Page 1
The Evolving Security Paradigm -- The Challenge for Research Universities
Richard A. Johnson, EDUCAUSE
May 2004
Page 2
- “Openness v. Security” -- Review 10 Key Reasons for the Changing Security Framework Affecting Universities, Non-Profit Research Institutes and IT
- Dealing with a Web of Interrelated but Distinct Federal Regulatory and Policy Frameworks for Security that are Broadening and Deepening
  - Export controls as an “A” list priority -- ITAR and EAR
  - OFAC and transborder information flows
  - Information controls (“in the formative stage”)
  - Federal funding and “regulation by contract”
  - Visas -- MANTIS and the Technology Alert List
  - Federal R&D agenda
  - Economic and high-tech espionage measures
Page 3
Reasons for the Changing Security Framework for Universities
1. More complex world: 9/11 and the anthrax attacks changed everything
- National security now has multiple forms -- WMD; cybersecurity and IT systemic damage; critical infrastructure; economic crises; and terrorism
- States, non-state actors and threat diffusion -- who’s the enemy?
- The growth of “dual use” research -- increasing threat that it can be used for harm (ex. Mousepox paper, advanced IT)
- New national research agenda driven by the perceived imperatives of the “new” security
- “No one size fits all”
Page 4
Reasons for the Changing Security Framework for Universities
2. The public trust -- competing concerns
- Refocuses attention on the university as both an institution of public trust and a source of societal solutions
- Role of independent creators and arbiters of knowledge; impartial scholarship and taking research wherever it leads
- Implications of becoming viewed as “unpatriotic”: threatens public support for the research mission of academic institutions and taxpayer support for funding fundamental research
3. The growing intersection of cutting-edge science, technology and engineering research with national security, foreign policy and homeland security
Page 5
Reasons for the Changing Security Framework for Universities
4. The evolving role of the research university in the 21st C.
- Increasing globalization of universities and research in a security paradigm that remains rooted in nation-state defense
- Increasing breadth and depth of multidisciplinary research, with many of the most interesting intellectual challenges at the interfaces
- Changing innovation and economic development roles
- Shifting approaches to fulfilling its core missions
- Emerging new legal status -- Madey v. Duke reasoning
Page 6
Reasons for the Changing Security Framework for Universities
5. Increasing intersection of non-traditional disciplines with post-9/11 regulatory framework (and growing disconnects)
- Ex. -- Life sciences as a major security pressure point -- biological agents, toxins and chemical precursors
  - Greatest increased threat; most unpredictable
  - No culture of security; least govt. security experience
  - Material transfers
  - Controlling underlying information and data
  - Regulatory uncertainty -- Select Agents (export controls, state regs, Patriot Act, Biopreparedness Act)
Page 7
Reasons for the Changing Security Framework for Universities
6. Government security unease with university “exceptionalism” and divergent world views
- Growing perception that universities “are not serious” about compliance, reinforced by a “we-them” divide
- Corporate complaints that universities “aren’t playing by the same rules”, with competitive implications
- University openness on the defensive -- GAO Report (2002); OIG Reports (2004); Congressional oversight
- “Enhanced” compliance and enforcement focus
- Fall 2003 -- Federal interagency export control investigation/audit of 14 research universities
Page 8
Reasons for the Changing Security Framework for Universities
7. A growing shift from “the right to know” to “the need to know” as an operating principle of government
8. Tensions within the security community about the role of research universities
- How do you define national security? Over what time?
- Will the research community initiate and accept tough new self-governance and self-regulatory measures, or must they be imposed?
- Will national security policy tilt toward advancement at the frontiers of knowledge or protection of current technology?
Page 9
Reasons for the Changing Security Framework for Universities
9. The changing allocation of federal R&D
- Defining new areas of security-related research responsibilities
  - cybersecurity (ex. NSF)
  - homeland security S&T (ex. DHSARPA)
  - bioterrorism and public health (ex. NIH/NIAID and CDC)
- Fund translational tasks: research to useful applications fast
- Short-term security applications v. long-term security solutions: who gets funded for what?
Page 10
Reasons for the Changing Security Framework for Universities
10. Universities as “critical infrastructure” and “vulnerable” targets
- Universities are one of the most porous gateways to cutting-edge knowledge and technology -- including vast amounts of useful information on networks/databases
- Ex: Cybersecurity
  - prevent attacks from universities (hijacked computing power)
  - prevent attacks within universities (high levels of security)
  - access to networks and info flows; information-sharing
  - internal controls and security processes as a source of key, innovative research in IT
Page 11
U.S. Export Controls and Trade Sanctions
Purposes: U.S. export controls have multiple goals that sometimes conflict
- Advance Foreign Policy Goals
- Restrict Exports of Goods and Technology That Could Contribute to the Military Potential of Adversaries
- Prevent Proliferation of Weapons of Mass Destruction (nuclear, biological, chemical)
- Prevent Terrorism
- Fulfill International Obligations
Page 12
Export Controls
- Covers all U.S.-origin goods, technology or information (jurisdiction follows the item worldwide) not in the public domain
  - ex. “deemed exports” to foreign nationals in the U.S.
