work closely with partners from across the world - more than half of UK research is a product of international partnerships. These international relationships extend further than research funding and collaboration; 42% of postgraduates and 31% of staff in universities are from outside the UK3. Developing and maintaining these international relationships is key to the success of UK research and innovation. The Department for Business, Energy & Industrial Strategy (BEIS) published the UK International Research and Innovation Strategy4, which sets out a goal for the UK to be the partner of choice for international research and innovation for the long term.
More than £1 billion of research income comes from overseas
In 2017-18, UK universities received £8.2 billion in research income, £1.39 billion of which came from international sources5
How to protect your research
As a researcher there are steps that you can take that will help you to protect your research, ensure that you are meeting all your legal obligations and support you in making informed decisions about research collaborations. These measures should always be proportionate to the risk and balanced to support the benefits of international research collaboration.
- Collaborating with research partners - protecting intellectual property, making informed decisions about international collaboration and managing cyber risks
- Using legal frameworks, understanding contractual expectations, export controls and GDPR
- Helping researchers to stay safe - protecting your personal and research data, working with overseas researchers and attending conferences abroad
Collaborating with research partners
- Due diligence Conduct due diligence when considering a new research and/or funding collaboration. This should include ethical, legal and national security considerations as well as financial. You will then have all the information needed to make an informed and balanced decision about whether you want to work with them.
- Conflict of interest Be aware of potential conflicts of interests between research and/or funding partners that you work with. Be open with your partners and discuss your security arrangements, and their security needs, regularly.
- Segregation Ensure that, where necessary to protect IP, research or personal data, there is appropriate segregation between research programmes, both physically and online. Only give access to research to those who have a valid requirement.
Securing funding for even short-term research can be a source of pressure and, understandably, security considerations may be of secondary concern. Increasingly, legitimate industry or commercial partners who are seeking to fund research expect assurance around the protection of the resulting intellectual property (IP), which they hope will contribute to their future commercial success and to the success of the wider economy. A 'secure research' offering could result in assurance for prospective industry partners or sponsors whilst simultaneously protecting your existing relationships.
THREE KEY THINGS TO CONSIDER
If you are collaborating with multiple partners, it is crucial to avoid conflicts of interest. It may be possible to explore a related but different focus for collaboration with a new research partner in order to avoid a conflict of interest with your existing partner.
Without compromising academic freedoms or curtailing the benefit of collaboration, some degree of separation between areas of research may be necessary. In some cases, you may wish to consider segregating IT network access, information and potentially people to prevent one partner having visibility of the work which another partner is sponsoring. Developing a good research security culture and having agreed guidelines between fellow researchers is a positive way of approaching this issue.
As part of managing long-term research relationships, it is important to be transparent about new research commitments. This may mean speaking to your existing sponsors, with potential implications for your ability to enter into non-disclosure agreements. Visibility of research across a laboratory, department or university is also critical. Laboratory or departmental meetings are a key opportunity to provide such visibility, and your regular meetings with research partners could include discussion about security.
Cyber security for research collaboration
When entering a new foreign collaboration, including a funding arrangement, you will need to understand the cyber security risks presented and the additional mitigation activities required.
Your IT department will be able to support you with implementation of the following measures:
It is important that you control access to sensitive data, whether that is personal data or research data. You should only allow users and partners with a valid requirement to have access to sensitive data, research and other parts of your networks. You should also ensure that you understand the security of any collaborative IT platforms, especially those used by third parties.
Unauthorised access monitoring and prevention
Even when critical or highly sensitive data is separated and privileged access is limited, there may be instances of unauthorised access attempts. These could be from system users (insider threat) or from partners or other sources (external threat). You must ensure there are effective cyber security arrangements in place to monitor and defend against unusual or malicious network activities.
Supply chain or partner organisation security
Many issues around supply chain security are due to the poor security practices of partner organisations or managed service providers. Working with overseas partners may present a higher level of risk. You should develop an understanding of the cyber risks associated with partner organisations, managed service providers and potentially vulnerable components at an early stage.
