Open access

Improving cybersecurity measures in academic institutions to reduce the risk of foreign influence

01 Oct 2024


INTRODUCTION

Academic institutions play a critical role in the advancement of knowledge and innovation, but they are also increasingly vulnerable to foreign interference that can threaten academic freedom, research integrity, intellectual property and even national security. The increasing digitalisation of academic processes, with an unprecedented amount of remote working and studying since COVID-19, the huge amounts of data and disruptive technologies such as AI bring vulnerabilities and open up new vectors for foreign interference, in particular in the cyber domain (Piazza et al., 2023). For instance, data breaches alone in the higher education sector cost an average of $3.7M in 2023, without accounting for the impact on R&D and commercialisation opportunities (Schwartz, 2023). This research article examines the cyber risks of foreign influence on academic institutions and proposes mitigation measures.

This article aims to explore the cyber risks associated with foreign influence on academic institutions specifically and suggest effective mitigation strategies. The methodology begins with a literature review to identify key vulnerabilities and risks. Risk assessments will evaluate threats such as unauthorized data access and dependency on foreign technology. The legal interpretation methods will be used to provide textual analysis to ascertain the meaning of the law, contextual examination to understand its broader purpose, historical review to uncover legislative intent, systematic analysis to ensure coherence within the legal framework, teleological interpretation to align with the law’s objectives and comparative analysis to gain insights from similar jurisdictions.

Foreign influence poses several risks, not only to academic institutions, including risks in the digital domain related both to cybersecurity and to dependencies on foreign digital systems (hardware, software, know-how, data clouds, etc.), and as a result could lead to:

Unauthorised access and research integrity interference, as foreign entities may access sensitive research data, leading to potential espionage, interference and manipulation (Ivanov, 2023), and loss of commercialisation opportunities through loss of intellectual property and know-how (White House Office of Trade and Manufacturing Policy, 2018).

Loss of research findings or sensitive technologies or loss of control over confidential data, which may lead to sanctions.

Loss of access to research and academic data stored in third-party data clouds.

Disruptions to academic operations, such as interference with online learning platforms and administrative systems, with a cascading impact on the delivery of curricula and the education process.

Damage to reputation and the credibility of research.

The most common cyberthreats to higher education are cybertechnology attacks (viruses, malware, DDoS attacks and so on) and human-centric attacks, including insider threats (National Cyber Security Center Report, 2021). The reason for this cybersecurity vulnerability is the large attack surface, as the variety of devices, end-points and systems connected to the networks of higher education institutions increases the potential points of entry (Kost, 2024). The increasing use of cloud-based services and digital platforms, as well as ageing IT infrastructure, also contributes to the vulnerability. However, as noted above, one of the key risks is the cybersecurity awareness gap, as many faculty, staff and students lack sufficient awareness and training on cybersecurity best practices (Department for Science, Innovation & Technology. Official Statistics, 2023).

RESEARCH RESULTS AND DISCUSSION

The focus of the research will be on two themes: all-hazards risk management, cyber and kinetic; and business continuity and dependence on foreign technology, software, hardware, clouds, etc.

Comprehensive all hazard risk management system

Many academic institutions are under an obligation to have in place risk management systems or systems that are in compliance with national regulations or international standards such as ISO 31000:2018 risk management standards or the ISO 27000 cybersecurity series. The main challenges are related to the risk register (risk appetite) and to integrating risk assessment at all organisational levels. Institutions seek to limit their risk appetite to those risks that are mandated by regulation.

At the same time, there is a growing understanding of the need for all-hazards preparedness, as any one of these risks (whether it be natural disaster hazards, hybrid warfare challenges, terrorism, armed conflict or anything in between) could have a disruptive effect on the institution’s operations. As threats to the security of information systems can come from various sources, cybersecurity risk management measures should be based on an all-hazards approach, aiming to protect network and information systems and their physical environment from events such as theft, fire, flood, telecommunications or power outages or unauthorised physical access and damage (Directive (EU) 2022/2555, 2022). This is an evolving concept; for example, the European Union’s NIS 2 Directive states that risk management measures should be based on an all-hazards approach through the implementation of appropriate and proportionate technical, operational and organisational measures to manage risks to the security of network and information systems. This means not only technical measures related to cyber security, but also general operational and organisational measures (Directive (EU) 2022/2555, 2022).

Cybersecurity risk-management measures should also address various domains, such as the physical and environmental security of information systems, by including measures to protect such systems against system failures, human error, malicious acts or natural phenomena, and should address human resources security and have in place appropriate access control policies (Directive (EU) 2022/2555, 2022, Preamble 79 paragraph). Given the cybersecurity risks of foreign influence, academic institutions should not only adopt a wide range of basic cyber hygiene practices, such as zero-trust principles, software updates, device configuration, network segmentation, identity and access management, or user awareness, but also enable a broader compliance process and strategic dependency mapping of any partnership with third countries. Hostile foreign interference poses a challenge because it can manifest itself with clear intent, such as economic espionage or intellectual property theft (University Foreign Interference Taskforce, 2021). But it can also subtly undermine the scientific potential and capabilities of Western nations as part of grey zone or hybrid warfare (Braw, 2022).

In summary, the implementation of the all-hazards risk approach is beyond the scope of those responsible for specific risks and requires systematic oversight and systematic centralised coordination of compliance processes.

The second challenge is the integration of risk assessment at all organisational levels, for the academic personnel, administrative staff, students and visitors. As defined in the NIS 2 Directive, a culture of risk management should be promoted and developed, including assessing risks and implementing cybersecurity risk management measures appropriate to the risks faced (Directive (EU) 2022/2555, 2022, Preamble 77 paragraph). Another evolving concept is individual risk responsibility, and even the individual responsibility of management for implementing an appropriate risk management system (Directive (EU) 2022/2555, Article 20, 2022). In summary, institutions should have risk-informed decision-making systems in place at all levels. This calls for education and training of academic and administrative staff, as well as students. This training should be comprehensive, covering broader risk management and cyber hygiene, understanding compliance requirements, etc. (Henry Jackson Society, 2023).

