How will the new US research security centre work?

Last week the US announced a $67 million effort to boost security at American research organisations. But it intends to aid security with a difference: working in collaboration with researchers and administrators – and open to cooperation with allied countries.

“We are going to co-design what the community wants and needs to enhance security at its institutions,” says Mark Haselkorn, a University of Washington professor and one of the project leaders. Rather than simply dictating security measures, he says, the new National Science Foundation-supported SECURE Center’s message to researchers will be, “Let’s define the problems, let’s design the solutions, and together we’ll make them happen. That is a radically different approach.”

It will also aim to assure security doesn’t happen at the cost of international scientific  cooperation. For instance, he says, CRISPR gene editing - a foundational technology for vaccines and drugs – wouldn’t exist if there hadn’t been transatlantic cooperation among the scientists developing it. Now, as the Netherlands, UK, Canada, Germany and other nations set up academic security centres of their own, he says, at SECURE, “We have to include international stakeholders in this effort.”

Whether Haselkorn and his colleagues can make broad collaboration work in the normally closed world of security is an open question – and an important one, as the US has been leading allied concerns about sensitive technologies leaking to China.

Given the new centre’s prominence, Science|Business asked Haselkorn for details of the group’s plans.

What is the SECURE Center?

On a $50 million, five-year NSF funding agreement, Haselkorn and co-director Lynette Arias at the University of Washington are organising a national effort to inform, train and advise the US research community on security. It will have five regional centres working to develop an online system, or “virtual environment”,  that can provide security information, tools, training modules and alerts. The goal is to serve higher education institutions, non-profit research organisations and small-to-medium sized companies trying to comply with ever-expanding government guidelines on research security. Paired with it is a $17 million project led by Texas A&M University on security analytics.

What will it do?

The NSF’s project solicitation last year called for a “clearinghouse of information” for research organisations trying to understand and “identify improper or illegal efforts by foreign entities to obtain research results.” It is to develop risk assessment tools and best practices, share information and reports about security threats, provide security  training and support for researchers, and help gather data and analysis of “bad actors.”

Exactly what all that means will be worked out in coming months with SECURE partners and the wider US research community. Haselkorn gives a few possible examples:

• When researchers get an invitation out of the blue to speak at a conference or university abroad, especially when an honorarium is offered, how can they know whether it’s a legitimate scientific event or a lure to gather information? Without divulging classified information – SECURE won’t have direct access to that – it could advise researchers and universities on spotting fake events, so they can be avoided.
• Individual universities may get hacked or have other security breaches; and other universities should know enough about it to avoid similar attacks. The centre could devise an alert system that doesn’t publicly name or shame the targeted institution, but ensures that useful information gets shared.
• Institutions may want help in meeting cybersecurity or security training requirements. SECURE is to help design, develop, and implement these desired components.

How will it affect scientific collaboration?

Many researchers, especially in Europe, say all these mounting security measures will harm scientific cooperation. Haselkorn says the centre will strive to avoid that.

For starters, Haselkorn says, he wants to talk with those involved in research security in allied countries. There are already governmental efforts, among the Group of 7 leading economies and their national science funders, to coordinate and share security information. The SECURE Center plans to work with these similar research security-focused organisations elsewhere. Given the project’s time pressures, his first priority is setting up the SECURE staff, organisation and systems in the US. But when asked what his message to international counterparts might be, Haselkorn says, “We need to talk.”

Another risk to collaboration is administrative friction: too much paperwork, poorly designed and varying from funder to funder. For instance, he says, it’s a requirement for grant applicants to upload biographical information to potential funders – including an exhaustive list of all prior funding sources at home and abroad. That kind of security-related filing is manageable if a researcher can do it once for all grants and funders – but not if it has to be repeated over and over again, in different formats. “If you make the process too hard, then people will throw up their hands and say it isn’t worth it.”

What can SECURE do about that kind of problem?  In this case, he says, universities and funding agencies can work together to define better processes and tools that reduce the burden. In theory, SECURE won’t provide policy advice. But it will be overseen by a steering committee of government officials chaired by NSF and likely to include policy, law enforcement and intelligence agencies. So the research community’s perceptions on a problem can filter upwards to government.

What happens next?

The five-year agreement officially starts on 1 September with an initial award of $9.58 million. The first task, Haselkorn says, is setting up the administrative structures and hiring staff. He expects a core staff of about 50  joined by many others on various advisory, planning and expert committees recruited from across the country.

Within three months of the start, the project aims to have the five regional centres ready to roll, and by the sixth or seventh month to have begun a standard process for turning the ideas of the broader research community into the services it wants. By September 2025, the first online services should be up and running and in use. The US CHIPS and Science Act of 2022 that authorised SECURE envisions possible user fees for services, but Haselkorn says that at least for the foreseeable future that won’t be expected of any universities using the system.

Haselkorn, the principal investigator named in the SECURE agreement, has an academic specialty of developing virtual environments that enable large, complex groups to collaborate effectively – such as on a recent project to improve coordination among various US transport agencies and groups. His co-principal investigator is Sonia Savelli, a specialist in design and cognitive science, who is also at the University of Washington in Seattle. The companion SECURE Analytics project is led by Kevin Gamache of Texas A&M and Glenn Tiffert of Stanford’s Hoover Institution. The other partner institutions are Northeastern University, Emory University, the University of Missouri, the University of Texas-San Antonio, Mississippi State University, the University of Michigan, and the College of Charleston, South Carolina.

This project, Haselkorn says, represents NSF empowering the research community to develop its own security soutions. “It gives us ownership of the problem,” he says. And lots of work: “We’re dizzy with all the stuff we’d like to get done,” even before the September 1st start.