Weekly cyber news update

This weeks news comes from the Centre For The Protection of National Infrastructure, we have compiled their guidance into a five minute read, access the full guidance here.

 

Introduction

Trusted Research aims to support the integrity of the system of international research collaboration, which is vital to the continued success of the UK’s research and innovation sector. It is particularly relevant to researchers in STEM subjects, dual-use technologies, emerging technologies and commercially sensitive research areas. The advice has been produced in consultation with the research and university community and is designed to help the UK’s world-leading research and innovation sector get the most out of international scientific collaboration whilst protecting intellectual property, sensitive research and personal information.

Trusted Research:

  • Outlines the potential risks to UK research and innovation
  • Helps researchers, UK universities and industry partners to have confidence in international collaboration and make informed decisions around those potential risks
  • Explains how to protect research and staff from potential theft, misuse or exploitation

 

Research income

A picture containing vector graphics</p>
<p>Description automatically generated

 

Why protect your research?

Whether you hold sensitive medical data for genetic research or commercially sensitive information on behalf of a research sponsor or business, protecting your research is important to you, your institution and your partners.

All research can be at risk, but areas around applied research are particularly vulnerable, especially where there is a specific problem that you are seeking to solve, or where you are trying to develop a commercial application. In these cases, the consequence of research outcomes being exploited could be far greater and could result in the loss of intellectual property and misuse of your research.

For individual researchers, interference with (or loss of) research is likely to limit your ability to publish first or take credit for the resulting intellectual property. This could negatively affect your reputation and ability to demonstrate the impact of your research.

 

Who are you at risk from?

A hostile state is one whose democratic and ethical values are different from our own and whose strategic intent is hostile to the UK.

A hostile state may:

  • seek opportunities to increase its own economic advantage, in particular to develop a research and innovation base to increase military and technological advantage over other countries 
  • prioritise the stability of its regime and focus on preventing internal dissent or political opposition
  • seek to deploy its technological and military advantages against its own people in order to maintain the stability of the regime

 

How might you be targeted?

Hostile state actors are targeting UK universities to steal personal data, research data and intellectual property and this could be used to help their own military, commercial and authoritarian interests.

 

International collaboration offers hostile state actors the opportunity to benefit from research without the need to undertake traditional espionage or cyber compromise. Collaboration can provide those with hostile intent access to people, IT networks, and participation in research which may be sensitive or have sensitive applications.

Individual researchers may be targeted by a hostile state actor, but equally you may also be targeted by an academic institution to undertake research which is of strategic benefit to that country.

Traditional academic engagement provides an easy route for a hostile foreign intelligence service to gain access to you, for example at a conference or research placement.

You might also be targeted through a cyber attack, such as a phishing email, which might try to trick you into revealing sensitive information or contain links to a malicious website or infected attachment.

 

What are the risks to your research?

Academic competition and plagiarism will be familiar concerns to many working in the field of research and innovation. If your research is obtained by a hostile state actor, whether through legitimate means or not, you and your research could be affected in a number of other ways:

Trust

Conducting research in a way that maintains the trust of the public and private industry is vital to the continued success of the sector. Researchers need to demonstrate that you can meet the expectations of that trust in order to access sensitive data and funding. If the data on which your research depends is stolen, inappropriately protected or misused, this may mean that your institution is not trusted with such data in the future.


Integrity

The integrity of your research methodology is as important as the integrity of the research data and outcomes. In addition to the ethical framework surrounding research, consideration should also be given to compliance with legislation and regulation such as General Data Protection Regulation (GDPR), export control and the Academic Technology Approval Scheme (ATAS). Each of these has its own conditions, and complying with one will not satisfy the conditions of the other two. Failure to comply with legislation may expose you to criminal charges or litigation.


Cumulative Risk

At an institutional and even a departmental level there is a significant risk of over-dependence on a single source of funding, whether that is from a single organisation or from a single nation. Such over-dependence creates the opportunity for funders to exercise inappropriate leverage across a range of areas, for example, pressurising an organisation where it seeks to protect freedom of speech or even academic freedom. 


Financial Loss

You and your institution may find it difficult to attract future funding if it were to be discovered that your research had been stolen by a foreign state who may not impose the same sort of controls and protections around the privacy of that data, or might seek to misuse it for unethical purposes. You could face financial loss if a competitor were to access research data or information owned by your sponsor.


Reputation

Your reputation and the reputation of your institution is critical to your future individual and institutional success. Your reputation could be damaged if it were to become apparent that your research had been exploited by the military of another country.

 

How much of a target are you?

The first step is to have an awareness of the potential threat and this needs to be combined with an understanding of what you want to protect. This should involve identifying what you value the most - the ‘crown jewels’ of your work.

Things to consider are:

  • Are there any potential ethical or moral concerns for the application of your research?
  • Could your research be used to support activities in other countries with ethical standards different from our own, such as internal surveillance and repression?
  • Could your research be of benefit to a hostile state military or be supplied to other hostile state actors?
  • Are there any dual-use (both military and non-military) applications to your research?
  • Is any of the research likely to be subject to UK or other countries’ export licence controls?
  • Do you need to protect sensitive data or personally identifiable information? This may include genetic or medical information, population datasets, details of individuals or commercial test data.
  • Is your research likely to have a future commercial or patentable outcome which you or your organisation would want to benefit from?

 

What to do if you are concerned

Every university will have different oversight arrangements for research activities. Many aspects of research and academic activity are devolved to a local level, for example, to a Head of Faculty or to an individual principal investigator (PI). There is a delicate balance for universities in protecting academic freedoms whilst trying to improve visibility of issues such as cumulative risk of investment (where the institution becomes overly dependent on single sources of funding).

If you have any concerns then please contact the Information Security team at grc@infosec.ox.ac.uk