White House revamps guidelines for research security at top universities

In a push to tighten research security, the White House issued broad new guidelines for big American universities to track foreign travel by their researchers, provide regular security training, and toughen cybersecurity.

The new policy will affect about 150 of the largest US universities, an official of the White House Office of Science and Technology Policy told Science|Business. The aim is to toughen safeguards against sensitive US research leaking to China, Russia or others. “This stems from a need to bolster our national security,” the official said.

The policy memo, by OSTP director Arati Prabhakar and addressed to US funding agencies, could be sweeping in its impact on big American research universities. But, say university officials who have been following it in the drafting phase over the past few years, the practical impact is hard to gauge. That’s because it gives federal funding agencies and the universities wide latitude in exactly how they implement the policy, and it allows the universities to modify or expand their existing security measures rather than entirely reinvent them.

“All of our members are affected,” said Tobin Smith, senior vice president for government relations and public policy at the Association of American Universities, representing 69 of the leading US research universities. But exactly how big the impact will be is yet to be determined, he and other academics said.

Compared to a draft policy the White House floated in February 2023, Smith said, “this is much better” for universities, allowing them flexibility in how they meet the new requirements. “Many of our institutions have already taken steps to address these research security concerns, so my belief is it won’t have a significant impact.” But whether it actually turns out that way will depend on how each US science agency implements the policy, programme by programme and grant by grant.  “If different agencies do different things, that will make it harder to comply and increase costs.”

Indeed, variations in how different agencies interpret the guidelines “was always going to be a question of concern” for universities, agreed Jarret S. Cummings, senior adviser for policy and government relations at Educause, a non-profit advising universities on tech and data systems. Compared to other countries, the US has a flock of different, special-purpose funding agencies, whose rules and methods often differ. “That’s just a traditional problem with the federal regulatory apparatus in this (R&D) space.”

Channeling Trump?

The new policy is the latest ratcheting-up of security at US universities and research institutes since 2016, largely due to mounting fears of Chinese tech competition that started in the Trump administration but has continued today. Indeed, in language that sounds Trumpian, the new White House policy document accuses China of having “exploited international research collaboration by undermining values – such as transparency, accountability and reciprocity – in order to advance its strategic objectives and military modernization.”

With similar reasoning if more moderate language, all major US allies from Europe to Australia have been tightening their own security – despite complaints that they are hampering the advancement of science. The European Commission’s approach has been incremental, publishing a “toolkit” of information to help universities strengthen security and scaling back funds for European research projects that involve Chinese partners. Canada’s policy is more prescriptive, publishing blacklists of Chinese institutions and technologies on which Canadian researchers can’t collaborate if they want federal funding.

With all of these policies, one frequent complaint is that, whatever the rules actually say, their mere existence frightens researchers away from even attempting to collaborate across borders – with allies, as well as with China. Indeed, at a meeting of Group of Seven ministers this week, European Research Council president Maria Leptin urged them not to strangle scientific cooperation with security measures. 

In Washington, when asked how the new US policy might affect transatlantic cooperation, the OSTP official said, “We’ve been pretty closely partnering with our allies on how this works, to try to make sure we’re thinking about this in similar ways.”

The US crackdown on security began under Trump with some mostly unsuccessful prosecutions of Chinese-American researchers, new defence legislation and a presidential order on security. In 2022, under Biden, the CHIPS and Science Act spelled out more security requirements, and then research agencies such as the National Science Foundation began drafting new grant rules and building a national clearing house for research security information. A tangle of other security initiatives – involving classified research, “controlled unclassified information” and other hard-to-decipher concepts - have cropped up across government, pushed by Congress.

Interpreting the rules

This week’s White House policy statement is intended to make sense of all this, providing guidance on how federal R&D funders from the Pentagon to NSF are to operate. The key provisions require universities, federally funded R&D centres, and non-profit institutes – if any of them get more than $50 million a year in federal grants – to make sure their internal security systems cover foreign travel, training, computer networks and a long-regulated category of R&D into sensitive technologies requiring export licenses for foreign collaboration.

The original draft scared the daylights out of many university administrators. It would have required big universities to certify their compliance with the security rules annually, publish their security plans, and designate a security “point of contact”. It listed nine different topics security training must cover, and 12 different features that cyber-security systems must include. It would have required advance authorisation of foreign travel by their researchers.

The proposal unleashed a storm of opposition from the research world – reinforced by a rare public report by the “Jasons”, a secretive Pentagon science advisory group, reminding officials that even president Reagan at the height of the Cold War recognised fundamental researchers need freedom to collaborate. 

The broad guidelines

Thus the final policy memo this week deleted most of the prescriptive language, and instead focused on broad guidelines. Under the new system, the universities must certify they are compliant, but in many cases their existing systems may already do the job. For instance, the memo leaves it to the National Institute of Standards and Technology to detail how universities are to organise their cybersecurity. But draft rules that NIST has published so far haven’t alarmed the big universities, which already have extensive cyber systems. A bigger question, some say, is whether they will harm smaller, poorer universities.

Still, the result might just be a tweaking of existing cyber systems, rather than wholesale upgrades. “Could there be additional costs? That’s indeed possible,” Cummings said. “But most likely that would have been necessary in any case” with Internet security concerns rising across all sectors of the economy, he noted.

But the biggest impact may be on individual researchers who will have to undergo periodic security training  – both for their research projects, and for work-related travel abroad. Their universities must keep a record of such travel, whether funded by the government or other sponsors (personal travel was deleted from earlier drafts.) Of course, big universities already provide security training for obviously sensitive or classified projects, and they have to track travel costs on federally funded projects. The White House memo also gives the agencies latitude to designate what projects and which researchers are covered by the new policy – meaning it’s impossible yet to say how many researchers will ultimately be affected.  

The White House statement orders the agencies to report back within six months on exactly how they will proceed, and then gives the universities another 18 months to certify to the agencies that they are compliant with whatever the final procedures are.