Economic Espionage Poses Real Risks and New Burdens for Universities
The recent arrests of Chinese nationals for alleged economic espionage are raising eyebrows across American industries, which are rightly asking how they can protect themselves from becoming the next foreign target. U.S. universities have been key figures in these headlines. The risk of economic espionage is a serious one for higher education because universities are often in the position of balancing open and collaborative research goals with tight government restrictions on data use. But for those universities contracting with the U.S. government, compliance with its information security regulations is often not optional.
Universities frequently act as government contractors, performing research and development under federal grants, cooperative agreements, and traditional contracts. One of the most common agencies with which universities contract is the Department of Defense (DoD). Indeed, in the recent arrests of a university physics professor and a former graduate student from another university, the highly technical information at issue stemmed at least partially from DoD funding.
Government funding, however, comes with conditions. When a university contracts to perform technical research for the DoD, it likely triggers requirements under the Defense Federal Acquisition Regulation Supplement (DFARS) Safeguarding Rule. The DFARS Rule obligates these universities to implement a panoply of security controls on their information systems that house controlled, but unclassified, technical information. Examples of such information include source code, engineering drawings, and manuals. The controls cover technical, physical, and administrative safeguards, which seem simple in theory but are complicated and may come at a significant price to implement. What's more, the DFARS Rule requires universities to implement any additional measures that, based on known threats, are deemed necessary to provide "adequate security." Failure to implement these controls constitutes a violation of the underlying government contract and could spell costly consequences, including termination of the contract and a possible bar from future contracts.
The DFARS Rule is certainly at the vanguard of federal cybersecurity regulations, but broader regulations are waiting in the wings. Last month, the National Archives & Records Administration (NARA) proposed a long-awaited rule that would place security requirements similar to those provided in the DFARS Rule on all government contractors, not just those working with the DoD. The proposed rule would also apply to a broader set of information. While the DFARS Rule applies only to technical information, the proposed rule would apply to any form of unclassified information—technical or not—whose dissemination the government restricts. Several universities have already submitted comments on the proposed rule's security requirements, noting that they appear antithetical to the open platforms on which their research typically relies. The comments express particular concern regarding the rule's possible conflict with traditional federal policy that "fundamental research" at universities be unrestricted, despite federal funding.
Another pending issue for contractor universities hits closer to the recent headlines, relating specifically to "insider threats." Although the DFARS Rule and pending NARA rule apply only to unclassified information, many universities perform work under classified contracts as well. These contracts are generally regulated through the National Industrial Security Program Operating Manual (NISPOM). The NISPOM currently requires contractors handling classified information, including universities, to report any "adverse" information about their cleared employees, i.e., anything that negatively reflects on the integrity or character of a cleared employee, or that suggests that his or her ability to safeguard classified information may be impaired or that his or her access to classified information clearly may not be in the interest of national security. It is expected that, at some point this year, the NISPOM will be updated under what will be called "Conforming Change 2." This will require classified contractors to implement a formal insider threat program to address governance, training, and monitoring, among other issues. As foreign entities become more aggressive in infiltrating student and faculty ranks, the NISPOM will no doubt present continued compliance challenges for universities.
The inconvenient truth is that the U.S. economy is under constant attack by those seeking to pilfer our nation's greatest assets: our knowledge, technology, and innovations. Recent events have highlighted that universities are by no means immune to that risk. Quite the opposite, they are becoming prime targets. Protecting against this reality is a tall order, and the looming threat of regulatory non-compliance makes the stakes even higher.
For more information, please contact the professional(s) listed below, or your regular Crowell & Moring contact.