Date post: 23-Dec-2015
Upload: jonah-welch
The Evolving Security Paradigm -- The Challenge for Research Universities

Richard A. Johnson
EDUCAUSE
richard_johnson@aporter.com
May 2004


“Openness v. Security” -- Review 10 Key Reasons for the Changing Security Framework Affecting Universities, Non-Profit Research Institutes and IT

Dealing with a Web of Interrelated but Distinct Federal Regulatory and Policy Frameworks for Security that are Broadening and Deepening
  Export controls as an “A” list priority -- ITAR and EAR
  OFAC and transborder information flows
  Information controls (“in the formative stage”)
  Federal funding and “regulation by contract”
  Visas -- MANTIS and the Technology Alert List
  Federal R&D agenda
  Economic and high-tech espionage measures


Reasons for the Changing Security Framework for Universities

1. More complex world: 9/11 and the anthrax attacks changed everything
  National security now has multiple forms -- WMD; cybersecurity and IT systemic damage; critical infrastructure; economic crises; and terrorism
  States, non-state actors and threat diffusion -- who’s the enemy?
  The growth of “dual use” research -- increasing threat it can be used for harm (ex. Mousepox paper, advanced IT)
  New national research agenda driven by the perceived imperatives of the “new” security
  “No one size fits all”


Reasons for the Changing Security Framework for Universities

2. The public trust -- competing concerns
  refocuses attention on the university as both an institution of public trust and a source of societal solutions
  role of independent creators and arbiters of knowledge; impartial scholarship and take research wherever it leads
  implications of becoming viewed as “unpatriotic” threatens public support for the research mission of academic institutions and taxpayer support for funding fundamental research
3. The growing intersection of cutting-edge science, technology and engineering research with national security, foreign policy and homeland security


Reasons for the Changing Security Framework for Universities

4. The evolving role of the research university in the 21st C.
  Increasing globalization of universities and research in a security paradigm that remains rooted in nation-state defense
  Increasing breadth and depth of multidisciplinary research with many of the most interesting intellectual challenges at the interfaces
  Changing innovation and economic development roles
  Shifting approaches to fulfilling its core missions
  Emerging new legal status -- Madey v. Duke reasoning


Reasons for the Changing Security Framework for Universities

5. Increasing intersection of non-traditional disciplines with post-9/11 regulatory framework (and growing disconnects)
  Ex. -- Life sciences as a major security pressure point -- biological agents, toxins and chemical precursors
    Greatest increased threat; most unpredictable
    No culture of security; least govt. security experience
    Material transfers
    Controlling underlying information and data
    Regulatory uncertainty -- Select Agents (export controls, state regs, Patriot Act, Biopreparedness Act)


Reasons for the Changing Security Framework for Universities

6. Government security unease with university “exceptionalism” and divergent world views
  Growing perception that universities “are not serious” about compliance reinforced by a “we-them” divide
  Corporate complaints that universities “aren’t playing by the same rules” with competitive implications
  University openness on the defensive -- GAO Report (2002); OIG Reports (2004); Congressional oversight
  “Enhanced” compliance and enforcement focus
  Fall 2003 -- Federal interagency export control investigation/audit of 14 research universities


Reasons for the Changing Security Framework for Universities

7. A growing shift from “the right to know” to “the need to know” as an operating principle of government
8. Tensions within the security community about the role of research universities
  How do you define national security? Over what time?
  Will the research community initiate and accept tough new self-governance and self-regulatory measures, or must they be imposed?
  Will national security policy tilt toward advancement at the frontiers of knowledge or protection of current technology?


Reasons for the Changing Security Framework for Universities

9. The changing allocation of federal R&D
  Defining new areas of security-related research responsibilities
    cybersecurity (ex. NSF)
    homeland security S&T (ex: DHSARPA)
    bioterrorism and public health (ex. NIH/NIAID and CDC)
  Fund translational tasks: research to useful applications fast
  Short-term security applications v. long-term security solutions: who gets funded for what?


Reasons for the Changing Security Framework for Universities

10. Universities as “critical infrastructure” and “vulnerable” targets
  universities are one of the most porous gateways to cutting-edge knowledge and technology -- including vast amounts of useful information on networks/databases
  Ex: Cybersecurity
    prevent attacks from universities (hijack computer power)
    prevent attacks within universities (high levels of security)
    access to networks and info flows; information-sharing
    internal controls and security processes
    as source of key, innovative research in IT


U.S. Export Controls and Trade Sanctions

Purposes

U.S. export controls have multiple goals that sometimes conflict

Advance Foreign Policy Goals

Restrict Exports of Goods and Technology That Could Contribute to the Military Potential of Adversaries

Prevent Proliferation of Weapons of Mass Destruction (nuclear, biological, chemical)

