Research security: Universities feel the compliance burden

When intelligence chiefs in the United States and the United Kingdom warned academics and business leaders in July that their world-leading expertise, technology, research and commercial advantage were at risk from “Chinese Communist Party aggression” and they needed to create a “thoughtful security culture”, many academics in Europe described the comments made by Chris Wray, head of the US Federal Bureau of Investigation, and Ken McCallum, head of the UK’s MI5 agency, as “unhelpful” and vague.

Nonetheless, it raised awareness of a key message: universities are now expected to grapple with keeping research open to outside collaboration yet secure from misappropriation or misuse by authoritarian regimes or other uses banned by the US and its European allies.

In 2021 the European Commission adopted enhanced regulations on dual-use export controls, including internal compliance requirements for universities.

The new EU rules on research security mainly updated scrutiny of dual-use technologies that can be used for both civilian and military use, but also included new restrictions on research with countries with a poor human rights record, or technologies that can be used by state security agencies for surveillance and suppression of populations.

In the past, such controls involved lists of sensitive technology hardware or chemicals, but the new EU rules apply more broadly to considerations of a country’s security apparatus and rights violations. Human rights are also currently being considered by the US for inclusion in its own export control regimes.

“The big challenge for everybody is not to make the application (to a national export control agency); it’s to work out when you need to make an application,” said Ben Wagner, assistant professor in the faculty of technology, policy and management at the Technical University of Delft or TU Delft, in The Netherlands.

But, he notes, it is not just about export controls; human rights monitoring should be part of good research.

“All universities right now are expected to demonstrate the societal impact of their research. So, as part of that, you also need to make sure you’re not creating a massively harmful societal impact, or that you’re not part of that process,” Wagner told University World News, adding: “It doesn’t mean that research is necessarily restricted. But it does mean that the research needs to take that context into account.”

Doing that in advance also means it is easier to respond in a dynamic situation, he noted, pointing to the swiftness of sanctions imposed on Russia and the disruption caused to some university research.

There are also specific EU rules on surveillance technologies, issued separately, that go even further in compliance requirements.

“That was because the EU was concerned about the spread of these technologies … so they wanted to take measures to ensure that they weren’t too widely spread. And so, those rules are distinct, but that means they go further than the others,” Wagner said.

Cyber-surveillance items are broadly defined in the regulations, but would include intrusion software, monitoring software and facial or emotion detection technologies.

Compliance burden

But, carrying out due diligence on research partners abroad relating to human rights and state security issues, particularly with regard to China, is not as straightforward as consulting a list of components, as in the past.

“It is complex to do due diligence on the possible impact of human rights. It may be that a partner in a certain country uses certain knowledge or technology against humans and their rights,” noted Marijk van der Wende, professor of higher education at Utrecht University in The Netherlands, who is also a guest professor at Shanghai Jiao Tong University.

Utrecht University looked at export controls and universities as part of a conference on EU-China relations held last November.

Rebecca Arcesati, an analyst at the Mercator Institute for China Studies (MERICS) in Berlin, Germany, who co-authored a report, Sharpening Europe’s approach to engagement with China on science, technology and innovation, published by MERICS last December, believes it could be a long time before the new EU rules translate into effective implementation and enforcement.

This is because, at the EU level, and in many member states, lists of Chinese tech firms that are implicated in human rights abuses do not yet exist.

“In many cases, it requires a fairly sophisticated process of due diligence that many universities simply don’t have in place, either because they have not had to deal with this issue before or because they don’t have the resources,” she told University World News.

Some European universities have expressed concern about growing scrutiny of their China research and the demands and obligations they now face to re-examine them to ensure they don’t violate EU rules. “The compliance burden is really an issue right now [as is] the feeling that what exists [to help universities] isn’t enough,” Arcesati said.

“China’s military-civil fusion policy has been moving very fast, and the lines between civilian and military, but also state security-related research, have been blurred so much over the past few years that it is difficult for a university in Europe to understand who the end users of a research project can be,” according to Arcesati.

“This is something that needs a lot of China expertise and China literacy, especially language skills. So it cannot all be done at the level of universities,” she said.