A SECURITY-MINDED AGENDA FOR RESEARCH PARTNERS
A university with long-established research relationships saw that critical to their success was having regular interactions with their partners, usually on a quarterly basis, where they ensured that security was a standing item for discussion. When it came to publishing, they had an agreement with their sponsors that they would consult on the content of papers and have a set process for arbitrating conflicts.
As the sponsors were engaged in a long-term funding relationship, there was an opportunity to consult early on new areas of research. These early discussions provided an opportunity to give confidence to the long-established research partner.
The open and transparent relationship included talking about who was working on a project, changes to personnel, and any visiting research fellows working on closely related topics. This ongoing dialogue extended to IT/network security and data protection and was an opportunity to discuss how the sponsor’s data and information was protected and held.
What do you know about your potential research partner?
Universities already invest significant effort in conducting due diligence around the financial sustainability or fraud risk associated with a research partner or funder. You should also consider whether a research or funding partner poses ethical or national security concerns. This consideration should go beyond questions of compliance (such as the export control regime) and consider reputational risks. An internet search can provide a lot of information about a partner, their relationship with a state or state military, and the nature of any previous research they have undertaken.
Things to consider include:
- Is there any publicly available information about an organisation, institution or entity which might give you cause for concern?
- In view of that information, what might be the broader application or unintended consequences of working with them in the area of research that you intend to undertake?
- What information is available about the level of freedom and the state of law of the country where your research partner is based?
The following resources could help inform your decision about the suitability of research with specific partners:
Using legal frameworks
- Export ControlEnsure that you understand whether your research is subject to export control. Research activities are covered by export control legislation and there are tools that you can access to check whether your research needs to have an export control licence.
- Legislation When collaborating with a foreign research partner or funder, ensure that you have an awareness of the different legislative frameworks under which they may operate and how this might impact your agreements or partnership.
- GDPR Be aware of your responsibilities to protect the data and information that you handle under GDPR legislation.
- Technology Transfer Office Speak to your Technology Transfer Office (TTO) or equivalent at the earliest stage of considering a new collaboration. They should be well-placed to advise you on legal conditions and compliance issues
- The National Security and Investment Act The National Security and Investment Act came into force on 4 January 2022 and provides powers for the government to scrutinise and intervene in certain investments that could harm the UK’s national security.
In some cases, the Act requires mandatory notification to the government of qualifying investments into certain entities which are in scope of the government’s 17 sensitive areas of the UK economy, which are highly compatible with high-risk and sensitive research areas.
There are also instances in which a voluntary notification of qualifying entities, which do not meet the criteria for mandatory notification, and qualifying assets may be submitted to the government to determine whether they intend to call in the investment for review.
In academia a qualifying entity may include a UK, or foreign, university, private university, trust, university spin-out, university subsidiary, research organisation or a private company working with an academic organisation.
A qualifying asset in academia may include designs, plans, drawings, specifications, software, trade secrets, databases, source code, algorithms, formulae and tangible movable property (e.g. laboratory equipment).
For further information on the relevance of the NSI Act to academia, you should contact your institution's nominated Research Collaboration Advice Team (RCAT) representative via your Research Office or contact the Investment Security Unit (ISU) via [email protected].
Collaboration and contracts
Your research will often be subject to contractual arrangements, providing greater certainty around the expectations of a research partner or sponsor. Equally, sponsors will have contractual expectations. It is critical that you have a clear understanding of the impact of these agreements on the research that you undertake.
"Unfortunately, it is common for disputes to arise over co-created materials. That is not to say you shouldn't collaborate. It is, however, essential that the collaborators agree upon the terms of the arrangement." Maria Crimi Speth
UK export controls are designed to restrict the export and communication of sensitive technology or strategic goods, with the aim of preventing weapons of mass destruction (WMD) proliferation and countering international threats such as terrorism.
