Rafael Reif, president of the Massachusetts Institute of Technology in Cambridge, fears government efforts to combat foreign influence have created a “toxic atmosphere of unfounded suspicion” on many U.S. campuses.

U.S. universities battle a security storm in Congress

The threat from China is real, U.S. academic leaders say. But so, too, is the possibility that federal efforts to combat that threat could inhibit the U.S. research enterprise.

That’s why university officials are scrambling to shape legislation moving rapidly through Congress. It’s aimed at thwarting attempts by foreign entities, notably the Chinese government and affiliated institutions, to take unfair advantage of the traditionally open U.S. research system.

The House of Representatives has already adopted language that universities like. And on 12 July it was tucked into a larger piece of legislation almost certain to become law in some form. But this month also saw a bipartisan group of senators introduce a similar bill that added provisions universities find hard to swallow.

Congress is expected to resume work on those bills—and potentially others dealing with beefing up protections on academic research—after returning from its August recess. In the meantime, academic leaders are making the case that the best way to combat China’s growing research prowess is by going on the offensive, that is, by boosting spending on domestic research and training.

“I don’t think we can maintain U.S. leadership in science by only playing defense,” said Maria Zuber, vice president of research at the Massachusetts Institute of Technology (MIT) in Cambridge, during a meeting this month of the National Science Board, a presidentially appointed body that oversees the National Science Foundation (NSF). During the meeting, which discussed ways to deal with the security challenge, physicist Arthur Bienenstock of Stanford University in Palo Alto, California, cited a recent NSF analysis showing that when U.S. scientists publish with a colleague from another country, Chinese scientists are the most likely partners, claiming 23% of all such collaborations. U.K. scientists are second, participating in 14% of such collaborations, followed by Germany with 11%.

“Will a new policy drive more Chinese scientists to collaborate with Europe rather than the U.S.?” Bienenstock wondered. “And will fewer international collaborations make U.S. scientists less competitive in the fields that are most important to our economy?”

Talking it out

Those arguments are part of a long-term strategy to strengthen a research system that academic leaders say has fueled U.S. prosperity since the end of World War II. But in the short term, their focus is on the pending legislation.

Two key bills—the Securing American Science and Technology Act (H.R. 3038) in the House and the Secure American Research Act (S. 2133) in the Senate—would create a White House–led working group to coordinate federal activities. Representatives from 19 federal agencies would have the job of hammering out a common definition of the scope of the threat and drawing up a list of best practices for universities and government laboratories to follow.

The legislation would also establish a National Science, Technology, and Security Roundtable, hosted by the National Academies of Sciences, Engineering, and Medicine, that would give the academic community a much-desired seat at the table in ongoing discussions among government officials, university administrators, and the captains of industrial research.

Science lobbyists hope the final product will look more like the House bill, which is co-sponsored by representatives Mikie Sherrill (D–NJ) and Jim Langevin (D–RI). Its goal, Sherrill says, is “a unified approach to protect research without creating overlapping or contradictory federal requirements.”

That legislation, introduced in late May, was folded into a much broader bill approved this month by the House along straight party lines to reauthorize programs at the Department of Defense. That strategy means the issue will come up for debate this fall when House and Senate conferees negotiate the final terms of the defense reauthorization bill, one of the few annual pieces of business that Congress traditionally considers to be essential.

“Soft targets”

In contrast, the Senate bill has bipartisan support, as three Democrats joined Senator John Cornyn (TX) and four other Republicans as initial co-sponsors. But it takes a darker view of the current threat. A 17 July press release from Cornyn, the lead sponsor of the bill and chair of a Senate panel on global competitiveness, calls universities “soft targets … for Chinese human espionage and cyberattacks” and asserts that academics “are often not aware” of the threat.

One way to get their attention, according to the bill, would be to require any institution receiving federal research dollars to certify that it is following tough cybersecurity procedures issued in 2016 for a far more limited purpose. Those rules apply to controlled unclassified information (CUI), a new category of federally funded activities that represents a tiny subset of all research projects. The CUI label differs from classified research, which at universities is often conducted at a separate, off-campus facility and subject to even more stringent oversight.

A second provision of the Cornyn bill would create a registry of researchers who have failed to disclose foreign affiliations to their granting agency. The list would be shared among agencies but not made publicly available.

“We hope to provide an incentive for universities to increase cybersecurity standards when competing for federal grants,” Cornyn staffers say, in response to questions from ScienceInsider. “It should be among the factors that affect their application,” they add. Staffers say the registry of researchers could help agencies decide which grants to fund by flagging proposals from institutions where breaches had occurred.

A question of walls

Science lobbyists feel those provisions go too far, and their organizations have so far withheld support for the bill. “We’ve had a huge challenge with Congress,” says Tobin Smith of the Association of American Universities, a Washington, D.C.–based organization of top research institutions that has been very active in monitoring developments. “They don’t know all the steps we have already taken” to address the threat, he says. “But we also have to remind them that a core piece of what universities do is sharing information, not walling it off.”

The 2016 cybersecurity rules referenced in the Senate bill kick in when a funding agency imposes additional restrictions on how the research can be disseminated or who can participate. (Universities can request an exemption if they feel the research is so fundamental that no such restrictions should apply.) Institutions that agree to sponsor CUI research must follow more than 100 security-related requirements that do not apply to the rest of their federally funded research portfolio. The rules cover everything from multifactor log-on authentication and more stringent auditing procedures to additional training and heightened physical security.

It’s that extra level of scrutiny that concerns university administrators like Mary Millsaps, director of research information assurance for Purdue University in West Lafayette, Indiana.

“We already have firewalls,” she says, referring to cybersecurity provisions that are standard for most projects. “They generally involve what I call passive monitoring, that is, systems to ensure that we’re following the rules. But controlled [unclassified information] research imposes an additional layer of institutional oversight that requires active monitoring by somebody at all times,” she says. “And I would be concerned if they want to put those additional levels of control on everything.” Her office manages roughly 50 research projects that require special handling, she notes, and fewer than a dozen fall into the CUI category.

The CUI designation can also affect how the research itself is carried out. For one group of Purdue scientists, Millsaps says, it meant they couldn’t use the university’s own supercomputer network for their project. Instead, they had to rely on the Amazon government cloud, which is less powerful, but meets the stricter guidelines. “We understand why, and we’re not complaining,” says Millsaps about the restrictions. “But it definitely slowed them down.”

Going too far

All parties in the debate agree that any new policy should strike a balance between protecting federal research assets and preserving open scientific engagement with the rest of the world. But there’s no consensus on where to draw the line. Kelvin Droegemeier, director of the White House Office of Science and Technology Policy, believes the key is an approach that preserves what he calls “American values.”

“Science is an international endeavor, and we benefit greatly from having scientists from other countries come here,” Droegemeier told a House spending panel on 24 July that asked what the government should be doing to protect its research investments. “But you need to come here legally—through the front door. And you need to act with integrity and uphold our values.”

But many university officials worry that an overly aggressive attempt to protect U.S. research could jeopardize the types of international collaborations that have helped the country become a scientific superpower. Last month, for example, MIT President Rafael Reif warned the government “not to create a toxic atmosphere of unfounded suspicion and fear” against foreign-born scientists as it tries to reduce the risks of academic espionage on U.S. campuses.

The current U.S. trade war with China could spur Congress to take a tough stance on academic research as well. If so, university officials just hope that it’s a measured response.

“Universities will be in compliance because we are regulatory animals,” Millsaps says. “But I hope they keep in mind that this research will eventually be published and shared with the world. So what exactly are we protecting it from?”