The Evolving Security Paradigm -- The Challenge for Research Universities
Richard A. Johnson
EDUCAUSE
richard_johnson@aporter.com
May 2004
“Openness v. Security” -- Review 10 Key Reasons for the Changing Security Framework Affecting Universities, Non-Profit Research Institutes and IT
• Dealing with a Web of Interrelated but Distinct Federal Regulatory and Policy Frameworks for Security that are Broadening and Deepening
  • Export controls as an “A” list priority -- ITAR and EAR
  • OFAC and transborder information flows
  • Information controls (“in the formative stage”)
  • Federal funding and “regulation by contract”
  • Visas -- MANTIS and the Technology Alert List
  • Federal R&D agenda
  • Economic and high-tech espionage measures
Reasons for the Changing Security Framework for Universities
• 1. More complex world: 9/11 and the anthrax attacks changed everything
  • National security now has multiple forms -- WMD; cybersecurity and IT systemic damage; critical infrastructure; economic crises; and terrorism
  • States, non-state actors and threat diffusion -- who’s the enemy?
  • The growth of “dual use” research -- increasing threat that it can be used for harm (ex. Mousepox paper, advanced IT)
  • New national research agenda driven by the perceived imperatives of the “new” security
  • “No one size fits all”
Reasons for the Changing Security Framework for Universities
• 2. The public trust -- competing concerns
  • refocuses attention on the university as both an institution of public trust and a source of societal solutions
  • role of independent creators and arbiters of knowledge; impartial scholarship and taking research wherever it leads
  • implications of becoming viewed as “unpatriotic”
  • threatens public support for the research mission of academic institutions and taxpayer support for funding fundamental research
• 3. The growing intersection of cutting-edge science, technology and engineering research with national security, foreign policy and homeland security
Reasons for the Changing Security Framework for Universities
• 4. The evolving role of the research university in the 21st C.
  • Increasing globalization of universities and research in a security paradigm that remains rooted in nation-state defense
  • Increasing breadth and depth of multidisciplinary research, with many of the most interesting intellectual challenges at the interfaces
  • Changing innovation and economic development roles
  • Shifting approaches to fulfilling its core missions
  • Emerging new legal status -- Madey v. Duke reasoning
Reasons for the Changing Security Framework for Universities
• 5. Increasing intersection of non-traditional disciplines with the post-9/11 regulatory framework (and growing disconnects)
  • Ex. -- Life sciences as a major security pressure point -- biological agents, toxins and chemical precursors
    • Greatest increased threat; most unpredictable
    • No culture of security; least govt. security experience
    • Material transfers
    • Controlling underlying information and data
    • Regulatory uncertainty -- Select Agents (export controls, state regs, Patriot Act, Biopreparedness Act)
Reasons for the Changing Security Framework for Universities
• 6. Government security unease with university “exceptionalism” and divergent world views
  • Growing perception that universities “are not serious” about compliance, reinforced by a “we-them” divide
  • Corporate complaints that universities “aren’t playing by the same rules”, with competitive implications
  • University openness on the defensive -- GAO Report (2002); OIG Reports (2004); Congressional oversight
  • “Enhanced” compliance and enforcement focus
  • Fall 2003 -- Federal interagency export control investigation/audit of 14 research universities
Reasons for the Changing Security Framework for Universities
• 7. A growing shift from “the right to know” to “the need to know” as an operating principle of government
• 8. Tensions within the security community about the role of research universities
  • How do you define national security? Over what time?
  • Will the research community initiate and accept tough new self-governance and self-regulatory measures, or must they be imposed?
  • Will national security policy tilt toward advancement at the frontiers of knowledge or protection of current technology?
Reasons for the Changing Security Framework for Universities
• 9. The changing allocation of federal R&D
  • Defining new areas of security-related research responsibilities
    • cybersecurity (ex. NSF)
    • homeland security S&T (ex. DHSARPA)
    • bioterrorism and public health (ex. NIH/NIAID and CDC)
  • Fund translational tasks: research to useful applications fast
  • Short-term security applications v. long-term security solutions: who gets funded for what?
Reasons for the Changing Security Framework for Universities
• 10. Universities as “critical infrastructure” and “vulnerable” targets
  • universities are one of the most porous gateways to cutting-edge knowledge and technology -- including vast amounts of useful information on networks/databases
  • Ex: Cybersecurity
    • prevent attacks from universities (hijacked computing power)
    • prevent attacks within universities (high levels of security)
    • access to networks and info flows; information-sharing
    • internal controls and security processes
    • as a source of key, innovative research in IT
U.S. Export Controls and Trade Sanctions -- Purposes
• U.S. export controls have multiple goals that sometimes conflict
  • Advance Foreign Policy Goals
  • Restrict Exports of Goods and Technology That Could Contribute to the Military Potential of Adversaries
  • Prevent Proliferation of Weapons of Mass Destruction (nuclear, biological, chemical)
  • Prevent Terrorism
  • Fulfill International Obligations
Export Controls
• Covers all U.S.-origin goods, technology or information (jurisdiction follows the item worldwide) not in the public domain
  • ex. “deemed exports” to foreign nationals in the U.S.
