II.
Policies for Openness and Information Control

Openness and communication are foundations of modern science. The generation of new ideas arises from having access to the work of others; thus, the newest discoveries must be published or presented. However, the sharing and publication of research results, while advancing the aggregate knowledge of researchers working in a given field of science, also can provide access to those who would use such information to harm others. Policies aimed at limiting access by malicious parties, if not well conceived, can constrain the efforts of those desiring to put such information to good use. Thus, developing and implementing measures to control access to sensitive information must balance the overall costs of such controls to the research community and the public against the anticipated effectiveness of such measures to enhance security.

There are several principal mechanisms currently aimed at restricting the conduct and dissemination of research: 1) classification; 2) export control (including so-called deemed exports—i.e., access by non-U.S. citizens to information and equipment while in the United States); 3) provisions in federal contracts that curtail openness in fundamental research (such as sensitive but unclassified [SBU]);4) statutes controlling the conduct of certain types of research (e.g., biological research with select agents); and 5) self-governance by the scientific community.10 During the regional meetings convened by the committee, various aspects of these control mechanisms were raised by participants who expressed concerns widely held in the scientific community that some controls were being inappropriately applied. These sentiments reflect those of others who have noted that “Rational and well-conceived restrictions do remain necessary, but they can and must be applied to substantially fewer areas of scientific inquiry and technology development than in Cold War days. No rationale remains for a large, overreaching list of controlled items and subject areas.”11

10

Center for Strategic and International Studies (CSIS). 2005. Security Controls on Scientific Information and the Conduct of Scientific Research. Washington, D.C.

11

Mitchel B. Wallerstein. 2003. “After the Cold War: A New Calculus for Science and Security.” Academe. 89(5):10-15.



The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.
Terms of Use and Privacy Statement



Below are the first 10 and last 10 pages of uncorrected machine-read text (when available) of this chapter, followed by the top 30 algorithmically extracted key phrases from the chapter as a whole.
Intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text on the opening pages of each chapter. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

Do not use for reproduction, copying, pasting, or reading; exclusively for search engines.

OCR for page 27
Science and Security in a Post 9/11 World: A Report Based on Regional Discussions Between the Science and Security Communities II. Policies for Openness and Information Control Openness and communication are foundations of modern science. The generation of new ideas arises from having access to the work of others; thus, the newest discoveries must be published or presented. However, the sharing and publication of research results, while advancing the aggregate knowledge of researchers working in a given field of science, also can provide access to those who would use such information to harm others. Policies aimed at limiting access by malicious parties, if not well conceived, can constrain the efforts of those desiring to put such information to good use. Thus, developing and implementing measures to control access to sensitive information must balance the overall costs of such controls to the research community and the public against the anticipated effectiveness of such measures to enhance security. There are several principal mechanisms currently aimed at restricting the conduct and dissemination of research: 1) classification; 2) export control (including so-called deemed exports—i.e., access by non-U.S. citizens to information and equipment while in the United States); 3) provisions in federal contracts that curtail openness in fundamental research (such as sensitive but unclassified [SBU]);4) statutes controlling the conduct of certain types of research (e.g., biological research with select agents); and 5) self-governance by the scientific community.10 During the regional meetings convened by the committee, various aspects of these control mechanisms were raised by participants who expressed concerns widely held in the scientific community that some controls were being inappropriately applied. These sentiments reflect those of others who have noted that “Rational and well-conceived restrictions do remain necessary, but they can and must be applied to substantially fewer areas of scientific inquiry and technology development than in Cold War days. No rationale remains for a large, overreaching list of controlled items and subject areas.”11 10 Center for Strategic and International Studies (CSIS). 2005. Security Controls on Scientific Information and the Conduct of Scientific Research. Washington, D.C. 11 Mitchel B. Wallerstein. 2003. “After the Cold War: A New Calculus for Science and Security.” Academe. 89(5):10-15.

