Canadian university administrations and their faculty engaged in research partnerships with overseas entities, especially those linked to China, are under increasing, and probably long overdue, pressure to scrutinize such partnerships for outcomes that could be harmful to Canadian national security. The harms can include intellectual property theft or loss, illicit exploitation of data sets, knowledge transfer of sensitive information, and the exportation of advanced and innovative technologies. The most worrisome beneficiaries include adversarial state militaries (weapons research and development) and their security agencies (surveillance technologies, advanced insider threats). Methods for penetrating university research rarely depend on traditional espionage; instead cover techniques, including the use of proxies—what CSIS calls “non-traditional intelligence collectors”—and clandestine or deceptive practices around research partnerships, are more common.
The federal government is trying to set new rules of the road, alongside similar efforts by allies. As with efforts to create a foreign influence registry, the Canadian approach follows a preceding path laid out in Australia, where the government established a research security directive in November 2019 (updated in 2021).
https://www.education.gov.au/guidelines-counter-foreign-interference-australian-university-sector/resources/guidelines-counter-foreign-interference-australian-university-sector
In creating its own rules, the Canadian government must balance national security needs against a desire to maintain a vibrant research ecosystem, sustain talent, especially in STEM (Science, Technology, Engineering, Mathematics) research, recognize the autonomy of the Canadian university sector, and respect core principles of academic freedom. Navigating these competing ends is delicate and experience is not yet a friend of the system. Initial federal guidelines for applying national security concerns to University research were only published in July 2021 and were met with understandable consternation about research restrictions, application burdens and potential racial bias.
The “National Security Guidelines for Research Partnerships,” published by the Department of Innovation, Science and Economic Development (ISED) initially had two objectives. One was to test, in a pilot project, their mandatory application to a specific stream of federal research partnership funding in the sciences; the other was to serve as a voluntary tool for all Canadian researchers in gauging security risks relevant to their projects.
https://science.gc.ca/site/science/en/safeguarding-your-research/guidelines-and-tools-implement-research-security/national-security-guidelines-research-partnerships
The Guidelines were developed in a process dating back to 2018 and the formation of a joint Government of Canada-Universities working group, which included members of key government agencies, the granting councils, and the “U-15” Group of Canadian research universities (representing the major Canadian research-intensive Universities).
Let’s look at what the guidelines say.
The first thing that stands out is the wide range of national security threats they are meant to address. These come in two categories. One involves research activities that could advance the capabilities of adversarial foreign militaries and intelligence agencies. That seems clear enough. The second basket is much broader and less well-defined—research activities that could involve the “disruption of the Canadian economy, society, and critical infrastructure.”
The second characteristic is the extent to which the guidelines are meant to uphold core principles, outlined in the guidelines, ranging from respect for academic freedom, through to the importance of transparency in the conduct of open science. The hand of the University community can be clearly seen in the drafting. The Government promises to do its bit to “provide transparent communication and support” to enable the guidelines. That may prove a difficult promise to live up to, given the centrality of classified intelligence in addressing national security threats and the limitations of the CSIS mandate.
The third element is an emphasis on both the identification of potential threats posed by research partnerships and their mitigation. Both identification and mitigation measures are downloaded on individual researchers and their academic institutions. Mitigation can include complex issues of cyber security and data management that are unlikely to be solved at the researcher level alone.
The tools provided for threat identification include an Annex listing sensitive research areas. Some of these sensitive areas are already covered by a complex web of regulations and legislation including the Export Control List, the Defence Production Act and sanctions measures at the state and international (UN) level. In addition, the guidelines include a list of research areas that “may be considered” sensitive or dual-use (military-civilian). The list includes 15 areas. It is that broad likely because of the determination to stretch the guidelines beyond research that might benefit adversary state military and intelligence/security capabilities to the all-encompassing “disruption” basket (disruption of the Canadian economy, society, and critical infrastructure.)
To widen the application of the guidelines still further, more is thrown in, including references to research on critical minerals, research involving critical infrastructure (using a list developed for a strategy released in 2009), large datasets, and personal data.
The end result is an undifferentiated, kitchen sink approach to what constitutes sensitive research areas.
The guidelines are also unhelpful in identifying what kinds of research partners pose risks. This is because they take a country-agnostic approach. The guidelines “are not aimed at limiting partnerships with any particular country or company”. To which, the appropriate response can only be—ha.
Instead, the guidelines reference general concerns about research partnerships involving state-owned enterprises, countries with legal regimes that might compel knowledge transfer, and partnerships involving personnel with foreign military and government ties. That sounds like China (or Russia), because it is China (or Russia). It’s just unspoken.