  - ex. int’l scientific collaborations and conferences
  - ex. technology and information related to tangible goods and prototypes, plus encrypted software
- ITAR v. EAR
- Fundamental research and public domain exemptions -- “yes, but”
Page 13
Export Controls
- Post 9/11 exacerbates existing export control issues: uncertainty, complexity, limited transparency, lack of flexibility, and few procedural protections
- Exports of most high-technology and military items, and associated technology and information, are subject to U.S. export controls (require either a license or an applicable exemption) -- an increasing amount of university research is covered
- Increasing compliance risks and administrative burden for the institution, for individual faculty members and for international collaborations and the “openness” of campus
- Criminal and civil penalties taken seriously
- Increasing number of government investigations/audits
- Imperil federal funding
Page 14
International Traffic in Arms Regulations (“ITAR”) -- State Dept.
- Regulates goods and technology designed to kill people or defend against death in a military setting (“munitions” or “defense articles”)
- Includes space-related technology and research; increasing applicability to other university research areas such as nanotechnology/new materials, sensors, life sciences and advanced IT components
- Covers “defense articles” (includes tech data, which encompasses software, unlike EAR) and “defense services” (certain information to be exported may be controlled as a “defense service” even if in the public domain)
  - Includes technical data related to defense articles and defense services (furnishing assistance including design, engineering, and use of defense articles)
Page 15
Export Administration Regulations (“EAR”) -- Commerce Department
- Covers dual-use items: 10 CCL categories of different technologies covering equipment, tests, materials, software and technology
- Regulates items designed for commercial purposes but that can have military or security applications (e.g., computers, pathogens, civilian aircraft)
- Covers goods, test equipment, materials, technology (tech data and technical assistance) and software
- Also covers “re-export” of “U.S.-origin” items outside the United States
Page 16
U.S. Export Controls and Trade Sanctions
“Deemed” Exports
- U.S. export controls cover transfers of goods and technology within the U.S. (the transfer outside the U.S. is deemed to apply when a foreign national receives the information in the U.S.)
  - Applies to technology transfers under the EAR and the provision of ITAR technical data and defense services
  - Unless the fundamental research exemption applies, a university’s transfer of controlled technology to a non-permanent-resident foreign national who is not a full-time university employee in the U.S. may be controlled and/or prohibited
  - Visa status important: a permanent resident (“green card holder”) has the same right to controlled information as a U.S. citizen
Page 17
Export Controls -- Fundamental Research (FR) Exemption
- FR exemption: applies to basic or applied scientific or engineering research at an accredited university in the United States; ITAR FR excludes research abroad
- No FR exemption if accepting restrictions on publication or any “access and dissemination” controls
- No FR exemption if research results are proprietary
- Expansion of technologies ineligible for FR (encryption, biotech, composite materials)
Page 18
Export Controls -- Public Domain Exemption
Exemption for published information through one or more of the following:
- libraries open to the public
- unrestricted subscriptions for a cost not exceeding reproduction/distribution (including reasonable profit)
- published patents
- conferences, seminars in the United States accessible to the public for a reasonable fee and where notes can be taken (ITAR) -- or also abroad only if EAR
- generally accessible free websites w/o knowledge
- general science/math principles taught at universities
Page 19
U.S. Export Controls and Trade Sanctions
Application to University Research
- Export of research products
  - Certain oceanography or marine biology equipment may be controlled by ITAR
  - Specially designed electronic components could be controlled
- Temporary transfer of research equipment abroad
  - Carrying scientific equipment to certain destinations for research may require authorization (e.g., Iran, Syria, China, etc.)
- Software
  - Software that is provided to the public for free may not require licenses, but proprietary software of controlled technology could require licensing
  - Encryption technology could require licenses or could be prohibited for transfers to certain foreign nationals/countries
  - Source code licenses as “dissemination controls”
Page 20
U.S. Export Controls and Trade Sanctions
Application to University Research (cont’d)
- Corporate grants may limit access by foreign nationals
  - Proprietary restrictions or restrictions on publication by corporate grants may invalidate fundamental research
  - Could trigger licensing requirements for certain foreign nationals
- Conferences
  - Potential restrictions on participants or information flows
  - Inability to co-sponsor with certain countries or groups (e.g., restrictions on co-sponsoring a conference with the Iranian government)
- Transfer of defense services
  - Potential license requirements for work with foreign nationals to launch a research satellite or develop advanced cyberinfrastructure
Page 21
U.S. Export Controls -- the breadth of export control issues
- Software license terms -- especially source code; software license terms as “access and dissemination controls” that invalidate the fundamental research exemption
- Server access: a demanding compliance challenge because you must be able to prove the negative
  - Can you show that non-US persons do not have access to export-controlled technical data?
  - Can you demonstrate that nothing on the open server is export-controlled?
  - Do you know the export classifications of the technology and software on the university’s servers?
