Canada has taken several measures to safeguard sensitive research but the approach isn’t harmonized and is lacking scientific evidence on what’s effective, says the chair of a Council of Canadian Academies (CCA) expert panel that studied the issue.
“There has been a lot of implementation of research security in Canada,” Martha Crago, chair of the CCA’s Expert Panel on Sensitive Research of Concern, said in an interview with Research Money.
However, “we don’t know what works for research security. We have no evidence base,” said Crago, professor and former vice-president of research and innovation at McGill University.
What’s needed now is a special program of funding for research on research security measures, to determine their effectiveness and establish common baseline criteria, she suggested.
“Our most vital areas of research are often the ones that are most susceptible to misuse,” Crago said. “To secure the future of Canada’s scientific strength, our country’s research ecosystem needs adaptive safeguards that work in tandem with our commitment to open science.”
The expert panel’s report, Balancing Research Security and Open Science, offers an independent assessment of national and foreign efforts to promote research security, highlighting potential strategies to safeguard national interests while preserving the openness that drives discovery, innovation and prosperity.
Canada does a lot of high-quality international research collaboration, much of it interdisciplinary and intersectoral and involving sensitive technology and big data stored somewhere, Crago said.
The global research ecosystem is much more decentralized than it has been in the past and it operates in a fast-shifting geopolitical environment, she added. “The risk of losing control in an ecosystem like that, which is so decentralized, leads to this increased vulnerability for security risks.”
Canada was an international pioneer in research security in 2018 when the country established the Government of Canada-Universities Working Group to tackle the issue, Crago said. “What was so remarkable about it is that it was really all of government.”
Since then, the federal government has established Canada’s Policy on Sensitive Technology Research and Affiliations of Concern, and set up a government portal aimed at safeguarding research.
Guidelines and tools include a federal list of 11 high-level technology areas deemed sensitive due to their potential military, national defense or state security applications.
There’s also a federal list of specific foreign research institutions that have direct or indirect connections to military, national defense or state security entities that pose a risk to Canada's national security.
Researchers applying for grants in sensitive technology areas must disclose any affiliations with foreign institutions that may pose a risk to Canada's national security and provide an attestation form to certify compliance.
“If they don’t do this accurately and don’t declare their partner(s) in a straightforward way or their research in a straightforward way, and that is discovered in some process, then they’re not supposed to get any more Tri-council [research] funding,” Crago noted.
In Budget 2022, the government allocated $125 million over five years, plus $25 million ongoing per year, to the Research Support Fund for research security.
This funding, intended to help universities identify and mitigate risks, can be used for activities such as hiring security personnel, implementing cybersecurity measures, and providing security training.
Additionally, $12.6 million over five years was provided to Public Safety Canada to establish the Research Security Centre, along with six advisors across the country, to provide guidance and advice to universities on research security.
Crago said the Canadian Security Intelligence Service also has completely changed its relationship with universities and now has an outreach component to engage academic stakeholders.
“They have really come out of the shadows and into our lives in universities,” she said. “I found them very, very helpful with research decisions and how much security and not to over-securitize something.”
Lack of harmonized approach “weakens the uptake of initiatives”
The CCA expert panel’s report was commissioned by Defence Research and Development Canada and the Public Health Agency of Canada. At their request, the panel applied its findings in two areas: pathogen research and ocean research.
The security of sensitive ocean research has received much less attention in policies and guidelines compared with other research areas, the panel noted. There are “no comprehensive measures to identify sensitive ocean research and determine when it is of concern.”
The panel’s report explored measures for identifying and safeguarding sensitive research of concern and highlighted the need for their continuous application and reassessment throughout the research process, fostering a “modern research mindset.” It also described the importance of:
“The Government of Canada has an opportunity to enhance [research security] services through additional funding and improving communication channels among the intelligence community, researchers, and institutional administration,” the panel’s report said.
Despite the research security measures Canada has implemented, the panel’s report points out that approaches to research security and open science differ across Canada, creating challenges for inter-institutional partnerships, the consistent implementation of research security measures, and research funding applicants and recipients supported by several funding agencies.
“This lack of harmonization places additional administrative burdens on researchers and weakens the uptake of initiatives,” the report said.
One way to address these issues is to establish common baseline criteria grounded in shared principles and approaches to key challenges, while allowing flexibility for tailored implementation to meet the specific needs of different contexts, the panel said.
“Working together to harmonize approaches to research security and open science within Canada will help reduce the burden on researchers and minimize confusion when they attempt to work across jurisdictions, both within Canada and internationally.”
Other countries have established specific organizations, structures and mechanisms to help safeguard research, the panel’s report noted.
In Germany, some institutions have established specialized committees to help researchers identify sensitive research of concern. In the U.S., the National Science Foundation supports the work of the SECURE Center, an information hub that aims to facilitate collaboration on research security issues and provide guidance and information to the research community.