OCR for page 27
Science and Security in a Post 9/11 World: A Report Based on Regional Discussions Between the Science and Security Communities National Security Decision Directive 189 (NSDD-189) During the 1980s, the acquisition of advanced technology from U.S. universities and federal laboratories by Eastern Bloc nations for enhancing their military capabilities was perceived as a significant threat to national security. In 1982, the Department of Defense and the National Science Foundation asked the National Academy of Sciences to assess the need for controls on scientific information. The resulting report, Scientific Communication and National Security, also known as the “Corson Report” after its chair, Dale Corson, President Emeritus of Cornell University, concluded that, while there “has been a significant transfer of U.S. technology to the Soviet Union, the transfer has occurred through many routes with universities and open scientific communication of fundamental research being a minor contributor.”12 In response to the Corson Report and other concerns about the effect of government restrictions on the free flow of scientific information, NSDD-189 was issued by President Ronald Reagan to set forth official national security policy for the guidance of the defense, intelligence, and foreign policy establishments of the U.S. government. (See Box 2A.) In developing this directive, administration officials were cognizant that the U.S. leadership position in science and technology was essential to economic and physical security, requiring “a research environment conducive to creativity, an environment in which the free exchange of ideas is a vital component.”13 Today, many believe that if it were determined that the greater threat is more economic than physical, it would not change the need for or the currency of the directive. 12 National Academy of Sciences, National Academy of Engineering, and Institute of Medicine. 1982. Panel on Scientific Communication and National Security. Scientific Communication and National Security. Washington, D.C.: National Academy Press. 13 Ibid.

OCR for page 27
Science and Security in a Post 9/11 World: A Report Based on Regional Discussions Between the Science and Security Communities BOX 2A: NSDD-189 September 21, 1985 NATIONAL POLICY ON THE TRANSFER OF SCIENTIFIC, TECHNICAL AND ENGINEERING INFORMATION I. PURPOSE This directive establishes national policy for controlling the flow of science, technology, and engineering information produced in federally-funded fundamental research at colleges, universities, and laboratories. Fundamental research is defined as follows: "'Fundamental research' means basic and applied research in science and engineering, the results of which ordinarily are published and shared broadly within the scientific community, as distinguished from proprietary research and from industrial development, design, production, and product utilization, the results of which ordinarily are restricted for proprietary or national security reasons." II. BACKGROUND The acquisition of advanced technology from the United States by Eastern Bloc nations for the purpose of enhancing their military capabilities poses a significant threat to our national security. Intelligence studies indicate a small but significant target of the Eastern Bloc intelligence gathering effort is science and engineering research performed at universities and federal laboratories. At the same time, our leadership position in science and technology is an essential element in our economic and physical security. The strength of American science requires a research environment conducive to creativity, an environment in which the free exchange of ideas is a vital component. In 1982, the Department of Defense and National Science Foundation sponsored a National Academy of Sciences study of the need for controls on scientific information. This study was chaired by Dr. Dale Corson, President Emeritus of Cornell University. It concluded that, while there has been a significant transfer of U.S. technology to the Soviet Union, the transfer has occurred through many routes with universities and open scientific communication of fundamental research being a minor contributor. Yet as the emerging government-university-industry partnership in research activities continues to grow, a more significant problem may well develop. III. POLICY It is the policy of this Administration that, to the maximum extent possible, the products of fundamental research remain unrestricted. It is also the policy of this Administration that, where the national security requires control, the mechanism for control of information generated during federally-funded fundamental research in science, technology and engineering at colleges, universities and laboratories is classification. Each federal government agency is responsible for: a) determining whether classification is appropriate prior to the award of a research grant, contract, or cooperative agreement and, if so, controlling the research results through standard classification procedures; b) periodically reviewing all research grants, contracts, or cooperative agreements for potential classification. No restrictions may be placed upon the conduct or reporting of federally-funded fundamental research that has not received national security classification, except as provided in applicable U.S. Statutes. [stamped:] UNCLASSIFIED According to the directive, fundamental research is defined as “basic and applied research in science and engineering, the results of which ordinarily are published and shared broadly within the scientific community, as distinguished from proprietary research and from industrial development,

OCR for page 27
Science and Security in a Post 9/11 World: A Report Based on Regional Discussions Between the Science and Security Communities design, production, and product utilization, the results of which ordinarily are restricted for proprietary or national security reasons.”14 NSDD-189 is still in effect more than 20 years later. However, since September 11, 2001, there has been increased concern in the academic community that its spirit and intent could, and perhaps have begun to erode as security concerns increase. At the committee’s first regional meeting in May 2006, Professor Richard K. Lester, Professor and Director of Industrial Performance Center, the Massachusetts Institute of Technology (MIT), summarized the tensions between openness and security: The fact that universities and businesses need the free flow of ideas and knowledge while government needs to keep its citizens safe and to prevent weapons or knowledge of how to make weapons from falling into the hands of the wrong people, these differences and the tensions that are implicit in these differences are likely to grow more rather than less pronounced as time goes on. We must assume that the security imperatives of the government will become more challenging rather than less over the coming years and decades, and at the same time it seems likely that the importance of the university's role as a public space in an increasingly globalized innovation process will also grow.15 In the months following the September 11 attacks, the Bush administration reaffirmed the intent of NSDD-189. The then Assistant to the President for National Security Affairs, Condoleezza Rice, confirmed that “the policy on the transfer of scientific, technical, and engineering information set forth in NSDD-189 shall remain in effect, and we will ensure that this policy is followed.”16 14 National Policy on the Transfer of Scientific, Technical and Engineering Information, September 21, 1985. Available at www.fas.org/irp/offdocs/nsdd/nsdd-189.htm. Accessed December 28, 2006. 15 Richard K. Lester. 2006. Remarks made at the Committee on a New Government-University Partnership for Science and Security Northeast Regional Meeting at Massachusetts Institute of Technology. May 16. Available at www7.nationalacademies.org/stl/032895.pdf. Accessed February 14, 2007. 16 Letter from Condoleezza Rice to Harold Brown, Center for Strategic and International Studies, November 1, 2001. Available at www.fas.org/sgp/bush/cr110101.html. Accessed February 14, 2007.

