Guidelines to counter foreign interference in HE unveiled
The guidelines, which have been developed in collaboration with universities and national security agencies working in a University Foreign Interference Taskforce, set out practical steps universities can take to preserve the integrity of the higher education system.
Minister for Education Dan Tehan said the guidelines would ensure that universities had the policies, frameworks and strategies in place to protect against foreign interference while maintaining their autonomy.
“The government is working with universities to ensure they have the necessary protections for students, research data, and academic integrity,” Tehan said. “We have taken action to ensure universities understand the risks and know what steps to take to protect themselves.”
Minister for Home Affairs Peter Dutton said Australia’s security agencies are leading efforts across government to respond to foreign interference and to protect the university sector.
“The director-general of ASIO [the Australian Security Intelligence Organisation] says foreign interference against Australia’s interests is at an unprecedented level that includes universities and the research sector,” Dutton said.
The guidelines set out five key themes backed by concrete actions that cover:
- • Governance and risk frameworks
- • Due diligence
- • Communication and education
- • Knowledge sharing
- • Cyber-security.
RMIT University Vice-Chancellor and President Martin Bean, one of the co-chairs of the taskforce, said he was delighted to see the shared commitment of universities and the government to safeguard the security of Australia’s university sector without undermining the invaluable asset of its openness.
“The guidelines are a fantastic new resource for universities to add to their existing tools and to assist decision-makers in continuing to assess the evolving risks from foreign interference,” he said.
Universities Australia will coordinate the collection of best practice examples to share across the higher education sector.
The guidelines have been published jointly by the Australian government, Universities Australia and the Group of Eight Australia.
They have been developed jointly through a steering group and four working groups (research and intellectual property, foreign collaboration, cyber-security, communication and culture), with approximately 40 members across government and the sector, representing 13 universities and 10 Australian government agencies.
The overarching principles to inform the development of the guidelines were:
- • Security must safeguard academic freedom, values and research collaboration.
- • Research, collaboration and education activities must be mindful of national interest.
- • Security is a collective responsibility with individual accountability.
- • Security should be proportionate to organisational risk.
- • The safety of Australia’s university community is paramount.
Universities Australia Chair Professor Deborah Terry said the nation’s university leaders commended the collaborative process for developing the guidelines and noted the university sector’s strong commitment throughout.
“This has genuinely been an equal partnership between universities and government. Our shared aim is to build on existing protections against foreign interference, without damaging the openness and global engagement that are essential to Australia’s success,” she said.
“The intent is not to add to the regulatory or compliance burden for universities, nor to contravene university autonomy – but to enhance resources and intelligence to further safeguard our people, research and technology.”
The guidelines say that in a world of more complex risks, with new challenges and threats evolving globally, including to intellectual property and IT systems, universities and the Australian government are “working together to add to the current protections, while preserving the openness and collaboration crucial to the success of Australia’s world-class university system”.
A cyber-attack on the Australian National University in 2018 is a high-profile example of these threats. The massive data breach compromised the personal details of thousands of Australian National University students and staff, including the bank numbers, tax details, academic records and passport details of students and staff dating back almost two decades.
The guidelines state that a proactive approach by the university sector to the threat of foreign interference helps to safeguard the reputation of Australian universities, protect academic freedom, and ensure academic institutions and the Australian economy can maximise the benefits of research endeavours.
While the majority of international interactions are “welcome and to Australia’s benefit”, there may be foreign actors who seek to engage in foreign interference in the university sector, through efforts to skew or control the research agenda, economic pressure, solicitation and recruitment of post-doctoral researchers and academic staff, and cyber-intrusions, the guidelines warn.
Among the issues they cover are including foreign interference risks in existing risk frameworks, policies and procedures and identifying capabilities in the university that contribute to the security of people, information and assets.
For instance, the report warns that “those seeking to interfere with, or exert undue influence on, Australia’s research effort may attempt inappropriately to alter or direct the research agenda into particular areas of research. This can occur through subtle forms of undue influence and engagement and through funding arrangements that may lead to loss of future value and-or control of intellectual property.”
It says at the organisation level, internal reporting of international contacts – or at least international collaborative partners – in research and potentially as donors, helps to build the capacity for early awareness and transparency among the university’s stakeholders.
Then it offers a series of questions to help universities to guide decision-makers on this particular issue:
- • What ability and capacity does the university have to analyse and respond to the information gathered from internal reporting arrangements?
- • What level of oversight exists for staff appointments, including secondary appointments (eg honorary and adjunct roles)?
- • What minimum level of due diligence is applied to foreign investments and partnerships?
- • What level of internal reporting applies to foreign investments and partnerships and how does this aid accountability and risk management?
Other areas covered include knowing your partner, research collaborators and staff by undertaking appropriate due diligence, supported by university processes, taking account of the potential foreign interference and reputational risks.
The guidelines also look at communication strategies and education programmes to raise awareness of foreign interference risks, and arm decision-makers with knowledge to enable levels of vigilance proportionate to the risk; and protecting information held on ICT systems through the development and implementation of robust cyber-security strategies, engaging with Commonwealth agencies, sharing best practice and cyber threat modelling.
Greater assistance from security agencies
The guidelines also underline the need for security agencies to provide greater assistance to universities to identify risks and proportionate responses, but also for universities to share information with government and intelligence agencies.
For instance, sharing cyber intelligence between universities and with government “helps to build a common picture of threats across the sector. This enables universities to respond to evolving risks from cyber threats, share counter-measures and enable government to provide timely and tailored assistance,” the guidelines say.
“It will also help Australian government departments and agencies to gain a deeper understanding of the operational realities of the sector, and the practices that contribute to the success of our higher education and research system.”
Professor Terry said a key aim of the taskforce in developing the guidelines was to deepen the level of advice and cooperation between universities and agencies in a shared responsibility to understand and manage risk, but stressed that university autonomy would be respected.
“University autonomy remains a foundational principle of Australia’s university system, and this partnership approach respects this central tenet of universities whilst managing risk.”
In the United Kingdom, the Centre for the Protection of National Infrastructure, which reports to the domestic intelligence agency MI5, offers detailed practical advice on its website to universities and academics on how to protect research, manage risk and stay safe.