  • ex. int’l scientific collaborations and conferences
  • ex. technology and information related to tangible goods and prototypes, plus encrypted software
• ITAR v. EAR
• Fundamental research and public domain exemptions -- “yes, but”
Export Controls
• The post-9/11 environment exacerbates existing export control issues
  • uncertainty, complexity, limited transparency, lack of flexibility, and few procedural protections
• Exports of most high-technology and military items, and associated technology and information, are subject to U.S. export controls (require either a license or an applicable exemption) -- an increasing amount of university research is covered
  • increasing compliance risks and administrative burden for the institution, for individual faculty members and for international collaborations and the “openness” of campus
  • Criminal and civil penalties taken seriously
  • Increasing number of government investigations/audits
  • Imperil federal funding
International Traffic in Arms Regulations (“ITAR”) -- State Dept.
• Regulates goods and technology designed to kill people or defend against death in a military setting (“munitions” or “defense articles”)
• Includes space-related technology and research; increasing applicability to other university research areas such as nanotechnology/new materials, sensors, life sciences and advanced IT components
• Covers “defense articles” (includes tech data, which encompasses software, unlike the EAR) and “defense services” (certain information to be exported may be controlled as a “defense service” even if in the public domain)
• Includes technical data related to defense articles and defense services (furnishing assistance including design, engineering, and use of defense articles)
Export Administration Regulations (“EAR”) -- Commerce Department
• Covers dual-use items: 10 CCL categories of different technologies covering equipment, tests, materials, software and technology
• Regulates items designed for commercial purposes but that can have military or security applications (e.g., computers, pathogens, civilian aircraft)
• Covers goods, test equipment, materials, technology (tech data and technical assistance) and software
• Also covers “re-export” of “U.S.-origin” items outside the United States
U.S. Export Controls and Trade Sanctions -- “Deemed” Exports
• U.S. export controls cover transfers of goods and technology within the U.S. (a transfer outside the U.S. is deemed to occur when a foreign national receives the information in the U.S.)
• Applies to technology transfers under the EAR and the provision of ITAR technical data and defense services
• Unless the fundamental research exemption applies, a university’s transfer of controlled technology to a non-permanent-resident foreign national who is not a full-time university employee in the U.S. may be controlled and/or prohibited
• Visa status important: a permanent resident (“green card holder”) has the same right to controlled information as a U.S. citizen
Export Controls -- Fundamental Research (FR) Exemption
• FR exemption: applies to basic or applied scientific or engineering research at an accredited university in the United States; the ITAR FR exemption excludes research abroad
• no FR exemption if the university accepts restrictions on publication or any “access and dissemination” controls
• no FR exemption if research results are proprietary
• expansion of technologies ineligible for FR (encryption, biotech, composite materials)
Export Controls -- Public Domain Exemption
• Exemption for information published through one or more of the following:
  • libraries open to the public
  • unrestricted subscriptions for a cost not exceeding reproduction/distribution (including reasonable profit)
  • published patents
  • conferences and seminars in the United States accessible to the public for a reasonable fee and where notes can be taken (ITAR) -- or also abroad, but only under the EAR
  • Generally accessible free websites w/o knowledge
  • General science/math principles taught at universities
U.S. Export Controls and Trade Sanctions -- Application to University Research
• Export of research products
  • Certain oceanography or marine biology equipment may be controlled by ITAR
  • Specially designed electronic components could be controlled
• Temporary transfer of research equipment abroad
  • Carrying scientific equipment to certain destinations for research may require authorization (e.g., Iran, Syria, China, etc.)
• Software
  • Software that is provided to the public for free may not require licenses, but proprietary software of controlled technology could require licensing
  • Encryption technology could require licenses or could be prohibited for transfers to certain foreign nationals/countries
  • Source code licenses as “dissemination controls”
U.S. Export Controls and Trade Sanctions -- Application to University Research (cont’d)
• Corporate grants may limit access by foreign nationals
  • Proprietary restrictions or restrictions on publication in corporate grants may invalidate the fundamental research exemption
  • Could trigger licensing requirements for certain foreign nationals
• Conferences
  • Potential restrictions on participants or information flows
  • Inability to co-sponsor with certain countries or groups (e.g., restrictions on co-sponsoring a conference with the Iranian government)
• Transfer of defense services
  • Potential license requirements for work with foreign nationals to launch a research satellite or develop advanced cyberinfrastructure
U.S. Export Controls -- the breadth of export control issues
• Software license terms -- especially source code; software license terms as “access and dissemination controls” that invalidate the fundamental research exemption
• Server access: a demanding compliance challenge because you must be able to prove the negative
  • Can you show that non-U.S. persons do not have access to export-controlled technical data?
  • Can you demonstrate that nothing on the open server is export-controlled?
  • Do you know the export classifications of the technology and software on the university’s servers?