University researchers are also provided with a “National Security Guidelines for Research Partnerships Risk Assessment Form.”
https://science.gc.ca/site/science/en/safeguarding-your-research/guidelines-and-tools-implement-research-security/national-security-guidelines-research-partnerships/national-security-guidelines-research-partnerships-risk-assessment-form
The form is currently mandatory for applications to the NSERC Alliance Grants competition, but is more broadly described as something that can be used by all researchers to conduct due diligence about research risks.
Good luck with that.
The risk assessment form has four sections. The first section of the form asks six questions with yes/no/unsure choices as answers. They ask researchers to identify research involving critical minerals, critical infrastructure, personal data and large datasets, as well as research related to the Export Control List. The kicker is the last question, which asks whether research touches on sensitive or dual-use areas, as identified in the extensive list provided in the research guidelines.
The final two sections ask researchers to write essays—homework!
One of the essays (maximum 4,800 characters with spaces) elaborates on risk factors that have been identified in previous questions; the other (5,400 characters with spaces) asks for a risk mitigation plan, including with regard to security awareness across the research team, cyber security and data management, and an agreement on the intended use of research findings with partner entities.
Researchers are asked to do their own open source research to answer questions about the sensitivity of their projects and the nature of potential partners. In some senses this can be an obvious approach and yield easy results. For example, if your potential research partner is affiliated with the Chinese National University of Defense Technology (NUDT) you won’t need a CSIS briefing, even if one was available. All you need to do is google the University and read its web page description of itself (handily available in English). Here are a couple of excerpts:
“National University of Defence Technology (NUDT) was founded in 1953 as the People’s Liberation Army (PLA) Military Academy of Engineering…It is under the direct leadership of the Central Military Commission and has been a key university heavily invested in by the state and the military…”
The description cites a speech given in 2013 by President Xi Jinping at the University which declared, “We will accelerate the building of the University into a world-class university with Chinese military characteristics, and strive to turn the university into a highland for training high-quality new military personnel and for independent innovation in national defence technology.”
OK, that seems pretty clear. A place for Canadian researchers to do business with? Not really. Yet according to a study commissioned by the Globe and Mail, a whole host of Canadian universities have engaged in research projects with scientists affiliated with the NUDT.
https://www.theglobeandmail.com/politics/article-chinese-military-scientists-canadian-universities/
In terms of collaboration on research since 2017 the top Canadian universities involved with the NUDT were:
University of Alberta
University of Waterloo
McGill
University of Victoria
University of British Columbia
In response to the Globe and Mail’s questions about these research affiliations, officials at Canadian universities suggested they were waiting on the federal government to provide a clear directive against such collaboration. But as university officials should know, that is not how the national security research guidelines are meant to work. They place the onus clearly on the Universities to self-scrutinize research projects for national security harms. University uptake of the spirit and intent of the guidelines appears to be an ongoing problem, but we need a clearer sense of their impact since 2021, especially in terms of their voluntary application.
Where the federal government wields a stick is in money for research, provided at arm’s length through research councils. Nearly 90% of federal government funding for universities flows through sponsored research. In the case of STEM research, the relevant council is the Natural Science and Engineering Research Council (NSERC). There are sister councils for the Social Sciences and Humanities (SSHRC) and for health research (Canadian Institutes of Health Research).
Less than two years into the process we have an initial snapshot of how the pilot project for mandatory national security scrutiny under the ISED guidelines of one stream of NSERC funding has gone.
NSERC received c. 1,000 applications for the targeted collaborative “Alliance Grants.” Of those, 48 (or about 4% of the total applications) underwent additional scrutiny by national security agencies. 32 of the 48 applications (67%) were denied.
https://www.universityaffairs.ca/news/news-article/researchers-decry-a-lack-of-clarity-under-national-security-risk-assessments/
What can we make of these statistics? One conclusion is that the scale of the problem is small and manageable. Applying a national security lens to STEM research partnerships is unlikely to fundamentally alter the scientific endeavour in Canada. A second interim finding is that although the numbers are small, the problem of sensitive research involving potentially harmful partners is real. Assuming denials were reasonably well founded, we can see this reality in the high percentage of research grants that were subject to additional scrutiny and were not approved for funding.
Early statistics from the pilot project do not mean that all is smooth sailing. There remain major problems in finding ways to communicate the precise nature of research security risks. As noted above, the generic description of areas of potentially sensitive research is far too broad. The failure to specifically identify countries and foreign research entities of concern is not helpful. The burden of national security scrutiny has been downloaded to the university sector, which is currently ill-equipped to perform such a mission.
