Never heard of Research Security? Why safeguarding your research today is critically important

Posted on July 9, 2022 by Paul Curwell, CPP, CFE, CISSP

Paul Curwell, CPP, CFE, CISSP

How did we get here?

Research Security refers to the ability to identify possible risks to your work through unwanted access, interference, or theft and the measures that minimise these risks and protect the inputs, processes, and products that are part of scientific research and discovery.

Source: Why safeguard your research? Government of Canada (2021).

Photo by Chokniti Khongchum on Pexels.com

Followers of my blog will know that I regularly write about the scourge of Intellectual Property (IP) theft. One of my observations from working with Australian organisations of all shapes and sizes (including research and development, or R&D intensive ones which depend on commercialisation for success) is that we all too often ignore the importance of protecting our IP and early stage research.

Indeed, according to The Commission on the Theft of American Intellectual Property (2013), theft of United States IP alone is estimated in the vicinity of US$300 billion per annum impacting jobs, GDP and innovation. According to testimony given by the former US National Security Agency Director General Keith Alexander:

“The stealing of U.S. private company information and technology has resulted in the greatest transfer of wealth in history”
HEARING BEFORE THE SUBCOMMITTEE ON OVERSIGHT AND INVESTIGATIONS OF THE COMMITTEE ON ENERGY AND COMMERCE HOUSE OF REPRESENTATIVES ONE HUNDRED THIRTEENTH CONGRESS FIRST SESSION, 9 July 2013.

Is all research and development the target of theft?

Most commonly it is applied research which is stolen (i.e. outcomes that can be directly applied to a tangible application or outcome which can be commercialised), as opposed to basic or discovery research. The coordinated theft of IP focuses on Science, Technology, Engineering an Mathematics (STEM) domains, as opposed to social science or humanities research.

Does this article resonate with you? Please vote below or subscribe to get updates on my future articles

One challenge with the R&D process is that you never know what you’re going to find – funding of R&D effectively involves placing strategic ‘bets’ to fund those programs assessed as having the greatest chance of success. So why don’t we put more time into protecting our research?

Part of the protection challenge stems from the nature of research itself, and of the knowledge creation process. Knowledge creators need to be able to operate in a creative environment that allows them to share ideas and concepts with others, and ultimately generate a positive R&D outcome over time. By their nature, many researchers are inclined to share and collaborate with others, and many (falsely) perceive the risk if IP theft as very low.

The knowledge creation process is very easily stimied through excessive security, which can inhibit creativity and innovation. But on the other hand, too little security can mean your research walks out the door either with an unscrupulous competitor or a departing employee. This is where the concept of research security comes in.

Photo by Tamu00e1s Mu00e9szu00e1ros on Pexels.com

What is research security?

Successful research and innovation requires collaboration and formal partnerships between multiple parties, including governments, businesses, and academics. These collaborations and partnerships can occur in one country or internationally, almost like a ‘patchwork quilt’ of skills, competencies and capital.

Unfortunately, some bad actors and unscrupulous organisations have taken advantage of this process for their own game. This includes nation states, some of which have been involved in state-sponsored industrial espionage (‘economic espionage’) for decades.

What is the impact of research theft?

Diminished trust and confidence in your research data and results
Loss of research data
Loss of exclusive control over intellectual property, patent opportunities, and potential revenue
Legal or administrative consequences
Loss of potential future partnerships
Tarnished reputation

Source: Why safeguard your research? Government of Canada (2021).

In response, countries such as the US, UK, Canada, New Zealand and more recently Australia have introduced ‘research security’ programs to help the research and innovation sector understand and manage this risk, as outlined below.