OFAC and U.S. Trade Sanctions
• U.S. economic sanctions focus on the end-user or country rather than the technology
• Embargoes administered by the Office of Foreign Assets Control, U.S. Department of the Treasury (“OFAC”)
  • Prohibitions on trade with countries such as Iran, Cuba
  • Restrictions on travel
  • Limitations on activities in certain areas of countries or with certain non-state actors
• OFAC prohibits payments or providing “value” to nationals of sanctioned countries and to specified entities even if the country is not subject to sanctions (ex. sponsorship of an academic conference in Iran)
• Separate prohibitions under the ITAR and EAR
  • ITAR proscribed list/sanctions (e.g., Syria, or the requirement for a presidential waiver for China)
  • EAR restricts exchanges with some entities and universities in India, Israel, Russia, etc. because of proliferation concerns
OFAC and Transborder Information Flows
• Berman amendment -- transactions in “information and informational materials” exempt from OFAC trade sanctions
• OFAC policy -- (1) info not fully created on the date of the transaction, or substantive/artistic alteration of info, is not exempt; and (2) can’t provide anything of “value” without prior U.S. government approval
• Peer-reviewed journals and the controversy over editing Iranian manuscripts
Information Controls -- “fumbling like newlyweds in an arranged marriage”
• Pressure from federal funding sponsors to control access to and limit dissemination of certain research
• Proposed designations between classified and unclassified (NSDD-189)
  • “Sensitive but unclassified” information
  • “Critical research technology”
• Withdrawal or limitations on public domain information
• Pre-publication reviews
• Problems with sponsors’ documents -- “sensitive”; “no foreign nationals”; “special access conditions”
Information dissemination -- “sensitive” and other restrictive designations
• NSDD-189: Reagan Cold War decision (1985)
  • Fundamental research generally should be unrestricted
  • Use classification only if national security requires control
• Card memo to federal agencies (3/19/02)
  • withhold “sensitive but unclassified” information; OMB review
  • no “inappropriate” disclosure of govt. info or data; denying researcher access to even unclassified govt. information
• DoD proposal for “critical research technology” (2002)
• OHS/NSC: “sensitive homeland security information”
Sensitive and other restrictive designations for university information
• DoD “Critical research technologies” (March 2002)
  • Publication control over all DoD-funded research, including fundamental research; criminal penalties
  • New restrictions on foreign nationals if CRT
  • Travel reporting and restrictions
• New DoD Draft Directive (Nov. 2002)
  • “Controlled Unclassified Information”
  • Largely focused on research within DoD
  • Recognizes NSDD-189
  • DoD reviews of certain unclassified research deemed “critical” to national security still alive
Emerging Problems with Information Controls for IT/Research Offices
• Problems in defining what is “sensitive”
  • Reasons unrelated to national security
  • Short-circuiting public debate
  • State FOIAs for land-grant universities
• What is the presumption for or against publication? How to overcome whatever presumption is set?
• Who decides what is dangerous? Process? Appeals?
• Can you develop rules to restrict WMD information without an “overbreadth” effect on other S&T research?
• Risk-based security model: no one size fits all
Emerging Problems with Information Controls for Research Administrators
• Other pragmatic, administrative-burden issues confronting the research community related to information
  • Defining categories of information and materials
  • Setting levels of access/restriction
  • Deciding on the appropriate body to regulate and oversee -- in government and on campus
  • Establishing and implementing international norms
  • Applicability of other non-classified models to post-9/11 (ex. proprietary data, patient confidentiality)
Information Controls -- New National Science Advisory Board for Biosecurity (NSABB)
• Guidance for all “dual use” biological research and criteria for “acceptable” dual use research
• Not mandatory, but the “stick” will be “conditionality” of federal funding
• Development of new “security” culture programs
• NSABB’s role will extend to publication and communication of research results and methods
• “New level of sensitivity” for information flows
Sensitive and other restrictive designations for university information
• National Academies “action points” for the scientific, engineering and health community
  • Are there unclassified areas of research that should be classified?
  • How can universities monitor this issue as science and potential threats change over time?
  • Need for new security procedures for research materials?
  • How to detect new potential threats, and opportunities to counter them, and then convey them to government agencies in a timely manner?
Sensitive and other restrictive designations for university information
• National Academies “action points” for policymakers
  • How to apply the principle of “high fences around narrow areas” in the new security environment to achieve the proper balance?
  • How can these decisions be made at the outset of a research project to avoid disruptions?
  • How to avoid vague and unpredictable categories such as “sensitive but unclassified” information?
  • How best to enlist universities for both unclassified and classified research needed for counterterrorism?
Federal Funding and “Regulation by Contract”
• Contracts and funding are becoming the new lever of power rather than new regulations -- federal $$$ increasingly linked to new contractual restrictions and compliance with government information policies
• AAU/COGR “Troublesome Clauses” Report (2004) -- sample reported 180 instances in the last 6 months
  • restrictions on publication
  • new types of access and dissemination reviews
  • limitations on the use of foreign nationals
  • both a government and a corporate subcontract problem