“One good approach would be for governments to create either national task forces or committees whereby universities can be linked with China experts who can assist in the due diligence work,” said Arcesati.

Guidance on human rights

This year, the EU published a toolkit to “help mitigate foreign interference in research and innovation”.

“The European Commission guidance doesn’t say much about how precisely universities can integrate human risk assessment – I don’t think there is a ready-made template answer to this. So there are lots of concerns and questions without clear answers,” said Machiko Kanetake, a law professor at Utrecht University who has been researching export controls issues.

“If you don’t do any due diligence at all, you are still considered in breach of the regulation,” she noted.

She pointed to the risk of “over-compliance”, and some universities dropping projects due to the complexities of due diligence. “Public scrutiny around human rights violations in China may cause some universities to lean in the direction of caution,” Kanetake said.

“Some universities go beyond what is prescribed” in the regulation, “and, instead, just look at the political repercussions of working with specific Chinese actors and then walk back from a collaboration. I think that is happening already and we’ll probably see more of that,” Arcesati said.

Several universities in Germany and the Netherlands and in other European countries have been working on incorporating dual-use export control requirements in the university research environment.

“But, because of the new EU update [in 2021], they’re wondering how to change their internal compliance mechanisms, and one of the main questions is how to interpret and how to operationalise risk assessment when it comes to human rights risk assessment,” Kanetake said.

Kanetake also pointed to governments’ limited means to verify the information or go after certain cases, or dig further into some sensitive cases, with perhaps only some governments in Europe, such as Germany and the Netherlands and a few others able to do so.

Agencies in some countries have to deal with hundreds of licensing requests with a very small group of officers. “They cannot possibly go deeper in order to understand the context or possible information that they haven’t covered. They can spend hours just investigating one export control request,” said Kanetake.

Government information

Germany, The Netherlands, Sweden, the UK, Denmark and Finland have issued specific guidelines for universities in the past year. Some, like the German and Dutch guidelines, are China-specific and talk about how universities can manage China-related risks, while other country guidelines and the EU’s guidelines remain country-agnostic.

The Netherlands, for example, has set up a help desk on knowledge security from which universities can seek assistance from the intelligence services. “It’s a channel aimed at providing access to resources and expertise, and is advised by security experts,” according to Arcesati.

In Germany, especially, the larger research organisations have developed robust due diligence mechanisms to work with Chinese partners. “These large research organisations are also providing training for smaller research organisations and universities and sharing with them their experience on due diligence of Chinese partners,” Arcesati said.

France also provides information to universities. Mathias Vicherat, president of Sciences Po, told University World News: “We stick to the European rules. We have due diligence with any cooperation that we have with international universities,” adding that this included human rights.

“We are in very, very close cooperation with the foreign ministry in France,” Vicherat said. “If there was a problem, we would interrupt our cooperation with the [foreign] university.”

Role of intelligence agencies

Not everyone agrees that national intelligence agencies should be involved in universities’ due diligence.

Van der Wende is among those who considered the intelligence chiefs’ warnings in July, and many others before that, as “not very useful”.

“I have been in such a session with people from our intelligence services, and it was very vague and very general and not that useful. What we have is the EU regulation, which is clear enough,” she told University World News, adding that the regulation was both transparent and binding.

She noted some very antagonistic language coming from the US and UK intelligence agencies which she noted can have an impact on universities which are intentionally diverse and inclusive.

Wagner also pointed out that intelligence agencies may not always have the type of information required.

“When I was speaking to intelligence agencies during the [2021] revision of the European laws [on export controls] they were quite explicit in saying they don’t feel comfortable with many of these human rights provisions, because they don’t have sufficient in-house human rights expertise to be able to assess this.

“That doesn’t mean that intelligence agencies might on an individual level have knowledge or expertise that is relevant, but to make intelligence agencies arbiters of human rights – I don’t think they would want that,” he said.

Intelligence agencies have historically been involved in export control processes but, said Wagner, “I struggle to imagine the academic institution that would look to intelligence agencies as the main actor to tell them with whom they should collaborate and with whom they shouldn’t.”

He pointed to non-government organisations, including human rights groups such as Amnesty International or Human Rights Watch, as the main sources of such information to universities.