When collaborating with international partners, you must ensure compliance with UK export controls. Certain products, software, and technology (including the intangible transfer of critical, technical knowledge) are ‘controlled’ and therefore require an export licence.
The UK maintains a single consolidated list of sensitive items that require export authorisation. These include both military and dual-use items. Dual-use items can be used for both civilian and military applications. The government has additional powers to require an export licence on items, technology, or knowledge even if they are not on the consolidated control list.
UK export controls for research focus on applied research in high-risk disciplines, which are predominantly STEM-related. Institutions are responsible for checking whether items require an export licence.
Export control could affect your research activities if you:
- Work with colleagues overseas.
- Teach overseas students (at an overseas campus or in a virtual/online learning environment).
- Take your research overseas (physically or electronically).
- Access controlled technology whilst overseas from servers or an intranet.
- Conduct research activities at overseas institutions that have a weapon of mass destruction (WMD) or military end-use potential.
- Export your technology overseas.
It is important to note that computer-based services and activities which take place online are also subject to export control including, but not limited to, e-Research, e-Science and presentations on controlled topics.
There are export control exemptions for some areas of academic research, including:
- Research already in the public domain without restrictions on its further dissemination (excluding copyright).
- Basic scientific research (experimental or theoretical) which is not directed toward a specific practical aim or goal.
- The minimum technical information required to support a patent application.
It is essential for researchers to identify whether the research they are undertaking is subject to export control and whether the international research partners with whom they are working are subject to additional controls.
As part of this process, you should:
- Check whether the item you want to export appears on the consolidated list of strategic military and dual-use items that require export authorisation.
- Use the Goods and Open General Export Licences (OGEL) checker to check whether the items you want to export are regulated by export controls and Open General Export Licences (OGEL) checker to determine if an Open License is available for your scenario. Where an OGEL is not available and your goods, technology or knowledge is controlled you will need to apply for a Standard License in SPIRE.
- Do background checks on the end-user(s) to check whether you need an export licence:
- Is their home country listed as an embargoed destination on the list of end-use controls applying to military related items?
- Do they have links to military or defence organisations?
- Does their home country have active policies on using advanced and emerging technology to support the development of their military?
- Have they been involved in civil or criminal proceedings?
- Is their home country subject to any sanctions?
You should also ask your research office if they have a SPIRE - Export Licensing System account.
- UK strategic export controls guidance provides details on the UK’s regulatory framework for export controls and the circumstances where you might need an export licence.
- Export controls applying to academic research.
- Exporting military or dual-use technology: definitions and scope.
- Tools and services in SPIRE, the UK’s export licencing system. This includes:
- The Goods and Open General Export Licences (OGEL) checker tools to check whether the items you want to export are regulated by export controls.
- The End User Advice Service to check whether the end user of your items mean that you need an export licence.
- GOV.UK list of countries subject to arms embargo, trade sanctions, and other trade restrictions.
- GOV.UK list of end-use controls applying to military related items.
- You should carefully consider whether you use anything supplied from the US, in which case you may also be subject to United States export control laws, specifically:
WORKING WITH OVERSEAS INSTITUTIONS
A university worked in partnership with overseas institutions for a number of years on cutting-edge technology research. In 2019 the university discovered that a significant proportion of existing research agreements should have been subject to export control licence applications. The university undertook an extensive review of those agreements and, working with the relevant government departments, went through a process of submitting export control licenses for those research programmes, some of which had to be paused during the process and some of which were stopped entirely.
You should be aware that, at the time of publication (2019), there are arms embargoes in operation against both China and Russia. You should also carefully consider whether any of your research is derived from the US, in which case you may also be subject to United States export control laws, specifically:
Compliance in foreign jurisdictions
If you are collaborating with an international partner there may be laws and regulations with which you will need to comply in your collaborator's country. Most countries will maintain some form of export control, they may have laws which restrict their institution's ability to share data or research outcomes, and the legal protections around IP may also differ in those jurisdictions. You should not assume that your research partner will take responsibility for such compliance, and you should be aware of any requirements that impact the collaboration. The Intellectual Property Office (IPO) provides advice on the protection of intellectual property in other countries.