OCR for page 27
Science and Security in a Post 9/11 World: A Report Based on Regional Discussions Between the Science and Security Communities NSDD-189’s application to fundamental research conducted in U.S. universities cannot be overemphasized. Both the Export Administration Regulations (EAR) of the Department of Commerce and the Department of State’s International Traffic in Arms Regulations (ITAR) acknowledge that NSDD-189 language provides an exclusion for certain research activities at colleges and universities in the United States from the application of the export regulations, provided that the institution does not accept restrictions (publication or access dissemination) that nullify the exclusion itself. Nonetheless, concerned about an erosion of the protections to fundamental research offered by NSDD-189, in 2002 the presidents of the National Academies issued a statement calling upon the government to affirm and maintain the general principle of NSDD-189: A successful balance between these two needs—security and openness—demands clarity in the distinctions between classified and unclassified research. We believe it to be essential that these distinctions not include poorly defined categories of ‘sensitive but unclassified’ information that do not provide precise guidance on what information should be restricted from public access. Experience shows that vague criteria of this kind generate deep uncertainties among both scientists and officials responsible for enforcing regulations. The inevitable effect is to stifle scientific creativity and to weaken national security.17 The directive does not assert that the open dissemination of unclassified research is without risk. Rather, it asserts that openness in research is so important to security and other key national objectives that it warrants the risk that our adversaries may benefit from scientific openness as well. In June 2005, the Center for Strategic and International Studies (CSIS) issued a report stating that NSDD-189 remains “the central principle 17 The National Academies. 2002. Statement on science and security in an age of terrorism from Bruce Alberts, William A. Wulf, and Harvey Fineberg, Presidents of the National Academies. October 18. Available at www8.nationalacademies.org/onpinews/newsitem.aspx?RecordID=s10182002b. Accessed February 14, 2007.

OCR for page 27
Science and Security in a Post 9/11 World: A Report Based on Regional Discussions Between the Science and Security Communities governing security controls over fundamental research.”18 It also cited growing concerns about the effects of classification trends on fundamental research and the growing requirements for “deemed exports” (see discussion below). CSIS warned that the creeping nature of these controls creates ambiguity, results in discrimination, and creates delays and inflexibility that can hinder discoveries and scare away talent. The CSIS report noted that the security benefits of such policies are modest when weighed against the risks of such policies to U.S. technological leadership. Many university officials who spoke to the committee during its regional meetings shared the same sentiments. They reported that their previous reliance on NSDD-189 to exempt unclassified research from controls is being eroded due to a growing tendency to label research as “sensitive but unclassified (SBU)” and thereby to require restrictions on publication and sharing. In addition, they cited concerns about moves to increase the scope of “deemed export controls,” in the context of research conducted by foreign nationals in the United States (see further discussion below). It is not only that labeling research as “sensitive” can imply restrictions on publication and sharing, but there also is the converse problem that restrictions on sharing, for example, the requirement that a publication be reviewed by a sponsor prior to sharing with others, can cause the research to lose its status as “fundamental research.” It may then be ineligible for the fundamental research exclusion in export control regulations and thus de facto require an export license. In the regional meeting, some participants pointed out that universities are among a few limited institutions where one can openly conduct fundamental research that has potential implications for national security and that also has great potential for societal benefits. (See Box 2B.) In addition, the increasingly blurred distinction between fundamental and more applied research (particularly in the field of biology) makes for uncertainty in trying to draw a bright line between research that is subject to controls and that which is not. Stanford University President John L. Hennessy warned the committee that “Restricting access to projects or access to information is fundamentally antithetical to how we work. Although there are cases where limited access to sensitive information is needed and that information can be encapsulated without further damaging the nature of the 18 Center for Strategic and International Studies (CSIS). 2005. Security Controls on Scientific Information and the Conduct of Scientific Research. Washington, D.C.