Prevent Terrorism

Fulfill International Obligations


Export Controls

Covers all U.S.-origin goods, technology or information (jurisdiction follows the item worldwide) not in the public domain
  ex. “deemed exports” to foreign nationals in U.S.
  ex. int’l scientific collaborations and conferences
  ex. technology and information related to tangible goods and prototypes, plus encrypted software
ITAR v. EAR
Fundamental research and public domain exemptions -- “yes, but”


Export Controls

Post 9/11 exacerbates existing export control issues
  uncertainty, complexity, limited transparency, lack of flexibility, and few procedural protections
Exports of most high-technology and military items, and associated technology and information, are subject to U.S. export controls (require either a license or an applicable exemption) -- an increasing amount of university research is covered
  increasing compliance risks and administrative burden for the institution, for individual faculty members and for international collaborations and “openness” of campus
Criminal and civil penalties taken seriously
Increasing number of government investigations/audits
Imperil federal funding


International Traffic in Arms Regulations (“ITAR”) -- State Dept.

Regulates goods and technology designed to kill people or defend against death in a military setting (“munitions” or “defense articles”)

Includes space-related technology and research; increasing applicability to other university research areas such as nanotechnology/new materials, sensors, life sciences and advanced IT components

Covers “defense articles” (includes tech data which encompasses software unlike EAR) and “defense services” (certain information to be exported may be controlled as a “defense service” even if in the public domain)

— Includes technical data related to defense articles and defense services (furnishing assistance including design, engineering, and use of defense articles)


Export Administration Regulations (“EAR”)

Commerce Department

Covers dual-use items: 10 CCL categories of different technologies covering equipment, tests, materials, software and technology

Regulates items designed for commercial purpose but that can have military or security applications (e.g., computers, pathogens, civilian aircraft)

Covers goods, test equipment, materials, technology (tech data and technical assistance) and software

Also covers “re-export” of “U.S.-origin” items outside the United States


U.S. Export Controls and Trade Sanctions

“Deemed” Exports

U.S. export controls cover transfers of goods and technology within the U.S. (the transfer outside the U.S. is deemed to apply when a foreign national receives the information in the U.S.)

— Applies to technology transfers under the EAR and the provision of ITAR technical data and defense services

— Unless the fundamental research exemption applies, a university’s transfer of controlled technology to a non-permanent resident foreign national who is not a full-time university employee in the U.S. may be controlled and/or prohibited

— Visa status important: permanent resident (“green card holder”) has same right to controlled information as U.S. citizen


Export Controls - Fundamental Research (FR) Exemption

FR exemption: applies to basic or applied scientific or engineering research at an accredited university in the United States; ITAR FR excludes research abroad

no FR exemption if accept restrictions on publication or any “access and dissemination” controls

no FR exemption if research results are proprietary

expansion of technologies ineligible for FR (encryption, biotech, composite materials)


Export Controls -- Public Domain Exemption

Exemption for published information through one or more of the following:
  libraries open to the public
  unrestricted subscriptions for a cost not exceeding reproduction/distribution (including reasonable profit)
  published patents
  conferences, seminars in the United States accessible to public for a reasonable fee and where notes can be taken (ITAR) -- or also abroad only if EAR
  Generally accessible free websites w/o knowledge
  General science/math principles taught at universities


U.S. Export Controls and Trade Sanctions

Application to University Research

Export of research products
  — Certain oceanography or marine biology equipment may be controlled by ITAR
  — Specially designed electronic components could be controlled
Temporary transfer of research equipment abroad
  — Carrying scientific equipment to certain destinations for research may require authorization (e.g., Iran, Syria, China, etc.)
Software
  Software that is provided to the public for free may not require licenses, but proprietary software of controlled technology could require licensing
  — Encryption technology could require licenses or could be prohibited for transfers to certain foreign nationals/countries
  — Source code licenses as “dissemination controls”


U.S. Export Controls and Trade Sanctions

Application to University Research (cont’d)

Corporate grants may limit access by foreign nationals
  — Proprietary restrictions or restrictions on publication by corporate grants may invalidate fundamental research
  — Could trigger licensing requirements for certain foreign nationals
Conferences
  — Potential restrictions on participants or information flows
  — Inability to co-sponsor with certain countries or groups (e.g., restrictions on co-sponsoring conference with Iranian government)
Transfer of defense services
  — Potential license requirements for work with foreign nationals to launch research satellite or development of advanced cyberinfrastructure


U.S. Export Controls -- the breadth of export control issues

Software license terms -- especially source code; software license terms as “access and dissemination controls” that invalidate the fundamental research exemption

Server access: a demanding compliance challenge because you must be able to prove the negative

Can you show that non-US persons do not have access to export-controlled technical data?

Can you demonstrate that nothing on the open server is export-controlled?

Do you know the export classifications of the technology and software on the university’s servers?