China’s top legislature, the National People’s Congress (NPC) passed the National Intelligence Law in June 2017. The legislation allows Chinese intelligence agencies to compel Chinese organisations and individuals to carry out work on their behalf and provide support, assistance and cooperation on request. This may affect the level of control you have over any data, information, research and assets that you share with Chinese individuals and organisations, especially if you research is in an area that is of interest to the Chinese state.
The System of Operative Search Measures (SORM) is Russia’s legal intercept capability, which is administered by the Russian Federal Security Service (FSB). All telecommunications operators (TOs) operating in Russia are obliged to install equipment to enable the FSB to monitor communications. The FSB can use SORM to monitor communications transmitted to, within, and out of Russia including voice calls, text messages, social media, web browsing and metadata. The FSB is not obliged to provide TOs or commercial companies with any details of their monitoring of SORM. This may mean that you are unaware of how your sensitive communications and information is used outside of your commercial engagements in Russia (or with Russian individuals and companies).
Publish and protect
Freedom to publish will be of paramount importance to all academics, but it is possible to both publish and protect. In many cases, publishing first will be the means by which you protect your ideas but there may also be occasions when you want to protect aspects of your work if they have a sensitive application or if you are considering commercial opportunities.
Your Technology Transfer Office, legal department or other relevant supporting corporate services should be able to help with advice on export control issues and contractual undertakings.
Publishing and protecting research
At an early stage, before publishing or even speaking at a conference, consider if there is anything which is patentable within your research. Through the cycle of a research project, you should continually review progress and whether there is anything new which you have developed which might now be patentable. If working with sponsors or partners where there is a co-creation agreement for IP, maintain a regular dialogue and discussion around what may be patentable and explore an early framework agreement or process for agreeing sensitive material that may be sanitised without damaging your overall ability to publish.
In some cases, you should consider whether there are national security implications to the research and whether a National Security Patent under Section 22 of the Patents Act 2004 might be applicable. Alternatively, you may not want to patent an area of research as at that point your sponsor may wish to protect the information until they are closer to the point of commercialisation. In this case, you would be treating specific aspects of the research as 'trade secrets' and commercially sensitive. You will need to have an agreed process about those things which you may be able to publish and those things which you may wish to protect. Think carefully before disclosing information where you do not have a patent.
When you submit a patent application the Patent Office will assess whether there are any national security applications which may require an application under Section 22. Some details of the technologies and areas that may fall within section 22 are described below, although some details are not made public.
GDPR: Implications for research data
The Data Protection Act (DPA) 2018 sets out the framework for data protection law in the UK. It updates and replaces DPA 1998, and came into effect on 25 May 2018. It sits alongside the GDPR, and tailors how the GDPR applies in the UK - for example by providing exemptions. You must ensure that all data that you handle (including research data) is protected in compliance with GDPR. The Information Commissioner's Office (ICO) is the regulator for GDPR and there are circumstances in which you will have to report a data breach to the ICO. A detailed guide to your responsibilities under GDPR can be found on the ICO website.
Helping researchers to stay safe
Awareness Ensure that you and your colleagues are aware of the measures that you can take to protect you and your research online. Good cyber security practices will reduce the likelihood of the loss or compromise of your research data.
- Visas Ensure that visiting researchers with access to your facilities and IT network are centrally recorded as members of staff and have appropriate visas.
- Travel advice When travelling overseas for a conference or longer period, consider local laws and custom as well as how you protect intellectual property and sensitive data. If relying on IT, make sure it can be used/accessed overseas.