OCR for page 27
Science and Security in a Post 9/11 World: A Report Based on Regional Discussions Between the Science and Security Communities research, such situations are not the norm and cannot become commonplace.”19 BOX 2B Wireless Sensor Networks for Military and Homeland Security Applications Advances in integrated circuit technology make it possible to combine sensors, signal processing and wireless communications in compact devices, and network them together to perform a wide variety of tasks. Traditionally, raw sensor data would be communicated to one central site. This approach is not scalable from either the point of view of energy consumption or bandwidth; by allowing two-way communication to re-task nodes and on-node signal processing, the volume of data traffic and thus the energy to send it can be greatly reduced. This new approach was funded by DARPA [Defense Advanced Research Projects Agency] in the mid-1990’s and spawned a robust academic research community. Field tests were conducted during military exercises. In recent years DARPA has moved to classify or otherwise restrict the technology, while also proceeding with contracting styles inconsistent with how universities operate. The result is a deadening of academic research in security applications (borders, situational awareness, detection of underground facilities, etc.) when it is apparent that there are both current and future needs. Recently, NSF stepped in and funded many new and exciting projects with scientific applications. These demonstrated some limitations with the original concept of sensor networks for military applications. The basic information management concerns are essentially the same in commercial, scientific or military systems, and so classifying or restricting the research may be counter-productive. Several who participated in the committee’s regional meetings called for a reaffirmation of the intent of NSDD-189, so that all fundamental research at U.S. universities can be free from any publication restrictions. Such a reaffirmation would provide a clear recognition that academic freedom strengthens the nation’s security and also advances its competitiveness and economic well-being. The committee heard that in recent years some universities have been able to work with contracting personnel at federal agencies to recognize the difference in a research contract between basic and applied (in export terms “fundamental”) research conducted at a university versus the proprietary work done by an industrial partner (which is not able to rely on NSDD-189). Occasionally, sponsors have structured awards to recognize that difference. Often these contracts are delayed or complicated by restrictions that are inappropriate for university research. Through terms and conditions of unclassified research awards, 19 John L. Hennessy, 2006. Remarks made to the Committee on a New Government-University Partnership for Science and Security Western Regional Meeting at Stanford University. September 27. Available at www7.nationalacademies.org/stl/202006.pdf. Accessed February 14, 2007.

OCR for page 27
Science and Security in a Post 9/11 World: A Report Based on Regional Discussions Between the Science and Security Communities particularly subawards from for-profit entities, universities are being asked by some federal funding agencies to accept restrictions on fundamental research. Although there have been instances of the inclusion of publication and access restrictions in assistance awards (grants and cooperative agreements), the committee heard that the far greater problem for universities is in the procurement (contracts) area. Contracting officers and universities sometimes do not recognize that the fundamental principles, as well as much of the wording of NSDD-189, are incorporated into the Federal Acquisition Regulations (FAR). The problem for universities is that federal agencies sometimes impose restrictions on publications or foreign nationals in their research contracts with universities when the research complies with the requirements of NSDD-189. More difficult for universities is the fact that federal agencies award research contracts to industrial firms without the fundamental research exclusion (which is appropriate) but do not consider that the subrecipient who will help perform the work may be a university for which the restrictions are not appropriate. The industrial prime may be reluctant (or unable) to secure sponsor approval to remove the requirement from their subcontracts to universities. One speaker informed the committee of a basic research contract in the aerospace domain that was refused when a small company attempted to challenge the flow-down of restrictive contract language appropriate for its portion of the work but not for the open research to be conducted at the university. The government agency responsible refused to make the changes despite persistent efforts by the prime contractor.20 Furthermore, in addition to recognizing that NSDD-189 is incorporated into the FAR, it is important that federal regulations such as the EAR and the ITAR be made consistent with NSDD-189. The recent recommendation of the Department of Commerce’s Inspector General’s (IG’s) office concerning a distinction between the conduct and results of research illustrates the inconsistency. Given these concerns, the committee offered the following recommendations: Recommendation 1: Federal research funding agencies should ensure that grants and contracts for fundamental research awarded to institutions of higher learning in the United States 20 Memorandum from Gregory J. Pottie, 10/2/2006, on file with study staff.