Source: US Director of National Intelligence, dni.gov

Canada’s Safeguarding Your Research program

The Government of Canada started raising research theft and research security as an issue in 2016, subsequently forming a joint Government of Canada-Universities Working Group to “advance open and collaborative research in a way that also safeguards research and maximizes benefits to Canadians”. The government has created the Safeguarding your Research portal which contains useful resources including:

Tools for building Security Awareness in the Academic Community
A checklist to help determine whether you are at risk
Information on mitigating economic and/or geopolitical risks in sensitive research projects
National Security Guidelines for Research Partnerships

United Kingdom

In contrast to Canada, the UK Government started its research security journey in 2019, with security programs being coordinated by the Center for the Protection of National Infrastructure (CPNI). With almost 20% of UK research funding coming from international sources, CPNI suggests three key actions to safeguard your research:

Due diligence – who are your research partners, actually? Who are their research partners or investors? Remember that affiliations and company ownership can change over time: who you partnered with on day 1 may not be who you are partnered with on day 365. Bad actors frequently materialise after you have signed the partnership agreement, so due diligence should be undertaken on an ongoing basis.
Conflicts of interest – identify any actual or potential conflicts and ensure they are managed. This could include your research partner’s collaborations with your competitors.
Segregation – use security programs to segregate your valuable research programs, both physically and logically (i.e. cyber, physical and personnel security).

United States

Since mid-2018, the US Government has introduced a range of rules, policies and regulations to address concerns about foreign interference in research and the theft of intellectual capital. Various departments and agencies have introduced new measures to address risks to the integrity of the research enterprise, such as the establishment of the Joint Committee on Research Environment by the Office of Science and Technology Policy at the White House.

In 2018, the National Institutes of Health (NIH), one of the largest R&D funding bodies in the world, took the unprecedented step of writing to NIH grant receipients to inform them of the threat of foreign interference and IP theft in relation to biomedical research. This step has set the tone in terms of the seriousness of this issue, and should highlight to the research community globally the nature of the threat – which is manageable with the right mitigations.

Australia – time for a change of attitude?

In Australia, how we protect our research and innovation is largely dependent on who the threat actor is. From a commerical perspective, we typically adopt a legalistic approach to protecting our valuable research, historically relying predominately on formal IP protections such as patents and copyright. This remains very important, but it is also largely ineffective against the threat of IP theft. By the time the matter gets to court, assuming you can find the thief, it’s too late and the only people who benefit are lawyers.

Once you have lost your valuable research, you face an expensive and time consuming battle to restrain the offending party from using the IP or gaining commercial advantage. Assuming you have the legal defence fund to pursue this course of action – noting your pockets may need to be deeper than your opponent in order to continue funding any litigation – you may not even recover 100% of what you lost. Further, if you didn’t take ‘appropriate’ actions to try and protect the information, a court may deem you also at fault.

Australia does not have formal trade secrets protection under IP law, unlike other countries. This means business is reliant on various Confidential Information provisions to protect its research and innovation, something which can be hard to defend. There is a litany of Australian case law showing companies which learned the hard way here when trying to protect their valuable information from competitors, third parties and former employees.

Where the threat actor is ultimately a nation state, Australians now have provisions in the Criminal Code 1995 (Cth) in relation to economic espionage – which also contains the first mention of the term ‘trade secret’ that I am aware of in Australian law – as well as the University Foreign Interference Guidelines. The Guidelines, which I will write about in a subsequent post, were refreshed in 2021 and provide an excellent introduction to developing what I would call a ‘research security framework’, but which can be applied to address all security threats to research and innovation, not just foriegn interference.

I’m a research or commercialisation manager – what can I do about it?

Effectively managing this risk involves understanding what your critical information assets are, who has access to them, and how. This will allow you to identify those areas of greatest risk and focus your limited resources and effort accordingly. Doing this effectively involves a combination of cybersecurity, physical security, non-cyber information security and personnel security (insider threats) measures deployed as part of a holistic program.

The second critical aspect here is managing your research partnerships via a supply chain (third party) security program. This is broader than security – you need to perform proper due diligence (before commencing, throughout the life of the relationship, and for a period afterwards), as well as implementing the right security and legal controls to manage these risks, all whilst creating an environment where the actual researchers can collaborate and work their magic.