The nature of your collaborations, including how you use and share data and research online, will require a tailored approach to cyber security in line with your institution's security policies. However, there are some sensible tips that all individuals can follow, that will reduce the likelihood of loss or compromise of your research:
- Protect your email by using a strong and separate password
- Install the latest software and app updates
- Enable two-factor authentication on your email and collaboration platforms where possible
- Use a password manager to help you create and remember passwords
- Secure smartphones and tablets with a screen lock
- Always back up your most important data
Your IT department will be able to support you with any of the measures in this section.
Take care when using USB drives
USB drives or memory cards are a quick and easy way to transfer files between organisations and people. However, there are risks. If you're handed a USB drive at a conference, for example, before you insert it:
- Consider how trusted the source of the USB drive is
- Make sure 'autorun' is disabled on your device via settings or system preferences, for example:
- Windows 10: Windows key + I -> Devices -> Autoplay -> Use Autoplay for media and devices (OFF)
- MacOS just mounts the files rather than executing anything
- Make sure your antivirus software runs an auto-scan before your device accesses the data on the USB drive
If you need to share information, consider alternative means (such as cloud storage, email or dedicated collaboration platforms).
Preventing phishing attacks
Phishing attacks are one of the most common ways of obtaining personal and other data, so it is worth doing whatever you can to defend yourself against them. Phishing emails appear genuine but are actually fake. They might try and trick you into revealing sensitive information or contain links to a malicious website or an infected attachment.
Below are some of the actions you can take to reduce the likelihood of being phished.
For more details please refer to the NCSC guidance that can be found on the NCSC website.
- Phishers use publicly available information about you to make their emails appear convincing. Review your privacy settings and think about what you post and what has been posted about you, such as conference or organisational biographs
- Know the techniques that phishers use in emails. This can include urgency or authority cues that pressure you to act
- Phishers often seek to exploit 'normal business' communications and processes. Make sure you understand your organisation's policies and processes to make it easier to spot unusual activity
- Anybody might click on a phishing email at some point. If you do, tell someone immediately (e.g. your IT team or line manager). Prompt reporting will significantly reduce the potential harm caused by cyber incidents, so don't assume that someone else will do it
PHISHING IN THE RESEARCH SECTOR
In August 2018, researchers discovered over 300 fake websites and login pages for 76 universities across 14 countries, including the UK. Victims were likely directed to the fake websites by email. After entering their credentials into the fake login page, the credentials were stolen and the victims redirected to the legitimate university website. This was likely to limit suspicion over what had taken place. Many of the fake pages were linked to university library systems, indicating the actors’ appetite for this type of material.
The researchers attributed this activity to Iranian actors who had previously targeted universities in order to steal intellectual property, including from library systems. This attack followed a previous Iranian campaign between 2013 and 2017, which saw the Mabna Institute target more than 100,000 accounts of academics worldwide and led to the loss of more than 30 terabytes of academic data and intellectual property.
Working with researchers from overseas
Academic institutions will want to attract visitors and researchers from overseas. You have a duty of care to all staff and need a degree of understanding of visiting staffs' backgrounds, previous work and ongoing obligations in order to help them to avoid conflicts of interest.
It is critical to follow your institution's human resources procedures so that anyone working on research for the university (with access to its facilities and IT network) is recorded as a member of staff or a student. Even short-term research attachments must comply with your institutional policies. Also consider what expectations you or sponsors may have from staff at the end of their work, particularly around confidentiality and non-disclosure.
You also have a responsibility to ensure that they are working on an appropriate visa whilst at the university. Visas for overseas students applying for certain courses in the UK may be subject to the Academic Technology Approval Scheme (ATAS). Your visa office at the university will be able to advise.
ATAS applies to all international students (subject to existing UK immigration permissions) who are applying to study for a postgraduate qualification in certain sensitive subjects which could be used in programmes to develop weapons of mass destruction (WMDs), or their means of delivery. These students must apply for an ATAS certificate before they can study in the UK.
Staff working overseas
If you have staff working in a country whose democratic and ethical values are different from our own, your broader risk assessment of staff working overseas should include the following:
- If something happens to one of your colleagues when they are working overseas, who should they report it to?