OCR for page 27
Science and Security in a Post 9/11 World: A Report Based on Regional Discussions Between the Science and Security Communities abide by the principles of NSDD-189. Instructions and guidance for how to express these principles should be incorporated into each agency’s contracting and granting procedures in a more uniform manner. In addition, the requirement for adherence to the principles of NSDD-189 as stated in FAR 27.404(g)(2) should be incorporated into all research contracts to universities for basic and applied research in science and engineering. Recommendation 2: Federal funding agencies should make clear to industrial awardees that the restrictive publication and foreign national clauses placed in government awards that would not apply to universities should not be passed down to university subawardees conducting fundamental research. In cases where the content of the subaward is known in advance, government contracting officers should include the appropriate provision in the original award. When the content of the university subaward is not known in advance, agencies should state that industrial prime contractors do not need agency permission to remove the restrictive clauses from subawards to universities. In addition, federal contracting officers should incorporate the provisions of FAR 27.404(g)(2) in all research contracts to universities where applicable and instruct industrial awardees that this clause is the appropriate clause to include in subawards to universities. Classification and Sensitive But Unclassified Classification of information is one means by which the government controls access to information. “With rare exceptions, only information that is owned by, produced by or for, or is under the control of the U.S. government is eligible to be classified.”21 In 1997, the “Moynihan Commission” found that roughly 3 million people in the United States had the ability to classify information.22 During this committee’s meetings, university officials reported that they had significant concerns about not only the increase in the types of research considered classified but also in the 21 Center for Strategic and International Studies (CSIS). 2005. Security Controls on Scientific Information and the Conduct of Scientific Research. Washington, D.C, p. 5. 22 Named after its Chair, Senator Daniel Patrick Moynihan, “Report of the Commission on Protecting and Reducing Government Secrecy.” 1997. Senate Document 105-2 Pursuant To Public Law 236, 103rd Congress. Washington, D.C.: U.S. Government Printing Office.

OCR for page 27
Science and Security in a Post 9/11 World: A Report Based on Regional Discussions Between the Science and Security Communities variability within and among agencies in classification policies and practices. A participant at the May 2006 regional meeting noted the tendency for over reaching on classifications: I used to do declassifications as a GS-9 in the Pentagon, and no one ever got promoted for giving away information. The only safe thing to do as a junior person in the bureaucracy is to make sure you never let anything out of the bag you shouldn't. So you are always going to say no and err on the side of caution. There needs to be a higher level place where … supervision can kick in and free up the information.23 Most universities do not pursue classified research on campus because of concerns that restrictions placed upon facilities, access, and participation are counter to the free flow of individuals and information that is typical of the university setting.24 As more research is considered classified, the disadvantages of excluded or exclusive research becomes greater. Stanford President John L. Hennessy noted: … our ability within the university to monitor access and information flow is limited. We could find ourselves either rejecting outright potential research grants or research directions that required such restrictions or placing them in separate wholly contained units that essentially segregate them from the rest of the university. This would, of course, end up in a situation where we segregate the participants and create what is essentially a different unit.25 Nonetheless, a small number of universities have been willing to accept classified research on campus. The committee heard that “at Georgia Tech we have no policies that prohibit faculty members or students from 23 Lincoln P. Bloomfield, Jr. 2006. Remarks made at the Committee on a New Government-University Partnership for Science and Security Northeast Regional Meeting at Massachusetts Institute of Technology. May 15. Available at www7.nationalacademies.org/stl/032895.pdf. Accessed February 14, 2007. 24 Comments of Rachel Claus and Michael Nacht, September 27, 2006, regional meeting. 25 John L. Hennessy. 2006. Remarks made at the Committee on a New Government-University Partnership for Science and Security Western Regional Meeting at Stanford University, September 27.

OCR for page 27
Science and Security in a Post 9/11 World: A Report Based on Regional Discussions Between the Science and Security Communities engaging in any kind of research they want to pursue,”26 and Georgia Tech has established a program whereby classified research can be carried out on campus. In particular, however, concerns were expressed that inconsistent and arbitrary use of the “sensitive but unclassified,” designation may be eroding some of the freedoms spelled out in NSDD-189. Research administrators attending the committee’s regional meetings described the difficulty of anticipating and implementing the requirements for SBU information and recommended that SBU should be largely (if not fully) eliminated. Many commented that if something affects national security it should be classified. Stanford University President John L. Hennessy asserted, “From the university’s perspective, restrictions on access to information are best delineated by clear boundaries such as the one created by classification or by outright restrictions on entry to the United States for individuals that pose a threat to our country.” Many speakers presented the view that the U.S. should do an effective review of an individual at the point of determining whether to issue a visa. Once a visa has been granted, individuals should be accorded the same opportunities for study and research as U.S.-born students. Universities and their faculty and staff must be vigilant about reporting unusual behavior of any student, foreign or U.S.-born. Other meeting participants expressed concern about the disparate and at times seemingly liberal use of the SBU designation across agencies noting that DHS is considering developing a policy definition of SBU research conducted at DHS-funded university-based centers of excellence that is contrary to the principles of NSDD-189. At the June 2006 regional meeting, Wayne Clough, President of the Georgia Institute of Technology, summarized the dilemma: What it boils down to is that we have no consistent policy. This is one of the problems that we have; we don't know which answer is the one we should use. What the Department of Energy finds acceptable today, the Department of Homeland Security may reject tomorrow. 26 Stephen E. Cross. 2006. Remarks made at the Committee on a New Government-University Partnership for Science and Security Southeast Regional Meeting at Georgia Institute of Technology. June 5. Available at www7.nationalacademies.org/stl/Partnership-6-6-06.pdf. Accessed February 14, 2007.

