What you need to know
Universities are important actors in trade and technology and must implement trade controls like any other actor. This is true even though the nature, purpose, and structure of universities differs from that of a typical business. Implementing trade and technology controls in universities and research institutes is often challenging, but universities should at minimum adopt a policy on this matter and train faculty, staff, and students on compliance.
Universities and research institutes differ from traditional businesses in many ways:
- Universities as technology holders: Universities tend to be more decentralized than companies, with individual departments and academics often bearing nearly total responsibility for specific projects and topics. Given this decentralized situation, responsibility for implementation of controls in universities often follows a hybrid approach where the central university administration has responsibility for the overall policy and centralized functions, whereas individual academics and departments have responsibility for implementing those policies.
- Universities as teaching institutes: Universities often provide housing for students, which may include international students. Increasingly, countries implement vetting schemes to screen international students to identify links with weapons of mass destruction or strategic programs of concern. However, universities must still take steps to identify and manage trade control risks associated with students.
- Universities and research institutes as centers of research: Universities and research institutes are perhaps the principal types of institutes where research is undertaken in the global economy. While universities were traditionally viewed as places in which basic scientific research was undertaken (as opposed to companies or government research institutes which might conduct applied research to create new products, for example), the reality is that this distinction no longer reflects reality in most countries. Universities often have commercialization teams which work to turn research into products, including by creating spinout companies. Universities also may partner with and be funded by companies or governments to undertake applied research. Given these factors, research conducted by universities is often within the scope of trade control regulations.
There are several general elements in universities and research institutes which are potentially within the scope of trade controls. Those elements include:
- Technology which includes know-how and technical information related to controlled items or technologies of concern.
- Physical items which are exported. This category tends to be less significant in universities and research institutes compared to companies, as universities generally do not ship products overseas. However, this is still an important category as universities can ship samples, research equipment, and other materials overseas.
- Technical assistance: Universities and research institutes contain expertise. When expertise is provided to external programs it can constitute technical assistance as defined in relevant export control regimes. Furthermore, technical assistance controls are not necessarily restricted solely to assistance provided to programs outside the country. Controls can also apply when the provision of the technical assistance occurs in the country if, for example, the assistance is provided to an individual who is known to be taking the technology or knowledge with them back to their country to use in a program of concern.
- Cyber intrusion and theft: as universities and research institutes often possess both large quantities of technology and emerging forms of technology, often in an electronic format, they can be a key target of nefarious cyber actors who seek to steal such technology.
In this context, universities and research institutes need to safeguard technology, including through the implementation of the following measures as described more fully in the “How” section below.
- Export controls
- Sanctions compliance
- Screening programs
The core reason that universities and research institutes must implement such measures is because they hold strategic technologies. As it is generally no longer the case that universities only conduct basic scientific research with all produced information available in the public domain, the main exemptions to export controls relating to these two categories often do not apply. Furthermore, nefarious actors actively target universities and research institutes as easier routes to acquire strategic technology than companies. As such, in the current context, it is vital that firm yet proportionate controls be implemented in universities and research institutes.
Given the decentralized nature of many universities, implementation of trade controls can be challenging. Even when central authorities are committed to compliance, it can be challenging to engage every department and academic. Implementation of controls must account for this dynamic.
At the institutional level, the institute should have a policy, tools, and training in place which accounts for the relevant range of trade control issues. This should cover export controls, sanctions compliance, vetting and cybersecurity controls. Increasingly, this toolset will be wrapped into a single internal compliance program (ICP) for the institute. In 2021, the EU published guidance on ICPs in such environments. A key element of any successful ICP is buy-in from the top level.
- Export controls: A key focus for universities and research institutes should be in identifying exports of technology that fall within the scope of export controls. This process may include building an overall picture of the work and technology which is held across university departments. It may also include reviewing research agreements which involve a foreign partner to identify technology transfer elements. When a transfer is likely to involve export controls, the university must have a system to seek relevant authorization and track the transfer such that the transfer can be audited.
- Sanctions: Universities must know if they are dealing with a sanctioned actor. This is true not only in relation to potential commercial partners from overseas, but also in relation to donors and students. If the university is dealing with a party on a sanctions list, regardless of the nature of the relationship, a systematic review should be undertaken to understand what risks—compliance and otherwise (i.e., reputational)—are involved in dealing with the sanctioned party.
- Vetting: Many countries now implement vetting controls on inbound students and staff from overseas. However, in addition to this process, universities should know whether a visitor to the campus is sanctioned or otherwise connected to programs of concern. This does not necessarily mean that the visit should not be allowed to proceed, but it may mean that steps are taken to ensure that technology transfer does not take place during the visit, for example.
- Cybersecurity: Universities should undertake cybersecurity risk assessments to identify technology that is at particular risk from nefarious cyber actors and should take additional steps to safeguard this technology. This can mean instituting a general approach to cybersecurity for all staff and students but also having silos within the university where additional safeguards are added. From a user’s perspective, this should include enabling two factor authentication and discouraging the use of third-party IT accounts and services (such as Dropbox). From a university infrastructure perspective, the university must provide secure storage and data transmission tools. Use of managed services such as Office 365 can be a robust alternative to on-premises infrastructure offerings, not least because Office 365 can meet relevant IT security standards such as NIST 800.
The key challenge for universities is engaging departments and individual academics in implementation of controls. Adoption of a policy on controls at the upper-administrative level alone is not enough. The goal should be to ensure that neither the university at large nor individual academics violate the policy. At minimum, universities should implement a training and awareness-raising program to ensure that individual academics are aware of the controls. This program should be documented. This documentation is necessary because in the case that a transgression should occur, the university should be able to demonstrate that the academic was aware of the controls but did not comply with them. In practice, central authorities should work hand in hand with individual departments and academics to ensure controls are adhered to by all parties involved. To this end, the university should leverage key touch points, such as research grant approval processes, to identify new international cooperation areas that could be affected by controls.
- Universities and research institutes are important holders of technology and providers of technical assistance. They must implement effective trade controls in a way that is both effective and that does not harm their overall mission as centers of education and research.
- It can be challenging to implement such controls in universities because of the decentralized nature of many institutions. At the institutional level, universities should, at minimum institute a police and training program. This program should cover export controls, sanctions screening, vetting, and cybersecurity.
EU Guidance on internal compliance programmes for dual-use trade controls under Council Regulation. https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32019H1318&rid=8