In a shift of tactics, CSIS briefs researchers directly to counter security threats

The pandemic has disrupted the way Canada’s spy agency works to safeguard the nation’s research and, ultimately, its economic security.

Over the past year, the Canadian Security Intelligence Service (CSIS) has dropped its mask and has begun to engage directly with the research community, sounding the alarm about the emergence of security threats to Canadian universities, medical research institutes, pharmaceutical companies and others involved in the pandemic response.

“CSIS pivoted in part by stepping out of the shadows to shine a brighter light on threats to Canada’s national security,’ said CSIS Chief David Vigneault in a speech in February at the Centre for International Governance Innovation (CIGI), a think tank on global governance in Waterloo, Ont.

The shift is a response to the threats of espionage and foreign interference coming from a variety of places, including the governments of Russia and China, and directed at most sectors of Canada's knowledge-based economy.

Warning that spies have “traded trench coats for lab coats,” CSIS analysts have given hundreds of threat briefs to researchers through universities and industry associations like BIOTECanada and the Canadian Chamber of Commerce, often with partners from the Canadian Centre for Cybersecurity, Global Affairs Canada and the Ministry of Innovation, Science and Economic Development. The goal is to raise awareness about the clear and present dangers to the innovation ecosystem and the measures the research community can take to protect itself.

“Given the stakes involved, it was important to get out in front of these researchers to let them know what we were seeing so that they could take measures to protect their research, their intellectual property, their assets," said René Ouellette, CSIS director general of Academic Outreach and Stakeholder Engagement, in an interview with Research Money.

Biopharma and the health sector are certainly at risk, but CSIS is warning that a broader range of emerging technologies, including aerospace, artificial intelligence, quantum computing and ocean technology are also being targeted.

Aaron Shull, CIGI's managing director and general counsel, said the scope and scale of the threats to Canadian universities and companies is unprecedented, and that the interplay between economic security, intellectual property and national prosperity is now a key driver of geostrategic competition. 

"Providing analysis and advice to the private sector and research industry is new, but necessary," he told Research Money, adding that CSIS needs to build a network of key stakeholders that it engages with regularly.

“You’ve got to get to know [key stakeholders] before there is a crisis because it will pay dividends. Think about constructing a building. You don’t want to start pouring your foundation in the rain. So you’ve got to build out the relationships and make sure they trust you,” he said.

Pandemic brought increase to security threats

Vigneault and Ouellette make clear that national security is no longer a game of spy versus spy. Canada’s best and brightest—in academic labs and technology companies across the country—are now in the crosshairs of foreign states looking to acquire knowledge, data and intellectual property for geopolitical advantage.

Though these threats have been present for some time, the COVID-19 pandemic brought them to the forefront, Ouellette said. With many Canadians working from home and day-to-day operations in flux, it created a situation in which Canadian researchers, start-ups, and corporations were more vulnerable than before, particularly to online threats.

It was not business as usual.

“In 2020, CSIS observed espionage and foreign interference activity at levels not seen since the Cold War. In short, the key national security threats facing Canada, namely violent extremism, foreign interference, espionage and malicious cyber activity, accelerated, evolved and in many ways became much more serious for Canadians,” wrote Vigneault in the CSIS Public Report 2020 released on April 12.

The threat environment was already starting to shift by November 2019, when Ouellette’s team began reaching out to the research community. But in the spring of 2020, the sudden need to alert university researchers and companies working on COVID-19 vaccines and therapeutics “kicked us into high gear,” said Ouellette. 

CSIS contacted more than 225 entities and briefed at least 2,000 stakeholders during the pandemic in 2020, according to the CSIS Public Report.

The Canadian Chamber of Commerce was one of them. The Chamber hosted a webinar with Ouellette and a senior intelligence officer named Alex outlined the threats and how companies could respond.

Mark Agnew, the Chamber’s senior director of international policy, said the CSIS event “catalyzed interest among our members,” many of whom lead small- and medium-sized enterprises, which are particularly vulnerable. “It's good to see that there's a genuine desire to collaborate and be proactive about communicating risks instead of talking about what do you do when things go wrong," Agnew said.

The outreach is working, according to Ouellette. “Not infrequently, we'll get a phone call from somebody who was on a webinar who will tell us that something we mentioned raised a concern for them," she said.

Those phone calls have led to investigative leads, and similar but independent leads, received from institutions across the country, are a signal of coordinated, state-sponsored activity, Ouellette added.

Research partnerships are a source of vulnerability, CSIS says

CSIS has developed a “four gates” model to communicate the major avenues through which “threat actors” may try to access valuable information held by the research community: export, investments, knowledge and licenses. All gates could be tapped, the agency warns, so researchers and their companies and institutions should take an “all-hazards approach” to research security.

Aaron Shull at CIGI cautioned that Canadian researchers and start-ups need to be particularly vigilant about investments. “The strategic acquisition of IP assets through targeted investment in universities, and basically getting a foot in the door, is the one that you'd want to watch very, very closely," he said.

Ottawa has come under fire recently for funding research partnerships that include the Chinese communications technology company Huawei Technologies, which critics said raised intellectual-property and national-security concerns.

The Canadian government and its partners have begun the process of developing risk guidelines for research partnerships. The guidelines are intended to help researchers and research institutions integrate national security considerations into the evaluation and funding of research partnerships. A Government of Canada-Universities Working Group, including representatives from CSIS and the U15, is expected to produce recommendations by the end of June.

“Innovation thrives on partnerships and collaborations. Those open, cooperative agreements that allow for the innovation are also a big source of vulnerability that we notice,” Ouellette said.

Through the Working Group, CSIS will let the universities know what the agency is seeing on the other end of these partnership agreements, and provide “a checklist of things that you should be considering before you sign on the dotted line,” Ouellette added.

The checklist would include doing due diligence on potential partners, putting funding disclosure agreements in place, building dispute resolution mechanisms into partnership agreements and recognizing that some research can be used for a rival purpose, such as perpetrating human rights abuses or advancing military programs abroad. 

The Ontario government has already begun building security concerns into its funding process, which could help inform the conversation at the federal level, Ouellette said. 

In a review of proposals submitted to the Early Researcher Awards competition, launched earlier this month, the Ministry of Colleges and Universities may undertake an assessment of the potential economic and/or geopolitical risks associated with the project, according to Tanya Blazina, a ministry spokesperson.

“Results of this review may be shared with members of the review panels and others involved in the adjudication process and may impact funding decisions. The Ministry has included some additional questions and a mitigating economic and geopolitical risk checklist as part of the online application form,“ she wrote in a statement to Research Money.

R$