Dependence on foreign technology, software, hardware, clouds, etc. Business continuity planning and resilience of supply chains

Foreign interference poses a significant risk to academic and research institutions through the disruption of their operations and supply chains. Ensuring business continuity planning and resilience is an important part of the protection of these institutions against such threats (International Organization for Standardization, 2019).

The concept of business continuity in this research is broader than just ensuring the backup and recovery of operations; it focuses on the continuity of the institution’s essential functions, even in a contentious environment and during a crisis. By developing a business continuity system, academia can continue to access essential services, data and resources even if foreign interference occurs.

One of the key elements of business continuity is the resilience of the supply chain. In the digital domain, supply chain security includes supplier or service provider resilience, taking into account the overall quality and resilience of products and services, their embedded cybersecurity risk management measures and their suppliers’ and service providers’ cybersecurity practices (Directive (EU) 2022/2555, 2022, Preamble 85 paragraph). In particular, academia and research organisations should be encouraged to incorporate cybersecurity risk management measures into the procurement and contractual arrangements they have with their direct suppliers and service providers (Directive (EU) 2022/2555, 2022, Preamble 85 paragraph).

The EU is protecting the supply chains of essential service providers by setting up non-tax barriers, such as the requirement for the EU certification system or an EU-accredited product (Directive (EU) 2022/2555, Article 2, 2022). For example, the NIS 2 Directive emphasises the obligation to use ICT products, ICT services and ICT processes that are certified according to European certification schemes for cyber security.

Other potential non-technical risk factors include undue influence by a third country on suppliers, particularly in the case of alternative governance models, hidden vulnerabilities or backdoors and potential systemic supply disruptions, particularly in the case of technological lock-in or supplier dependency (Directive (EU) 2022/2555, 2022, Preamble 90 paragraph).

A notable example is the EU’s 5G Toolbox, a comprehensive set of guidelines for the security of 5G networks, which addresses both technical (cyber) and strategic risks in relation to cyber security and foreign interference in critical infrastructure (EU toolbox on 5G Cybersecurity, 2020). For instance, the UK Government reviewed Huawei’s role due to national security concerns on research partnerships with several universities to develop and explore 5G technology (Department for Digital, Culture, Media & Sport et al., 2020). Several countries, including the United States and certain European nations, have prohibited the use of equipment from Chinese companies like Huawei and ZTE due to concerns regarding potential foreign influence (The Clean Network. U.S. Department of State, 2021). This case underscores the significance of countries and scientific institutions carefully evaluating and managing their reliance on foreign actors and technologies to safeguard autonomy, competitiveness and resilience.

To protect academic freedom and research integrity, universities should reduce dependence on foreign equipment, software, technologies, intellectual property and skills through the development of national scientific capabilities. To enhance supply chain security, institutions should institutionalise and establish a system to identify Tier 1 suppliers and their geographical distribution in order to anticipate vulnerabilities and alternatives, avoid single-source dependencies (discourage high-risk suppliers) and avoid suppliers with questionable reputations in the areas of privacy, human rights and national security (Henry Jackson Society, 2023).

Contributions in kind, such as donating equipment and technologies, or granting access to foreign data analytical capabilities for research purposes, carry inherent risks. While these contributions can provide valuable resources and expertise, they pose concerns regarding data security. For instance, the donation of equipment by Molecular Genetics Instrumentation (MGI) has sparked concerns regarding data security, intellectual property protection and the potential for foreign influence or access to sensitive research findings (Sharma and Black, 2021).

Indirect strategic dependencies on foreign technologies may not be immediately apparent but can have significant implications for scientific institutions and national security. For example, reliance on cloud computing services hosted by foreign companies or utilising software frameworks developed by foreign entities can create vulnerabilities and potential risks. There are several risks associated with storing research and academic data in third-party data clouds. These include the potential for data breaches, unauthorised access and a loss of control over the data. In addition, the availability and integrity of critical scientific information can be at risk in the event of service disruption or provider failure. There is also a growing risk of research data poisoning (the deliberate manipulation of data that is used for research and machine learning purposes), leading to incorrect or misleading results. This risk makes it critical for institutions to implement robust data verification and security measures, as it can compromise the integrity of academic work (Rakstiņš et al., 2024).

CONCLUSION

Due to the complexity of the digital ecosystem and its supply chains, and the interdependencies between cyber and kinetic domains, academic institutions need to implement a systematic and structured comprehensive risk management system to minimise foreign influence:

Establishing clear policies at all levels, structuring them as an internal in-house risk-based control system, allocating resources and defining responsibilities.

Fostering a culture of risk awareness and ensuring adequate education and training for scientists, academic staff and employees are essential to raise awareness and understanding of the risks of hostile foreign influence, including cyber security risk assessment, data security and strategic dependencies on technologies.

Implementation of robust compliance processes, including thorough due diligence on the origin of the technologies they use and minimisation of critical dependencies on foreign equipment, software and technologies.

As part of their all-hazards preparedness, academic institutions must have a comprehensive business continuity system in place to ensure that they can quickly respond to and recover from cyber attacks and disruptions, maintain business continuity, and protect their critical functions and data.

There is a toolbox of measures to mitigate and minimize the risks of foreign influence, but it requires centralized oversight and compliance. A systematic approach requires greater commitment from the institution’s leadership and staff at all levels, institutionalising the process of compliance and risk management, including procurement and international partnership.