Safeguarding Academia
Observations on the NCSC bulletin
Just this week a new bulletin was released by the National Counterintelligence and Security Center (NCSC) on Safeguarding Academia, developed in partnership with a host of Federal Agencies, including the National Science Foundation (which is why it caught my eye). Surely, I thought, with the combined expertise of organizations like NSF, NIST, and the intelligence community we would finally start to see some serious guidance for academia pertaining to research security. Perusing the ToC, I see three pages on “cyber intrusions”: be still my beating heart.
There are two sorts of disappointment in life. One, the “opening the refrigerator believing there is leftover pizza, and being wrong”, and the other, “falling in love only to have the object of your affection not even notice your existence”. Safeguarding Academia falls into the former category. You stand, staring into the refrigerator, only to be met by a jar of pickled beets: so much promise, but you’re left with only the cool breeze wafting from the open door, asking, “where did I go so wrong in my life?”
Safeguarding Academia: Protecting Fundamental Research, Intellectual Property, Critical Technologies, and the U.S. Research Ecosystem (or simply SA from here on in) “provides guidance for the U.S. academic community to promote a research ecosystem that balances openness, collaboration, integrity, fairness, responsibility, and security.1” The preamble states that it recognizes that international collaboration is critical to the US scientific ecosystem. It strives to provide guidance that acknowledges the essential nature of international collaborations for modern science, all while pointing out many of the threats these collaborations bring.
I do like the structure of the bulletin. The table of contents is:
An overview of the challenge
The risk environment
The impact of threats
Indicators to watch for
Mitigations
Reporting on activity
Though this could be the ToC for any organization’s security strategic plan.
Maybe I’m just too jaded, having worked in this space for so long, but the entire document simply feels performative: here’s something we can point to that shows we’re doing something about the problem. The content, while perfectly accurate, offers nothing new or helpful. For example, it calls out:
Foreign actors, particularly the Chinese
They’re after any research, not just classified programs
They poach talent, students and faculty, and the term Elicitation is used to describe chatting people up to glean information.
Shocking and surprising, I know. But there is a section on mitigations, chock full of helpful specifics, for example, the Secure Your Research section recommends,
Protect the people, places, technology, and data…
“Consider” encrypting data and using MFA
Segregate research…
Establish reporting procedures and educate faculty…
Use appropriate legal frameworks…with explicit language.
While a school new to the challenges and rationale for research security may find this engaging, that engagement will surely soon turn to frustration; the more mature institution will probably start with frustration. Though the outline of the document is fine, it neither references other relevant work done for each topic, nor do the recommendations go beyond broad generalizations: “Build and foster a strong security culture by creating an environment that enables, encourages, and educates faculty, administrators, staff, and students towards security-savvy behaviors.” Nowhere in the document do the words ‘budget’ or ‘investment’ appear. It’s like your doctor saying “eat better” or “get some exercise”. OK, that’s not worked for the past 45 years, I guess it’ll work now.
I want to pivot to two related questions, one on the nature of what constitutes ‘guidance’ and the other, how documents like this may best be understood as diversionary.
The etymology of the word ‘guide’ appears to have developed out of the notion of ‘to show the way’ - with some flavor of ‘to look after’ depending on where and when you start looking2. That is, there’s an active component to the idea of guidance. I don’t hire a guide who simply says “follow this path you’ll end up on the peak.” Nor do I want a guide that adds mere warnings as details: “oh, and there’s an ice crevasse that’s quite dangerous, bring rope.” This is all very nice to know, but a guide in the sense we usually think of it may not be hand holding, but close. Notice how a good navigation app will say, “ok, turn left in 600 feet” or “rerouting, you missed the turn…”. Now that’s a guide. It leads you to where you’re going and nudges you at critical points. What it certainly doesn’t do is say “oh, if you don’t listen to me, you’ll end up driving off a cliff.”
If we look at the guidance in the SA bulletin, we see plenty of warnings (what I like to call security porn): “In April 2024, a student from China studying at a music college in Boston was sentenced to nine months in prison for stalking and threatening a fellow Chinese student who posted campus fliers supporting democracy in China. The perpetrator threatened to chop off the victim’s hands for posting the fliers and alert China’s security services so they could target her family in China.” Or “In December 2024, a U.S. university paid the Department of Justice a fine of more than $700,000 for failing to disclose that one of its researchers was being funded by a foreign government, while also seeking and receiving taxpayer research funds from NASA.” These are both instructive (and horrific), but they’re not presented as “an event we can learn from”; rather, they’re provided more as evidence that “bad things can happen.”
I’m picturing my navigation app showing me pictures of bodies in the mountains of climbers that went off the path.
If we examine the actual guidance the SA bulletin provides, as I mentioned above, it feels less like guidance and more like life coaching. I’m told to eat more healthily, but not given meal planning advice. You’re asked to consider, “Are there any potential ethical or moral concerns related to the application of your research? Could your research be used to support activities in other countries with ethical standards incompatible with our own, such as internal surveillance and repression?3” Perfectly reasonable questions for any form of research. Yet guidance shouldn’t be fodder for an undergraduate introduction to philosophy class, rather, it should help you with the decision tree for that analysis specific to scientific research. That’s actually quite nuanced and difficult. I know several Federal agencies are working on their own decision trees to help triage and identify grant proposals that could engender research with a national security dimension. So the expertise already exists, but it’s missing from the bulletin.
But it’s the second of my two questions that’s giving me cognitive dissonance. This is the delta between a perfectly reasonable set of concerns and the behavior of the Federal Government with regard to cybersecurity and data protections.
Trump offers to double the number of Chinese students.
Trump slashes the staff in half at the Office of the Director of National Intelligence.
Trump potentially exposes all of our social security information to foreign adversaries.
Trump concedes cyberspace to Russians.
Trump decimates CISA.
On one hand, we have re-invigorated attention to the issue of research security. On the other (and much more consequentially) we have a nearly complete surrender in the cyberwar with Russia, and possibly all adversarial countries, to further personal political aims. This forces us to ask not only what the purpose of the SA bulletin is but, more critically, what forces are at work that engender it.
This is not to suggest it plays a role in some fringe conspiracy theory4. Bulletins like SA do take on a life of their own, sprung from the innocent and isolated work of a person, a workgroup, an office, or an agency. It’s more how it functions that is troubling. Does it move the needle on galvanizing academia on research security? Does it provide actionable guidance an institution can follow and implement? Is it a compendium of extant guidance, or does it deeply explain what is being developed? The answer to all these questions is clearly “no”. But it does create the illusion of activity; it points out a problem we’ve been discussing since at least NSPM-33 was released almost 5 years ago. And thus my labeling it a kind of diversion. Not by design, but by giving the illusion of activity, it serves to divert from the broader anti-American leadership efforts stemming from the administration.
My hope is that we begin to see improved guidance (or dare I say actual regulations) that advance the cause of research security. I would argue that the added burden of the attack on national defense wrought by the Trump administration makes enhancing research security not merely more difficult, but far more important.
Page 1.
Page 3.
A thing is not a theory when the conspiracy is neither hidden nor disavowed. Take the accusation that Trump is a Russian asset. He’s not hiding it, he’s acting it out on the world stage. Whether he’s an asset or a useful idiot is irrelevant. He’s openly doing Putin’s bidding.


