NEW RESEARCH SECURITY RULES ON THE WAY AT AU: “THE UNIVERSITY’S JOB ISN’T CATCHING SPIES – BUT WE HAVE TO MAKE SURE THEY CAN’T ACCESS OUR RESEARCH”
Background checks on new staff members from selected countries in certain fields and more control over who can access what are some of the measures AU is expected to introduce in the new guidelines for international research and innovation collaboration. AU staff will also have to get used to leaving their work computer at home when travelling to certain countries.
This article is translated by Lenore Messick
The security policy landscape has gotten a lot rockier in recent years, which presents challenges for Danish universities: according to PET, the Danish Security and Intelligence Service, they need to be more vigilant about the threat of espionage from the intelligence services of authoritarian regimes.
The active involvement of Danish research institutions in international collaboration “is, in the vast majority of cases, to Denmark’s advantage, but PET has seen examples of research unlawfully falling into the wrong hands,” writes PET in a report from August 2023 on research security. On this background, the report (in Danish) concludes
that “it is important to achieve the right balance by which Danish universities and companies carry out their work as openly as possible – and as securely as necessary”.
The URIS guidelines
URIS is the acronym for the Danish committee on guidelines for international research and innovation collaboration. The committee was formed in 2020 by the Ministry of Higher Education and Science. In 2022, it published a report with recommended national guidelines for the country's educational institutions. These are the guidelines AU is going to implement.
At AU, a steering group was tasked with coming up with recommendation for how to implement the URIS guidelines. These recommendations will be considered by the Research Committee, after which they will be submitted to the senior management team for approval. The first measures under the URIS guidelines will be rolled out at AU in the spring of 2024.
What does ‘dual-use’ mean?
If a research field or technology is dual-use, this mean it can have either civilian or military applications. Examples of dual-use technologies include sensors, lasers, IT programs and software; and while they are not necessarily being used or researched for military purposes at the university, foreign states may be interested in their military applications, which complicates the espionage threat landscape.
Source: PET’s rapport Er jeres forskning i fare? (‘Is your research in danger?’)
Cyberattacks in Aarhus
To get an idea of how many cyberattacks take place on a daily basis, we can take the City of Aarhus as an example: On a daily basis, the City of Aarhus neutralizes 25,000 - 30,000 targeted cyberattacks on the municipality’s employees. For example phishing attacks, spoof attacks and malware attacks.
In November 2022, Central Denmark Region reported that 145 million cyberattacks on Aarhus University Hospital had been neutralized.
Source: AU
The person responsible for the implementation of the URIS guidelines at AU is Brian Vinter, who is vice-dean for research at the Faculty of Technical Sciences.
He told Omnibus that AU will be rolling out new security guidelines this year to protect the university against such threats. The new guidelines were drafted by the Danish committee on international research and innovation collaboration (URIS).
Vinter said: “It’s a matter of protecting our research and our researchers. We must protect it and them from countries that have a democratic deficit. To a large extent, it’s about dual-use technologies – in other words something we at AU would typically develop for civilian applications, but that also has a military or intelligence application.”
Examples of dual-use technologies are sensors, lasers, computer programs and software.
According to PET, there are a number of high-tech and defence-related research fields relate that are particularly vulnerable: among them are energy technology, biotechnology, quantum technology, space technology, robotics, defence industry products and controlled goods (products with export restrictions).
BACKGROUND CHECKS
Background checks – also known as screening – are among the first measures AU will implement. These background checks will be made before hiring researchers from non-democratic countries. This measure has already been introduced on a pilot basis at Vinter’s faculty, Technical Sciences, and is also used in some cases at the Faculty of Natural Sciences. As Vinter explained:
"The decision to screen someone’s background is triggered by which passport they have, and we also focus heavily on what research field we’re dealing with and what kind of knowledge they’ll get access to. If you come from an undemocratic country and want to be part of our energy research, we do a really thorough investigation of what kind of relationships you have in your country, what kind of research you’ve done before and whether you will make a substantial contribution to AU’s research. On the other hand, if you’re interested in working on sustainable agriculture, that’s something we’re naturally interested in sharing with the whole world, so in that case we’d be a lot more open.”
AU is particularly aware of the threat posed by Russia, China and Iran, which are considered adversary states whose intentions are not aligned with Denmark’s. In addition, the university looks at the new staff member’s research interests.
“We’re already doing what we need to do in telling our staff that they aren’t allowed to take data out of the lab. Our basic assumption is that people at AU comply with the law. So now we’re looking a bit more closely at whether some people may apply to AU for other reasons than wanted to get a good job,” Vinter said.