OCR for page 27
Science and Security in a Post 9/11 World: A Report Based on Regional Discussions Between the Science and Security Communities What NSF considers legitimate may be unacceptable to the Department of Defense.27 The use of SBU is particularly troubling because it has no single definition. Indeed, a 2006 GAO report found that federal agencies use 56 different designations for information that has been determined to be SBU.28 Further, the report found that there are no government-wide policies or procedures detailing how an agency should designate and handle SBU research. Consequently, inconsistent and contradictory policies can be found throughout the government. The arbritrariness of this designation means that research universities must contend with unclear definitions and variability in policy from agency to agency. In an attempt to improve the government’s sharing of information, in December 2005, the President issued “Guidelines and Requirements in Support of the Information Sharing Environment," which included a Guideline entitled “Standard Procedures for SBU.” The President’s memo called on agencies to develop standard procedures for handling SBU information. "To promote and enhance the effective and efficient acquisition, access, retention, production, use, management, and sharing of Sensitive But Unclassified (SBU) information, including homeland security information, law enforcement information, and terrorism information, procedures and standards for designating, marking, and handling SBU information must be standardized across the Federal Government."29 At the committee’s Georgia Tech meeting, a DHS official informed the committee of the difficulty in trying to work through the various definitions, categories, and policies for designating, marking, and handling SBU. An ongoing government review of the use of SBU will be reported to the Director of National Intelligence, who is expected to present recommendations on standardized SBU procedures for the President's approval in 2007. 27 G. Wayne Clough. 2006. Remarks made at the Committee on a New Government-University Partnership for Science and Security Southeast Regional Meeting at Georgia Institute of Technology. June 5. Available at www7.nationalacademies.org/stl/Partnership-6-6-06.pdf. Accessed February 15, 2007. 28 U.S. Government Accountability Office. 2006. “Information Sharing: The Federal Government Needs to Establish Policies and Processes for Sharing Terrorism-Related and Sensitive but Unclassified Information,” Washington, D.C.: GAO. 29 Memorandum from the President for the Heads of Executive Departments and Agencies, Subject: Guidelines and Requirements in Support of the Information Sharing Environment, December 16, 2005.

OCR for page 27
Science and Security in a Post 9/11 World: A Report Based on Regional Discussions Between the Science and Security Communities At the MIT regional meeting, Judith Reppy, Cornell University, said: “In many cases, these new regulations have been implemented with very little regard for the core values [or benefits] of the university, namely, the free and open exchange of information.” 30 Others noted that classification policies have become more complex, farther reaching, and in the view of some, inconsistent and illogical. Judith Reppy went on to note: …in practice, the regulations in this area are so complex that they can only be understood by specialists, which is why we have these new bureaucracies. The rules as they are written … are really arcane for any normal person. I think the real problem here though is one of consistency.31 A survey of 20 institutions in 2003-2004 conducted under the auspices of the Association of American Universities and the Council on Governmental Relations found 138 instances of attempts by the government to restrict publication of data or foreign national participation in research. Most of these restrictions showed up with the inclusion of the Defense Federal Acquisition Regulation Supplement (DFARS) 7000 clause, which relates to access or the generation of unclassified information that may be sensitive.32 Anecdotal information presented at the regional meetings indicates that restrictions are continuing to be placed in research awards; however, it is not known whether the number and frequency of restrictions is increasing. Recommendation 3: The data collected in the 2004 Association of American Universities and Council on Governmental 30 Judith Reppy. 2006. Remarks made to the Committee on a New Government-University Partnership for Science and Security Northeast Regional Meeting at Massachusetts Institute of Technology. May 16. Available at www7.nationalacademies.org/stl/032896.pdf. Accessed February 14, 2007. 31 Ibid. 32 Association of American Universities/Council on Governmental Relations 2004. Restrictions on Research Awards: Troublesome Clauses, A Report of the AAU/COGR Task Force. DFAR 252.204-7000, Disclosure of Information, reads: “When the Contractor will have access to or generate unclassified information that may be sensitive and inappropriate, include the clause DFARS 252.204-7000.” The clause addresses release of information without prior approval.

