Research Security: protecting Canada’s academic research from foreign espionage

By Peter K. MacKinnon

Peter K. MacKinnon is Senior Research Associate in the Faculty of Engineering at the University of Ottawa.

Today, Canada and its allies are faced with an increasing degree of domestic academic intelligence gathering. This can potentially threaten our economic base through foreign espionage by both cyber and other means.

Referred to as Research Security, it concerns the measures taken to protect research data, materials and participants, including partners, from unauthorized access, theft or misuse.

The depth of penetration into Canada’s research community is currently unknown; however, examples exist and can be anything from gaining cyber to physical access. Cyber protection is achievable if organizations and individuals practice good cyber stewardship.

The more insidious penetrations could be a visiting scholar, graduate student or academic partner. It is for the most part the human roles that are shaping the debate about what to do and how.

Research Security is a growing concern at the executive level in Canadian universities and is starting to be a responsibility of the vice-presidents for research/innovation. It also is a growing concern of the federal government, with a soon to be released report on Research Security from the Canadian Security Intelligence Service.

On the other hand, Canadian academics in general seem to pay little attention to Research Security (RS) as a practice and therefore need to be much more informed about the risks and threats and ways and means of identifying them.

A multi-level response is needed. First is the need for government and institutional policies that are designed to raise awareness and reporting procedures on suspect activities.

Second, coordination among universities (for example, through the U15 Group of Canadian Research Universities) will be a valuable way to share best practices and risk assessments.

Third is the need for a government-university clearinghouse for reporting and sharing of suspect activities. There is also a need to categorize the level of security risk in terms of intellectual property and potential dual uses of some research outputs. Also needed are training guides and learning materials relevant to good practices in RS.

Canada has taken note with both federal and some provincial responses. In September 2020, the Canadian Centre for Cyber Security (CCS) released a publication on Security Considerations for Research and Development, encouraging research organizations to equip themselves with more knowledge on protecting their research data, and how to implement basic security measures.

In May 2021, the Alberta government asked the province’s four universities to pause any new partnerships with links to the Chinese government, review existing relationships, and submit a report.

In Federal Budget 2022, the government allocated $125 million in funding for RS and $34.6 million over five years to enhance research protection and to establish a Research Security Centre that will provide advice and guidance directly to research institutions.​

In addition, various units within the government, from the CCS to the research granting councils are producing guidelines, reports, tools, and services (such as incident reporting) to aid in protecting Canadian researchers.

Components of a Research Security program

Metaphorically, RS raises issues like those that faced the development of research ethics. Thus, the emergence of a response to RS is likely to parallel the emergence of research ethics in both scope and scale, and will help ensure the integrity and confidentiality of research projects.

RS should include various strategies and policies such as secure data storage, encryption, access control, and authentication mechanisms. In addition, researchers should take appropriate measures to protect intellectual property such as patents, copyrights, and trade secrets.

Some additional key points to consider in establishing a Research Security program include:

• The need to conduct risk assessment, to identify potential security threats and vulnerabilities associated with their research projects. This would help to develop appropriate security measures to minimize the risk of data breaches or other security incidents.
• The need to have a plan in place to respond to security incidents such as data breaches, cyberattacks, and theft. The plan should include procedures for reporting the incident, containing any resulting damage, and notifying affected parties and authorities.
• All research projects and collaborations should follow a routine security-incidences review and update cycle. This can help to ensure that security protocols are effective and current and that any new threats or vulnerabilities are addressed in a timely manner.

RS should be essential for ensuring the integrity and credibility of research projects. Moreover, breaches in RS can have significant financial and reputational implications, for researchers as well as their institutions.

By implementing effective security measures, researchers can minimize the risk of such incidents occurring, and protect themselves and their institutions from potential harm. How to do this is the big challenge.

The responsibility for overseeing RS typically falls to a combination of individuals and entities. Within universities, the individuals would range from the principal investigator to all students and research partners; entities could be the office of the vice-president research/innovation or an office for Research Security.

Consequently, several Canadian universities have created a senior-level position typically associated with the VP of research/innovation with institution-wide responsibilities to promote, ensure use and report on RS.

Research Security concerns have reached a point where allies are now seeking ways and means to collaborate to stop foreign interference in domestic academic research, as noted in the following quote from a Five Eyes (Australia, Canada, New Zealand, the U.K. and the U.S.) communiqué issued in April 2021:

“Foreign interference and unwanted knowledge transfer in our academic, research and development sectors are of deep concern, and are prejudicial to our sovereignty and national interests, contrary to internationally accepted norms and values, and must be stopped.”

Overall, ensuring research security is a collaborative effort that involves multiple stakeholders, such as research teams, which are generally led by professors, internal executives and staff concerned with RS, funding agencies, regulatory agencies and some kind of government-university clearinghouse — all with a role in ensuring that research is conducted in a secure and ethical manner.

By working together and implementing appropriate security measures, researchers and their partners can help to protect their projects from potential security threats. Also, by protecting research from unauthorized access, theft or misuse, RS plays an important role in maintaining public trust and confidence in research.

R$