- How often do you check up on whether they have any concerns or issues?
- What agreements are there with the institution that will be hosting them overseas?
- What are the rules and laws that they are required to comply with in that country?
- Do any laws conflict with any of the agreements you have made with that institution?
- Will the work that they conduct be subject to UK export control?
- Are your colleagues aware of the export control laws, national security laws or intellectual property arrangement in the country that they are working?
In 2019 a UK university identified that there were a large number of individuals with access to its facilities and IT network that were not recorded as members of staff at the university. In many cases this had occurred because individual academics at the university were informally approached by researchers based at overseas institutions, who had come to the university for a short-term placement which they had funded themselves. Although they had access to the university site and network, the visiting academics had not applied for appropriate visas for the research work that they were undertaking at the university.
Countries and conferences
With overseas conferences being a normal part of academic life, researchers will understandably focus on their presentations and potential research opportunities, rather than the security issues associated with travelling to a different country. Part of your preparation for any overseas conference should be to:
- Consider the country that you are travelling to, and be aware of local laws and customs
- Think carefully about what information you share or present
- Make sure you understand your host's attitude to academic freedom and discussion
- Ensure that any payments you accept for attendance do not create a conflict of interest, or place you in a contractual breach or breach of university policies
- Be clear on the areas of research that you can, and cannot, talk about
- Be polite but firm if pressed to share more information
- Report any suspicions to your manager and the appropriate university authority
See the FCO website for more detailed travel advice, including how to seek consular assistance the country you (or your staff) visit.
More detailed guidance on travel, conference attendance and working abroad is available here.
Why protect your research?
Whether you hold sensitive medical data for genetic research or commercially sensitive information on behalf of a research sponsor or business, protecting your research is important to you, your institution and your partners.
Joint research is vulnerable to misuse by organisations and institutions who operate in nations whose democratic and ethical values are different from our own. It allows them to work with experts in a field of cutting-edge research and innovation, and obtain the resulting output of that work, all without having to steal it (e.g. through cyber espionage). It provides those with hostile intent overt access to expertise, IT networks and research. These activities may undermine the system of international research collaboration in the UK, which has been integral to the success of our research and, ultimately, global scientific progress.
All research can be at risk, but areas around applied research are particularly vulnerable, especially where there is a specific problem that you are seeking to solve, or where you are trying to develop a commercial application. In these cases, the consequence of research outcomes being exploited could be far greater and could result in the loss of intellectual property and misuse of your research.
For individual researchers, interference with (or loss of) research is likely to limit your ability to publish first or take credit for the resulting intellectual property. This could negatively affect your reputation and ability to demonstrate the impact of your research.
Who are you at risk from?
Some states have different democratic and ethical values to our own and have a strategic intent which is hostile to the UK.
A state may:
- seek opportunities to increase its own economic advantage, in particular to develop a research and innovation base to increase military and technological advantage over other countries
- prioritise the stability of its regime and focus on preventing internal dissent or political opposition
- seek to deploy its technological and military advantages against its own people in order to maintain the stability of the regime
MEMORANDUM OF UNDERSTANDING
A university signed a memorandum of understanding (MoU) to collaborate on research into facial recognition technology with an overseas university. As part of the proposal, the overseas university committed to providing significant funding and to sponsor two research fellows. The university conducted in-depth due diligence, including financial assurance and checking compliance with export control legislation. A year into the research, a newspaper published an exposé which highlighted well-publicised details of the overseas university’s work with the military and police of their country to support surveillance and repression of dissent to the political leadership.
How might you be targeted?
State actors are targeting UK universities to steal personal data, research data and intellectual property and this could be used to help their own military, commercial and authoritarian interests.
International collaboration offers state actors the opportunity to benefit from research without the need to undertake traditional espionage or cyber compromise. Collaboration can provide those with hostile intent access to people, IT networks, and participation in research which may be sensitive or have sensitive applications.
Individual researchers may be targeted by a state actor, but equally you may also be targeted by an academic institution to undertake research which is of strategic benefit to that country.