OCR for page 27
Science and Security in a Post 9/11 World: A Report Based on Regional Discussions Between the Science and Security Communities Relations report, Restrictions on Research Grants and Contracts, should be updated annually. The report should be expanded to include review of other restrictive clauses and should specifically review the use of the “sensitive but unclassified” category. The results of this report should be provided to the U.S. Office of Science and Technology Policy and the proposed new Science and Security Commission (Recommendation 12) and released to the broader academic community. Export Controls and Deemed Exports The federal government also attempts to control the flow of information and materials through export control and arms trafficking regulations. Specifically, the Department of Commerce implements the EAR that bars the export of items, technology, and technological information found on the Commerce Control List33 to foreign countries without appropriate export licenses. The EAR covers the transfer of dual-use commercial goods. In addition, the Department of State implements the ITAR, which regulates the export of items, technology, and technological information maintained on the U.S. Munitions List.34 The ITAR focuses on armaments and military technologies. Both the EAR and the ITAR contain exclusions for fundamental research. However, some research can be subject to both sets of regulations. Participants at the committee’s regional meetings noted that these lists are out of date, in part because other countries’ technologies have surpassed those of the United States in some areas. Several meeting participants noted that many of the items on the Commerce Control List and the U.S. Munitions List are outdated technologically and broadly available and not controlled in other countries. Yet companies and universities are required to comply with the lists. In addition to these export controls, “deemed exports” refer to the transfer of controlled information to a foreign national within the United States, such as a foreign scientist working in a university laboratory.35 33 The Commerce Control List can be found at www.access.gpo.gov/bis/index.html. 34 The Munitions Control List can be found at www.access.gpo.gov/nara/cfr/waisidx_01/22cfr121_o1.html. 35 The USA PATRIOT Act (P.L. 107-56) also has provision to control access to information by foreign nationals. In particular, access to select agents (biological and toxin agents on a

OCR for page 27
Science and Security in a Post 9/11 World: A Report Based on Regional Discussions Between the Science and Security Communities “Universities generally rely on the fundamental research exclusion to exempt the research performed there from export control.”36 Otherwise, for foreign nationals working in U.S. laboratories to have access to this controlled information, the institution must apply for a license. According to Sue Eckert, Senior Fellow at the Watson Institute for International Affairs at Brown University and former Assistant Secretary of Commerce for Export Administration, approximately one thousand deemed export licenses are requested every year and only one percent are denied.37 Under the National Defense Authorization Act (NDAA) for Fiscal Year 2000, the IGs of the Departments of Commerce, Defense, Energy, and State, in consultation with the Directors of the CIA and FBI, are required to conduct an eight-year assessment of the adequacy of current export controls and counterintelligence measures to prevent the acquisition of sensitive U.S. technology and technical information by countries and entities. In April 2004, these offices issued seven reports focused on deemed exports regulations, including an interagency review that summarizes the findings and recommendations of the six individual agency reports. The reports of the Department of State, DHS, and CIA remain either classified or publicly unavailable. The publicly available agency reports were particularly troubling for research universities because they called for a re-examination of several federal export license rules from which universities have historically believed they were exempt. Given that the primary mission of the university system is the dissemination of knowledge, the potential for conflict was considered substantial. The Department of Commerce IG report was the first to attract the attention of the university community for two reasons: 1) it contained a surprising change in the interpretation of existing regulations, and 2) a large number of items would be affected by the changes suggested in the report, including common laboratory tools such as furnaces, portable electric generators, gas leak detectors, centrifuges, and fermenters. select list) or information about those agents is barred to students and researchers originating from countries that support terrorism. 36 G. J. Knezo. 2006. “Sensitive but Unclassified” information and other controls: policy options for scientific and technical information. CRS Report for Congress, February 15. 37 Sue E. Eckert. 2006. Remarks made at the Committee on a New Government-University Partnership for Science and Security Northeast Regional Meeting at Massachusetts Institute of Technology. May 16. Available at www7.nationalacademies.org/stl/032895.pdf. Accessed February 14, 2007.

