Blog Viewer

Developing a Proactive Research Security Program in an Era of Heightened Foreign Influence

As the U.S. Government works to provide uniform research security requirements to address malign foreign influence, you should already be thinking about what comes next. 

 Since NIH Director Francis Collins delivered his “Dear Colleagues” letter to universities in August 2018 warning us of foreign security threats, we have been struggling to balance our open and collaborative research environments with the obligation to protect our valuable research and development against those who seek to exploit it. As research administrators in pre-award and compliance offices, we often find ourselves right in the middle, managing the implementation of fast-moving and sometimes opaque guidance. As your university responds to the need to develop more robust research security programs and disclosure procedures, there are some things you should keep in mind to make your program both proactive and adaptive. 

The most critical first step is to get buy-in from both leadership and faculty. Leadership will set the tone by providing guidance to stakeholders and allocating resources. However, it is critical that deans and department heads function as co-implementors of the university’s research security program at the college, department, center, and institute level. Through case studies and other examples, you can demonstrate how nonchalance toward research security can do real harm to a university’s reputation, finances, and research portfolios. 

Second, the federal government will always struggle to regulate academia due to its inherent openness and the consequent, and inevitable, exploitation from malign actors. As a result, you should develop, over the long-term, a research security program that proactively identifies and mitigates emerging threats in lieu of rigid government guidance. NSPM-33’s guidance for your research security program represents a positive step toward a uniform understanding of, and response to, the threat of foreign influence in academia – but it’s not enough. Your research security program must operate in a continuous cycle of identifying vulnerabilities, recommending and implementing solutions, and assessing effectiveness. 

     We recommend research security staff, with support from leadership, consider the following: 

1. The federal government is in the process of developing uniform research security training modules for PIs/Co-PIs and other senior/key research personnel that will meet the NSPM-33’s research security training requirement. However, you shouldn’t wait for this training. If you develop your own, we recommend you append it to RCR and export control training.
2. Merge disclosure systems such as financial conflict of interest (FCOI) and outside employment. When you do, ensure your training thoroughly explains disclosure requirements, defines foreign influence, and provides examples.
3. Make your disclosure forms easily modifiable. When federal grant agencies release coordinated disclosure requirements in response to the NSMP-33 implementation guidance, you’ll want to ensure your forms are aligned to funding agency requirements.
4. Ensure transparency between offices such as research security, sponsored projects, travel, technology management, and procurements. We recommend cross-training appropriate staff not just on federal grant disclosure requirements, but also how to spot red flags.
5. Ensure research security staff should have access to all proposal, grant, FCOI, and outside employment data for research faculty.
6. Develop vulnerability profiles for faculty at risk for recruitment into malign talent plans or other types of insider risks. It is critical that your research security program comply fully with NSPM-33’s clear nondiscrimination mandate, so you must base these profiles strictly off behavioral indicators or professional demographics (e.g., well known researcher in a field that’s also a critical or emerging technology). You may want to consider offering additional security briefings/outreach to this group.
7. Get proficient at foreign influence investigations. It’s critical you have both a policy and trained investigators. You don’t want to tell a grant agency or the FBI that you have an issue to report, but no systematic process that led you to it. That only invites more scrutiny.
8. Put as much research security information as possible on your website, especially FAQs. This not only helps your faculty, but it demonstrates to potential adversaries that you are not an easy target.
9. Provide a way for faculty to report their concerns about research security anonymously (e.g., through an ethics hotline). Ensure your security and compliance staff put this information on websites and in signature blocks.
10. Establish a research security working group that constantly monitors vulnerabilities in your research security program. Keep it at the director/assistant director level, but establish smaller subcommittees assigned to tackle topic-specific issues, such as cybersecurity, export control, or foreign influence. A good resource for thinking about this process is the Hoover Institution’s Global Engagement: Rethinking Risk in the Research Enterprise. 

It is never too early to start developing a robust research security program. The first step is to get buy in, and there is no shortage of examples from the media of researchers prosecuted for non-disclosure, theft, export-control violations, or other actions that are harmful to the integrity of our universities. Use these examples to make your case to leadership, and then determine whether you have sufficient resources. Ensure your implementation priorities and timelines align first with NSPM-33, but don’t lose sight of longer-term program goals that will allow you to stay ahead of the steps that malign actors will certainly take in response to new government guidance.

Authored by

Clay Hardwick, Senior Research Security Analyst, Office of Research Compliance and Security
Mississippi State University

Kacey Strickland, Director, Office of Research Compliance and Security
Mississippi State University