Traditional academic engagement provides an easy route for a foreign intelligence service to gain access to you, for example at a conference or research placement.
You might also be targeted through a cyber attack, such as a phishing email, which might try to trick you into revealing sensitive information or contain links to a malicious website or infected attachment.
What are the risks to your research?
Academic competition and plagiarism will be familiar concerns to many working in the field of research and innovation. If your research is obtained by a state actor, whether through legitimate means or not, you and your research could be affected in a number of other ways:
Conducting research in a way that maintains the trust of the public and private industry is vital to the continued success of the sector. Researchers need to demonstrate that you can meet the expectations of that trust in order to access sensitive data and funding. If the data on which your research depends is stolen, inappropriately protected or misused, this may mean that your institution is not trusted with such data in the future.
The integrity of your research methodology is as important as the integrity of the research data and outcomes. In addition to the ethical framework surrounding research, consideration should also be given to compliance with legislation and regulation such as General Data Protection Regulation (GDPR), export control and the Academic Technology Approval Scheme (ATAS). Each of these has its own conditions, and complying with one will not satisfy the conditions of the other two. Failure to comply with legislation may expose you to criminal charges or litigation.
At an institutional and even a departmental level there is a significant risk of over-dependence on a single source of funding, whether that is from a single organisation or from a single nation. Such over-dependence creates the opportunity for funders to exercise inappropriate leverage across a range of areas, for example, pressurising an organisation where it seeks to protect freedom of speech or even academic freedom.
You and your institution may find it difficult to attract future funding if it were to be discovered that your research had been stolen by a foreign state who may not impose the same sort of controls and protections around the privacy of that data, or might seek to misuse it for unethical purposes. You could face financial loss if a competitor were to access research data or information owned by your sponsor.
Your reputation and the reputation of your institution is critical to your future individual and institutional success. Your reputation could be damaged if it were to become apparent that your research had been exploited by the military of another country.
In 2014 a UK university provided a course on cyber security, which included modules on how to hack into secure IT networks. A national newspaper published details of two North Korean students who were studying on the course and allegedly had links to political figures in the North Korean state, shortly after the hack of Sony by alleged North Korean cyber actors.
How much of a target are you?
The first step is to have an awareness of the potential threat and this needs to be combined with an understanding of what you want to protect. This should involve identifying what you value the most - the 'crown jewels' of your work.
Most research will not have any sensitive application and will not cause concern, but being clear on which areas of research are sensitive is critical. You need to consider whether your research is commercially sensitive, has potential for patent, is related to sensitive defence or national security technology and/or could have future dual-use or unethical applications.
In most cases, as an expert in your field, you are ideally placed to judge the potential interest and broader application of your research. Some research will be subject to export control and the Department of International Trade's Export Control Joint Unit (ECJU) will be able to advise.
Things to consider are:
- Are there any potential ethical or moral concerns for the application of your research?
- Could your research be used to support activities in other countries with ethical standards different from our own, such as internal surveillance and repression?
- Could your research be of benefit to a hostile state military or be supplied to other state actors?
- Are there any dual-use (both military and non-military) applications to your research?
- Is any of the research likely to be subject to UK or other countries' export licence controls?
- Do you need to protect sensitive data or personally identifiable information? This may include genetic or medical information, population datasets, details of individuals or commercial test data.
- Is your research likely to have a future commercial or patentable outcome which you or your organisation would want to benefit from?
What to do if you are concerned
Every university will have different oversight arrangements for research activities. Many aspects of research and academic activity are devolved to a local level, for example, to a Head of Faculty or to an individual principal investigator (PI). There is a delicate balance for universities in protecting academic freedoms whilst trying to improve visibility of issues such as cumulative risk of investment (where the institution becomes overly dependent on single sources of funding).
Where you identify concerns around a potential collaboration, ethics committees or university governance boards may be the appropriate bodies to consider the balance of risks for the organisation.