CATCHING SPIES ISN’T AU’S JOB
At present, the way background checks work in practice at Natural Sciences is that the researcher at AU who has been given the opportunity to hire a researcher, for example a PhD student or a postdoc, fills out a form about the potential future employee's research and collaborations. Once this has been done, the head of department vets and green-lights the candidate before final approval for the hire is granted by the vice-dean. However, AU is currently waiting for PET to develop a more structured tool for this process, Vinter explained.
Even though AU carries out the background check, ultimately it’s PETs responsibility to prevent espionage, not AU’s, he stressed:
“Catching spies is not the university’s job. This is the job of the security and intelligence service. Our job is to catch whether there are people who might be induced to share information they shouldn’t have, and to make sure they don’t have access to that information. Catching spies is far outside our remit.”
And in fact, he’d prefer it if PET would take over the background checks instead of leaving it up to the universities, he said:
“It would be better if PET collected the information about us about what these candidates would be working on at AU, and then they could perform an assessment. This would be a much more effective way of catching unwelcome persons, and it would remove the burden from the university, which has to tell people: You can’t work here because of what your passport looks like and because you published with these people.”
Although background checks haven’t been rolled out to the entire university yet, the senior management team has stated in no uncertain terms “at AU, anyone considering collaboration with one or more researchers from ‘the URIS countries’ should proceed with caution”, according to theminutesof a meeting of the senior management team on 13 September last year.
NEW TRAVEL POLICY ON THE WAY
Another security measure that will soon be implemented is a new travel policy. Currently, AU recommends that staff not take their work phone and computer with them on business trips to certain countries, including China and Iran; instead, they should use a secure device approved by the IT department. Vinter said that he expects that this recommendation will soon be formalised as official AU policy after consideration by the URIS committee and approved by the senior management team.
“The moment you log on to a network in China, Russia or Iran, you will be attacked. They will try to extract information and will install software that can be activated when the device is back on AU's network. All devices brought in from outside will be attacked. It’s completely automated,” Vinter said.
"It's about research data, but it's also about GDPR. It’s not enough to say that you work on 19th century Danish art, so you don’t have anything they could be interested in on your pc. You might have sensitive personal data, and your PC can be used by intruders when you get back on AU’s network.”
In parallel with the URIS guidelines, AU IT has been working to improve cybersecurity for quite some time. One aspect of this work Vinter highlighted is the introduction of a segmented network at AU: when this has been implemented, staff will only be able to access the part of the network they need to access. What this represents is a shift in focus when it comes to security: from simply having a firewall that keeps out intruders to a focus on what kinds of threats might come from inside the network.
COOPERATION WITH PET
According to Vinter, the shift in the threat landscape to a focus on states makes it difficult to assess the magnitude of the threat to Aarhus University. The collaboration between PET and Aarhus University is purely advisory; PET doesn’t contact AU about specifics.
“We can ask them about something, and we’ll get a general description. The intelligence service doesn’t tip us off about specific things we need to keep an eye on. We have to interpret their threat assessments ourselves,” Vinter said.
However, AU can draw on PET’s expertise in the event that the university needs a more detailed background check on someone. Vinter said:
"We never get a reply, but we can send them a CV, and the assumption is that if this is a person they don’t want in Denmark, they’ll find a way to stop them in some other way than through us. So this means we know that we’ve done what we can.”
Vinter confirmed that AU has worked with PET in this way:
"In every case where we can’t find anything negative about the person, and are ready to hire them on that basis, we tell PET about our intention to hire them if they come from an area that’s extremely critical for Denmark.”
VICE-DEAN STRESSES: FREEDOM OF RESEARCH NOT UNDER THREAT
As they stated in the report cited above, PET’s goal is to find the right balance. And in this connection Vinter emphasizes, the university is “very far from the limit where we start seeing a threat to freedom of research”.
“The university is nowhere near accepting anything whatsoever that will affect researchers’ freedom of research,” he said.
“We won’t prevent anyone from having research collaborations. That’s not where we’re at, not at all. Then the university would draw the line: Watch it, now we’re strangling freedom of research.”
PET isn’t interested in putting a stop to international academic collaboration either, Vinter went on to explain. And forbidding researchers to travel, for example to China, is not on the table, he said:
“PET states explicitly that we don’t have to stop collaborating with these countries. We just need to be conscious of what kinds of research we collaborate on.”
At the end of the day, he doesn’t believe that the URIS guidelines will have much of an impact on AU’s researchers:
“They won’t notice much of a difference. They will have to fill out a form if they want to hire certain researchers, and it might a bit of a bother to take a different pc with you when travelling, but overall researchers won’t find that this changes anything radically.”