This is not easy and requires a good understanding of both security and research / innnovation to be successful, but it is possible. As highlighted in this post, there are plenty of resources available to support you on this journey but remember, the one thing that is clear is the risk of inaction.

Critical Minerals – what’s the problem here?

Posted on May 28, 2022 by Paul Curwell, CPP, CFE, CISSP

Paul Curwell, CPP, CFE, CISSP

What are critical minerals anyway?

Critical minerals are defined by Geoscience Australia as “metals and non-metals that are considered vital for the economic well-being of the world’s major and emerging economies, yet whose supply may be at risk due to geological scarcity, geopolitical issues, trade policy or other factors” (2022). One category of critical minerals, ‘rare earth elements’ (listed below) are particularly important:

(Ga) Gallium
(In) Indium
(W ) Tungsten
Platinum-group elements (PGE) including
- (Pt) Platinum (Pt)
- (Pd) Palladium
(Co) Cobalt
(Nb) Niobium
(Mg) Magnesium

(Mo) Molybdenum
(Sb) Antimony
(Li) Lithium
(V) Vanadium
(Ni) Nickel
(Ta) Tantalum
(Te) Tellurium
(Cr) Chromium
(Mn) Manganese

The problem with critical minerals is their availabiilty: they are not distributed evenly throughout the world, and in some cases it is not economical to extract them using current technology. This is particularly the case with rare earths, where according to InvestingNews, the top 10 countries for rare earth production are:

1 China	6 India
2 United States	7 Russia
3 Myanmar	8 Thailand
4 Australia	9 Vietnam
5 Madagascar	10 Brazil

InvestingNews (2021)

Readers will note that some of the countries are subject to greater geopolitical risks than others – ranging from emerging to developed economies and sanctioned to non-sanctioned jurisdictions. One of Australia’s strengths is our proliferation of critical minerals and our geopolitical and economic stability. As shown in the following figure, Australia has critical mineral deposits distributed across the country:

Critical Minerals Supply Chain in the United States: Mapping the Landscape for Australian Suppliers (AUSTRADE, 2019)

As demands for the world’s critical minerals increase and supplies dwindle, rich countries will increasingly seek alternative sources. Deposits that were previously uneconomic to extract may become economical, whilst other countries may resort to war or coercion to achieve or maintain geostrategic advantage. Geoscience Australia has ranked Australia’s resource potential for critical minerals and their associated criticality (or scarcity):

Geoscience Australia (2022). Critical Minerals.

Understanding the criticality of raw materials is particularly important when assssing your supply chain threats and risks, as is understanding the geopolitical risks associated with the Critical Minerals value chain (refer figure below).

Geoscience Australia (2022) notes that some “category one and category two metals and semi-metals are primarily by-products of refining of the major commodities such as zinc, copper, lead, gold, aluminium and nickel”. Australia has abundant stockpiles for many of these commodities, however they are not always cost effective to extract. In the future, advances in processing techniques might mean these can be extracted in a highly targeted way at a cost that makes economic and environmental sense.

What industries use critical minerals?

Critical minerals underpin the world’s 4th Industrial Revolution as well as the high tech gadgets as well as enabling a green low-carbon, digitised economy. Without access to critical minerals, we would not be able to have our computers, phones, wind turbines, electric vehicles or solar panels that are decoming de rigueur in Australia and worldwide. Here are some lesser known examples and their applications:

Critical Mineral	Usage (examples, not exhaustive)
Yttrium	Ceramics (abrasives, jet engine coatings, oxygen sensors in cars, and corrosion resistant cutting tools) Electronics (microwave radar, dental and surgical procedures, digital communications, industrial cutting and welding, photochemistry, distance and temperature sensing) Metallurgy (superalloys, high-temperature superconductors)
Tantalum	Production of tantalum alloys, capacitors, compounds and metal Major end uses for tantalum capacitors include automotive electronics, mobile phones and personal computers Tantalum oxide is used in glass lenses and tantalum carbide is used in cutting tools
Germanium	Fibre optics, infrared optics, electronics and solar applications including solar cells for satellites

Critical Minerals Supply Chain in the United States: Mapping the Landscape for Australian Suppliers (AUSTRADE, 2019)

As you can see, the applications for critical minerals are diverse – without them, much the advanced civilisation we live in today would cease to function.