OFAC and U.S. Trade Sanctions

U.S. economic sanctions focus on the end-user or country rather than the technology

Embargoes administered by Office of Foreign Assets Control, U.S. Department of Treasury (“OFAC”)

— Prohibitions on trade with countries such as Iran, Cuba

— Restrictions on travel

— Limitations on activities in certain areas of countries or with certain non-state actors

OFAC prohibits payments or providing “value” to nationals of sanctioned countries and to specified entities even if the country is not subject to sanctions (ex. sponsorship of an academic conference in Iran)

Separate prohibitions under the ITAR and EAR

— ITAR proscribed list/sanctions (e.g., Syria or requirement for presidential waiver for China)

— EAR restricts exchanges with some entities and universities in India, Israel, Russia, etc. because of proliferation concerns


OFAC and Transborder Information Flows

Berman amendment -- transactions in “information and informational materials” exempt from OFAC trade sanctions

OFAC policy -- (1) info not fully created on date of transaction or substantive/artistic alteration of info is not exempt; and (2) can’t provide anything of “value” without prior U.S. government approval

Peer-reviewed journals and the controversy over editing Iranian manuscripts


Information Controls -- “fumbling like newlyweds in an arranged marriage”

Pressure from federal funding sponsors to control access to and limit dissemination of certain research
Proposed designations between classified and unclassified (NSDD-189)
  “Sensitive but unclassified” information
  “Critical research technology”
Withdrawal or limitations on public domain information
Pre-publication reviews
Problems with sponsors’ documents -- “sensitive”; “no foreign nationals”, “special access conditions”


Information dissemination -- “sensitive” and other restrictive designations

NSDD-189: Reagan Cold War decision (1985)
  Fundamental research generally should be unrestricted
  Use classification only if national security requires control
Card memo to federal agencies (3/19/02)
  withhold “sensitive but unclassified” information; OMB review
  no “inappropriate” disclosure of govt. info or data; denying researcher access to even unclassified govt. information
DoD proposal for “critical research technology” (2002)
OHS/NSC: “sensitive homeland security information”


Sensitive and other restrictive designations for university information

DoD “Critical research technologies” (March 2002)
  Publication control over all DoD-funded research, including fundamental research; criminal penalties
  New restrictions on foreign nationals if CRT
  Travel reporting and restrictions
New DoD Draft Directive (Nov. 2002)
  “Controlled Unclassified Information”
  Largely focused on research within DoD
  Recognizes NSDD-189

DoD reviews of certain unclassified research deemed “critical” to national security still alive


Emerging Problems with Information Controls for IT/Research Offices

Problems in defining what is “sensitive”
  Reasons unrelated to national security
  Short-circuiting public debate
  State FOIAs for land-grant universities
What is the presumption for or against publication? How to overcome whatever presumption is set?
Who decides what is dangerous? Process? Appeals?
Can you develop rules to restrict WMD information without “overbreadth” effect on other S&T research?
Risk-based security model: no one size fits all


Emerging Problems with Information Controls for Research Administrators

Other pragmatic, administrative burden issues confronting research community related to information
  Defining categories of information and materials
  Setting levels of access/restriction
  Deciding on appropriate body to regulate and oversee -- in government and on campus
  Establishing and implementing international norms

Applicability of other non-classified models to post-9/11 (ex. proprietary data, patient confidentiality)


Information Controls -- New National Science Advisory Board for Biosecurity (NSABB)

Guidance for all “dual use” biological research and criteria for “acceptable” dual use research

Not mandatory but “stick” will be “conditionality” of federal funding

Development of new “security” culture programs

NSABB’s role will extend to publication and communication of research results and methods

“New level of sensitivity” for information flows


Sensitive and other restrictive designations for university information

National Academies “action points” for scientific, engineering and health community

Are there unclassified areas of research that should be classified?

How can universities monitor this issue as science and potential threats change over time?

Need for new security procedures for research materials?

How to detect new potential threats, and opportunities to counter them, and, then, convey them to government agencies in a timely manner?


Sensitive and other restrictive designations for university information

National Academies “action points” for policymakers

How to apply principle of “high fences around narrow areas” in new security environment to achieve proper balance?

How can these decisions be made at outset of research project to avoid disruptions?

How to avoid vague and unpredictable categories such as “sensitive but unclassified” information?

How best to enlist universities for both unclassified and classified research needed for counterterrorism?


Federal Funding and “Regulation by Contract”

Contracts and funding are becoming the new lever of power rather than new regulations -- federal $$$ increasingly linked to new contractual restrictions and compliance with government information policies

AAU/COGR “Troublesome Clauses” Report (2004) - sample reported 180 instances in last 6 months

  restrictions on publication
  new types of access and dissemination reviews
  limitations on the use of foreign nationals
  both a government and a corporate subcontract problem