Despite the known problems with the current scheme, the government has recently announced an intention to extend mandatory security scrutiny practices to research grants provided through all three councils.
A collective statement from three Ministers (for ISED, Health and Public Safety), issued on February 14, 2023, was framed as a “request” to the three federal research grant councils, plus the Canada Foundation for Innovation, to “adopt a further enhanced posture regarding national security.”
The interesting thing about the statement was that while it did not alter the broad, kitchen-sink definition of what might constitute a sensitive research area, it did try to narrow the aperture of research partners of concern, specifying researchers affiliated with “a university, research institute or laboratory connected to military, national defence or state security entities of foreign state actors that pose a risk to our national security.” This is an advance on the more generic description of “partner risks” contained in the 2021 guidelines.
But the Ministers’ statement does make clear that national security scrutiny of research applications will not be voluntary but will be required going forward. Those that meet the thresholds of sensitive research and partner risk will be scrutinized by the national security agencies. Some applications will be refused.
The value and purpose of this wider extension, particularly to social science and humanities research funding, is very doubtful. Again, this goes back to the problematic definition of sensitive research, and a failure to identify and focus on priority areas of concern within STEM research. Keep in mind the statistics from the application of the pilot project. It’s the 4% of funding applications that warrant concern, not the 96%. The funnel must be tightened.
But the Ministers’ intent to proceed even with a problematic scheme raises other issues. One is where is the carrot?
The carrot in the research security scheme is, well, not using the stick. In the long run, that may not be good enough and additional incentives to encourage compliance with national security guidelines may be required. Such incentives could include fast tracking mechanisms for compliant research grants, research grant top ups, and priority status to Universities that can demonstrate a track record of organizational effort and compliance with national security guidelines for protecting the integrity of research. A start was made with funding provided in Budget 2022 in the amount of $125 million over five years for a “Research Support Fund” to “build capacity within post-secondary institutions to identify, assess and mitigate potential risks to research security.” More federal government support, with money and learning exchanges may be required.
Budget 2022 also launched a Research Security Centre, established at Public Safety Canada, as a key point of contact with the Universities on national security issues. As early as May 2021, Public Safety began generating a “Research Security Information Update.” This seems a useful practice, but needs to be accelerated beyond its current status as an annual product with a perhaps uncertain audience.
As the federal government takes steps at organizational change, University administrations also face the onus of similar upgrades to improve internal and external communications about approaches to national security and to ensure there is a strong central office responsible for pan-University research security initiatives and connectivity with the federal government (and other levels of government). This may not be a favourite area of spending for perpetually cash-strapped universities, nor will it be met with universal enthusiasm from faculty members, who often see a zero-sum game between spending on teaching and research and spending on administration.
The current University sector approach to implementing national security risk monitoring of research appears to be a patchwork. Universities that have tried to take a lead have found themselves in a minefield of public relations challenges and internal battles with faculty.
University administrative spokespersons from some leading Canadian universities have attempted to defend partnerships with the Chinese National University for Defence Technology (NUDT) in comments to the media. Bad call. Individual researchers with projects impacted by the new national security guidelines are easily presented as blind to national security risks.
A key Canadian STEM research university, the University of Waterloo, (also a leading partner in the past with the Chinese NUDT) has taken considerable heat for its efforts to step between CSIS and its researchers in guidance it issued recently to its faculty.
https://www.theglobeandmail.com/politics/article-waterloo-university-csis/
While the guidance was clearly intended to reassure researchers about their rights, instruct on how to deal with CSIS inquiries, and provide a channel for advice from the University’s newly established Director of Research Security, it nevertheless came across as maladroit. It made no mention of the new federal guidelines on research security, or a changing geo-political threat environment. It failed to help faculty understand that universities were meant, in the spirit of the national security guidelines, to be partners with the federal government and its national security agencies in protecting research integrity. The Waterloo guidance could easily be read as casting doubt and suspicion on a legitimate role that CSIS might play in investigating threats to national security.
In that regard, the Waterloo guidance made no mention of the fact that CSIS continues to operate according to a principle of “sensitive sectors.” This is a long-established practice going back to the very origins of CSIS, that identifies a set of societal entities that require higher levels of internal approval before investigations can be authorized. These sensitive sectors include higher education institutions, the media, religious establishments, political office holders, and minors. Sensitive sectors are not no-go areas for CSIS, but the recognition is that they are sensitive and need extra prudence when it comes to investigations. It’s a reasonable policy, and if better understood might be helpful to University administrations in damping down fears on the part of their own researchers.