The panel’s report pointed out that the private sector also makes important contributions to the Canadian research ecosystem, including in sensitive research areas such as quantum technologies, pathogens and toxins, and AI.
Different orders of government exercise limited control over research security and open science practices when research is not publicly funded, “which is a gap in the domestic approach to research security and open science alike,” the report said.
In recent years, the federal government has intensified its security engagement with private companies in the biopharmaceutical, life sciences, and data science sectors, as well as with small- and medium-sized enterprises utilizing emerging technologies.
However, Crago said there is still not enough known about what’s happening in government laboratories and industry research labs when it comes to potential security risks.
In the U.K., the National Protective Security Authority and the National Cyber Security Centre have created the Secure Innovation toolkit for private sector innovators. The government’s Engineering Biology Responsible Innovation Advisory Panel integrates industry into the governance of dual-use technologies.
From 2020 to 2025, the U.S. National Academies of Sciences, Engineering, and Medicine conducted the Science, Technology, and Security Roundtable, where representatives from government, academia and the private sector exchanged information and best practices related to research security.
“Developing similar inclusive approaches in Canada could facilitate information-sharing and reduce the exposure to threats across the entire research ecosystem,” the CCA panel said.
Another challenge is that in Canada, federal research security funding is calculated as a percentage of each post-secondary institution’s eligible direct research funding above $2 million.
This creates differences in capacity between large universities and other institutions, including small- and medium-sized universities, healthcare institutions and affiliated research institutes, and colleges (including Cégeps in Quebec) and polytechnics, according to the panel’s report.
“Providing support for building research security and open science capacity across all post-secondary institutions could help address these disparities,” the panel said.
“Modern research mindset” required
Crago said the expert panel came up with a concept of the “modern research mindset” as being a requirement in the current decentralized global research environment and shifting geopolitical landscape.
“In today’s world, you want to share [research]. But you want to make sure that sharing is done in the right way and with the right people, with awareness of what’s going on in the big world,” she said.
The expert panel said a modern research mindset is one where all actors participating in the research ecosystem are aware of the context in which they conduct research and its impacts on the world, and of the policies, principles and practices to address these impacts, including research security, open science, Indigenous rights, data sovereignty, ethics, consent and research integrity.
“These policies, principles and practices allow individuals to assess how open and secure their research needs to be,” the panel said.
The panel noted that the modern research mindset involves cultivating awareness of security and open science in researchers throughout their academic careers, as well as individuals comprising research institutions and governments more broadly.
These skills could be introduced as a training requirement by institutions or departments, and supported by governments and decision-making bodies.
Training could also be supported at the faculty level by making it a requirement for receiving federal research funds. This training would focus on the principle that engaging in the responsible conduct of research involves sensitivity to potential risks in tandem with engagement on open science and research integrity, to avoid over-securitization.
Crago pointed out that every PhD program she knows of, and often master’s research programs as well, requires training in research methodology and research ethics.
“We have to add a research security [component] and an open science component” to this training, she said.
Research security and open science initiatives – under the broader concept of responsible conduct of research and research integrity – are vital to the research ecosystem, and yet it is difficult to identify the most promising practices due to a lack of publicly available research and evaluation of current programs both in Canada and internationally, according to the panel’s report.
“Monitoring and tracking of compliance and effectiveness of these policies and programs is crucial to improving implementation and ensuring that all actors in the research system are adequately supported to make research as open as possible and as secure as necessary.”
When it comes to cybersecurity, there are “significant gaps” in the federal government’s cybersecurity services, monitoring efforts and responses to active and increasing attacks on information systems, federal Auditor-General Karen Hogan said in a report in October.
Cyberattacks are also increasing against Canadian universities, including an attack in 2024 that forced the University of Winnipeg to shut down its network.
Laboratories support several sectors that experience higher than average cybercriminal activity, including health care and academia, increasing the potential for incidental exposure to cybercriminal activity and exploitation, the Canadian Centre for Cyber Security (CCCS) said in a report on the cyber threat to research laboratories.
“Laboratories are a compelling victim for cybercriminal activity because of the value of the information they contain and their vulnerability to extortion tied to operational disruptions,” the CCCS said. “Advanced research across sectors is a common target for espionage.”
The CCA’s expert panel warned that if threats to intellectual activities continue, “there could be devastating consequences that are far-reaching across society, with negative impacts on health, wealth, and our ways of life.”
Ongoing dialogue about approaches to identifying and securing sensitive research without compromising open science is necessary on an international stage, the panel said.
“Canada is well-positioned to lead in developing and championing models of research security that protect national interests and the global scientific ecosystem while encouraging responsible sharing,” Crago said.
“By investing in education, training, and capacity-building that acknowledge our diverse research environments – including the rights of First Nations, Inuit, and Métis Peoples over research affecting their communities – we can build a research ecosystem in which openness and security are mutually supportive values.”