What are the security and supply chain risks for Australian companies?

Two principal security and supply chain risks associated with critical minerals are worth highlighting, both of which have a geostrategic flavour – (1) foreign ownership, control and influence, and (2) sanctions and trade embargo risks, as illustrated below:

Paul Curwell (2022) – adapted from AUSTRADE *Critical Minerals Supply Chain in the United States* (2019)

The Foreign Ownership, Control and Influence (FOCI) risks we have seen globally tend to materialise in two scenarios, outlined in the following table:

FOCI Risk	Risk Description / Scenario
Mining rights (licences) are held by a single company which controls a substantial percentage of production	This scenario is particularly applicable to Rare Earth Elements which are only found in a few locations around the world, hence global supply is very low in comparison to demand. In this case, a single company could conceivably control a substantial percentage of the production for a given rare earth element globally.
Ownership of multiple mines is held by shareholders of the same nationality (i.e. a concentration risk)	This effectively gives the parent country ‘control-by-proxy’ of critical minerals production, meaning the minerals can be exported under the guise of legitimate trading contracts to the parent country for stockpiling and / or use in manufacturing. Once extracted and shipped, there is no easy way of getting the minerals back, and the country which holds all the stockpiles effectively controls both market pricing as well its permitted end use (for example, military end-use export controls might be applied, effectively giving the controlling country a military advantage).

The second type of risk is sanctions and embargos risk. Historically, when we think of sanctions, trade embargos or even naval blockades it is typically on countries such as North Korea and Iran for their actions against the global community and internationally acceptable norms and behaviours.

As a source country for critical minerals, there is always the possibility that Australian companies or Australian exports could be sanctioned. However, two factors act in our favour to mitigate this risk with critical minerals:

First is global availability, being that critical minerals are either only located in specific geographic regions or can only be extracted in a way that makes economic sense from a small number of locations.
Second is the global balance of power. Whilst geostrategic power is shifting away from the United States, we are not yet at the point where other geostrategic players have sufficient power or leverage to impose meaningful sanctions or export restrictions at a large scale (note this does not mean that targeted, and even non-conventional forms of sanctions would not be possible or effective).

Another commonly used sanctions and embargo tool is the naval blockade would be very oenerous to enforce in a country such as Australia, which is so large and surrounded by navigable waters.

What can we do about it?

Like an increasing number of countries around the world, Australia has implemented foreign ownership and foreign investment restrictions to prevent the scenario arising whereby our mining companies or mining licences are owned by foreign investors either at issue or throughout their period of validity, without appropriate review. Additionally, we have introduced a range of foreign intereference laws to criminalise and help prevent actions by foreign governments and their proxies (including legal entities) from interfering in Australia’s sovereignty.

As with saw with trade restrictions on Australian exports, the management of sanctions, embargos and the like are much harder to mitigate. This is particularly the case where Australia sends extracted ore to a third country for processing and refining, which may then be purchased for re-import back to Australia. In this scenario, Australian manufacturers or businesses are immediately exposed to potential sanctions risks. One way to mitigate this is to conduct mineral processing and refining here in Australia, allowing Australia to export refine material as well as to use it directly in Australian manufacturing.

If there is one positive thing that can be said for the COVID-19 pandemic (aside from introducing more flexible working practices), it is that the supply chain disruptions have really refinforced the need for Australia to expand our domestic manufacturing capability and the need to be less reliant on other countries for our critical supplies and services in the Australian psyche. Understanding where security, geopolitical (country) and resilience risks lie in your supply chain, and implementing appropriate risk treatments, is critical for every Australian business.

ForewarnedBlog.com

Actionable insights on security, fraud, integrity and resilience for innovative industries

Tag Archives: Foreign Interference