To its credit, the University of Waterloo has understood the need to make organizational changes to ensure its internal ability to engage in research security and liaise with the federal government. The guidance on CSIS is but a poorly conceived offshoot of a necessary effort to provide a research security office embedded in the senior ranks of the University, staffed by an academic with experience of working in the national security system and presumably with an appropriate federal security clearance (the University of Waterloo declined to confirm this, presumably on the mistaken belief that security clearances are themselves secret).
News update: just after I posted the original version of this column I learned of news that the University of Waterloo had decided to end its research collaboration with the Chinese communications technology giant, Huawei. That collaboration dates back to 2016 and involved research in such fields as cloud computing, next generation (5G and 6G) communications, data management and data analytics. Huawei was banned from participation in 5G telecommunications networks in Canada in a government decree in May 2022. The timing of the Waterloo decision, coming a year after the 5G ban, may have something to do with controversial remarks attributed to the director of the Waterloo-Huawei Joint Innovation Lab, Professor Tamer Ozsu, who indicated that it was his belief that CSIS should have no role in scrutinizing University research and that its activities “put in danger Canada’s STEM research sector…”
https://www.theglobeandmail.com/politics/article-waterloo-university-csis/
Four of Professor Ozsu’s research grant applications to NSERC derived from the Joint Innovation Lab were denied funding under the National security guidelines pilot project, so the writing may have been on the wall.
University of Waterloo initiatives in strengthening internal research security monitoring need to be replicated across the ranks of the U-15 universities. When asked by the Globe and Mail several major Universities (U of T, UBC, Western, the University of Calgary) indicated they had provided no advice to faculty regarding CSIS inquiries, while one (McGill) indicated it wanted CSIS to talk to administrators not to professors (well, I don’t think McGill gets to decide on that one).
https://www.theglobeandmail.com/politics/article-waterloo-university-csis/
How many U-15 universities have dedicated executive office research security staff with security clearances and knowledge of national security agencies and practices is unknown to me. I suspect it is not many.
The initial effort to establish a research security framework in Canada has resulted in a system that is self-defeating by being overly broadly defined, has major impediments to the flow of national security threat information between the federal government and Universities, and downloads responsibility to scrutinize “sensitive” research partnerships to University administrations which are, as yet, ill-equipped to play such a role, and ultimately to individual researchers, who may have little understanding of the national security threat environment and little appetite (or time) to engage in a burdensome process of risk scrutiny.
Much needs to change before research security at Canadian universities can be properly managed. Money and organizational change may solve some issues. But ultimately an era of stronger research security will only arrive when cherished hopes and practices, including the promise of globalised research, and the academic ‘gold-standard’ test of peer-reviewed publication, are recognized as wanting in a new age of geo-political contestation and fracture.
Just as western economies are in the midst of a shift to the “friend-shoring” of supply chains, so ultimately may the University community need to contemplate its own version of ‘friend-shoring’ research partnerships, particularly in designated areas of STEM research. While that would restrict or eliminate research endeavours with entities connected to adversarial, authoritarian states—especially China--it might also open up new frontiers for research partnerships in the “global south,” and strengthen research partnerships in the trans-Atlantic and North American space.
Research security will ultimately depend on cultural change within the University community, leading to a stronger understanding of the national security environment and the reality of threats. For too long this has been a desperately under-valued aspect of the University sector’s educational mission.
Universities need to be able to come to the table with national security agencies as equal and trusted partners. Universities have special knowledge about the world of research; CSIS and other national security agencies have special knowledge about the world of threats. Both have a responsibility to learn from the other. Universities, in particular, are going to have to get vastly better at appreciating the reality of an altered national security threat environment. They can also start to bring their own special research expertise to bear on potential research partners that might be deemed threats, following the example set by publications coming out of the Australian Strategic Policy Institute (See: “Picking flowers, making honey: The Chinese military’s collaboration with foreign Universities,” https://www.aspi.org.au/report/picking-flowers-making-honey). They should not be content at sitting back and waiting for some federal national security agency to bring them the goods.
Canadian research-intensive universities must become their own experts in national security risks. That is the only way in which proper contestation of assessments of security threats in research will be arrived at and important principles of academic freedom and university autonomy be sustained.
As this challenge is tackled, we can also keep reminding ourselves that the problem of research insecurity is real, but relatively small, and manageable.
Wow! Although of course the answer is obvious. Just add a political commissar to each university department or business unit, to monitor its workings. Take the same approach as DEI?
Thanks.
Another messy area is evaluating security risks of P3 research projects. Security risks of individual corporations seem complex and tricky to me due to their webs of ownership and international reach.