Page 22
OFAC and U.S. Trade Sanctions
- U.S. economic sanctions focus on the end-user or country rather than the technology
- Embargoes administered by the Office of Foreign Assets Control, U.S. Department of Treasury (“OFAC”)
  - Prohibitions on trade with countries such as Iran, Cuba
  - Restrictions on travel
  - Limitations on activities in certain areas of countries or with certain non-state actors
- OFAC prohibits payments or providing “value” to nationals of sanctioned countries and to specified entities even if the country is not subject to sanctions (ex. sponsorship of an academic conference in Iran)
- Separate prohibitions under the ITAR and EAR
  - ITAR proscribed list/sanctions (e.g., Syria, or requirement for presidential waiver for China)
  - EAR restricts exchanges with some entities and universities in India, Israel, Russia, etc. because of proliferation concerns
Page 23
OFAC and Transborder Information Flows
- Berman amendment -- transactions in “information and informational materials” exempt from OFAC trade sanctions
- OFAC policy -- (1) info not fully created on the date of the transaction, or substantive/artistic alteration of info, is not exempt; and (2) can’t provide anything of “value” without prior U.S. government approval
- Peer reviewed journals and the controversy over editing Iranian manuscripts
Page 24
Information Controls -- “fumbling like newlyweds in an arranged marriage”
- Pressure from federal funding sponsors to control access to and limit dissemination of certain research
- Proposed designations between classified and unclassified (NSDD-189)
  - “Sensitive but unclassified” information
  - “Critical research technology”
- Withdrawal or limitations on public domain information
- Pre-publication reviews
- Problems with sponsors’ documents -- “sensitive”; “no foreign nationals”, “special access conditions”
Page 25
Information dissemination -- “sensitive” and other restrictive designations
- NSDD-189: Reagan Cold War decision (1985)
  - Fundamental research generally should be unrestricted
  - Use classification only if national security requires control
- Card memo to federal agencies (3/19/02)
  - withhold “sensitive but unclassified” information; OMB review
  - no “inappropriate” disclosure of govt. info or data; denying researcher access to even unclassified govt. information
- DoD proposal for “critical research technology” (2002)
- OHS/NSC: “sensitive homeland security information”
Page 26
Sensitive and other restrictive designations for university information
- DoD “Critical research technologies” (March 2002)
  - Publication control over all DoD-funded research, including fundamental research; criminal penalties
  - New restrictions on foreign nationals if CRT
  - Travel reporting and restrictions
- New DoD Draft Directive (Nov. 2002) “Controlled Unclassified Information”
  - Largely focused on research within DoD
  - Recognizes NSDD-189
  - DoD reviews of certain unclassified research deemed “critical” to national security still alive
Page 27
Emerging Problems with Information Controls for IT/Research Offices
- Problems in defining what is “sensitive”
  - Reasons unrelated to national security
  - Short-circuiting public debate
  - State FOIAs for land-grant universities
- What is the presumption for or against publication? How to overcome whatever presumption is set?
- Who decides what is dangerous? Process? Appeals?
- Can you develop rules to restrict WMD information without an “overbreadth” effect on other S&T research?
- Risk-based security model: no one size fits all
Page 28
Emerging Problems with Information Controls for Research Administrators
Other pragmatic, administrative burden issues confronting the research community related to information:
- Defining categories of information and materials
- Setting levels of access/restriction
- Deciding on the appropriate body to regulate and oversee -- in government and on campus
- Establishing and implementing international norms
- Applicability of other non-classified models to post-9/11 (ex. proprietary data, patient confidentiality)
Page 29
Information Controls -- New National Science Advisory Board for Biosecurity (NSABB)
- Guidance for all “dual use” biological research and criteria for “acceptable” dual use research
- Not mandatory, but the “stick” will be “conditionality” of federal funding
- Development of new “security” culture programs
- NSABB’s role will extend to publication and communication of research results and methods
- “New level of sensitivity” for information flows
Page 30
Sensitive and other restrictive designations for university information
National Academies “action points” for the scientific, engineering and health community
- Are there unclassified areas of research that should be classified?
- How can universities monitor this issue as science and potential threats change over time?
- Need for new security procedures for research materials?
- How to detect new potential threats, and opportunities to counter them, and then convey them to government agencies in a timely manner?
Page 31
Sensitive and other restrictive designations for university information
National Academies “action points” for policymakers
- How to apply the principle of “high fences around narrow areas” in the new security environment to achieve the proper balance?
- How can these decisions be made at the outset of a research project to avoid disruptions?
- How to avoid vague and unpredictable categories such as “sensitive but unclassified” information?
- How best to enlist universities for both unclassified and classified research needed for counterterrorism?
Page 32
Federal Funding and “Regulation by Contract”
- Contracts and funding are becoming the new lever of power rather than new regulations -- federal $$$ increasingly linked to new contractual restrictions and compliance with government information policies
- AAU/COGR “Troublesome Clauses” Report (2004) -- sample reported 180 instances in the last 6 months
  - restrictions on publication
  - new types of access and dissemination reviews
  - limitations on the use of foreign nationals
  - both a government and a corporate subcontract problem