OCR for page 27
Science and Security in a Post 9/11 World: A Report Based on Regional Discussions Between the Science and Security Communities With regard to the first issue, universities long assumed that fundamental research was excluded from deemed export regulations. The Commerce IG report, however, concluded that only the outputs of research (e.g., publications) were excluded; the inputs (e.g., access to controlled equipment used in the conduct of research) were not. The rationale for this interpretation was that the fundamental research exclusion, NSDD-189, exempts that which “arises from or during” fundamental research. As the CSIS White Paper on Security Controls on Scientific Information and the Conduct of Scientific Research points out, that rationale is clearly wrong: Inconsistency with NSDD-189. The Inspector General’s report contains only a passing reference to NSDD-189, and that discussion deals only with the results of fundamental research; it makes no mention of the Directive’s parallel discussion of the conduct of such research. Perhaps for this reason, the IG report does not address the apparent inconsistency between its recommendation to expand deemed export controls and NSDD-189’s direction that “no restrictions may be placed upon the conduct … of [unclassified] federally-funded fundamental research”… Admittedly, the same inconsistency can be found in the position of the Commerce Department’s Bureau of Industry and Security, which according to the IG report asserts that “technology relating to controlled equipment … is subject to the deemed export provisions even if the research being conducted with that equipment is fundamental”… Nevertheless, the Bush Administration’s reaffirmation of NSDD-189 can be interpreted to mean that deemed export controls should not be applied at all to fundamental research, much less expanded. Nonetheless, the Department of Commerce continues to distinguish research results and conduct. Some have argued that the first error is “the assertion that not only is the deemed export rule consistent with NSDD-189, but that NSDD-189 clarifies that the product that results from fundamental research is distinct from the conduct involved in the research.”38 Although NSDD-189 may clarify that the two are distinct, the directive categorically 38 See www.fas.org/blog/secrecy/2006/05/deemed_exports_commerce_depart.html#comment-2914, p. 9.

OCR for page 27
Science and Security in a Post 9/11 World: A Report Based on Regional Discussions Between the Science and Security Communities asserts that they are to be treated the same. Thus, regardless of whether or not the conduct of research is differentiated from the product of research, neither one should be subject to these controls. In addition to these new interpretations of existing regulations, the Commerce IG report was troubling to the research community because of the number and scope of research activities that would be affected if a blanket “fundamental research exclusion” no longer applied. The research community initially interpreted the IG’s proposal to mean that licenses would be required for foreigners to have access to all items on the extensive Commerce Control List, making the impact on research unimaginably large. Additionally, far-ranging discussions ensued over the surprisingly major implications of the Commerce IG’s proposal to change the word “and” to “or” in the list of disallowable knowledge transfer activities (e.g., operation, installation, maintenance, repair, overhaul, and refurbishing). The report also suggested that, while U.S. Green Card holders could be assumed to have a U.S. affiliation, the IG recommended that deemed export policies be determined by the country of origin of non-U.S. residents, in addition to or notwithstanding their country of most recent citizenship. For example, permanent residency in Canada should not automatically lead to the assignation of “Canada” as the country of affiliation for an individual born in China. This proposed change generated a tremendous controversy in industry and academia. In response to widespread concern in the academic community about the changes proposed in the IG report, the Department of Commerce Bureau of Industry and Security (BIS) officials engaged in public meetings and onsite campus visits.39 After many long discussions with the university community, site visits to a number of willing host institutions, and the National Science and Technology Council’s formation of a task force on deemed exports (co-chaired by DOD and DOE), the Department of Commerce published a request for comments in the Federal Register on the IG’s proposed changes. Because of the overwhelmingly critical responses to the proposed changes, in July 2006, BIS announced its withdrawal of the Advanced Notice of Proposed Rulemaking and the establishment of a Deemed Export Advisory Committee (DEAC) charged with evaluating policies and 39 A transcript from the National Academies workshop on deemed exports held on May 6, 2005, to discuss the Department of Commerce proposal can be found at www7.nationalacademies.org/stl/.

OCR for page 27
Science and Security in a Post 9/11 World: A Report Based on Regional Discussions Between the Science and Security Communities recommending actions. While the announcement was generally welcomed by the university research community, one aspect remains a concern. In the announcement BIS distinguishes the information or product (i.e., a scientific paper) that results from fundamental research from the conduct that occurs within the context of the research.40 The product is not subject to the EAR, but a license still may be required if “during the conduct of the research controlled technology is released to a foreign national.” The announcement goes on to assert that this distinction between the research results and the conduct of fundamental research is consistent with NSDD-189. Under the BIS interpretation, licenses still may be required for access to controlled-use technology unless it meets the “publicly available” or other exclusion. So the research community remains concerned about the status of NSDD-189 and the fundamental research exclusion as evidenced in discussions at the Georgia regional meeting with then Commerce Undersecretary David McCormick. At that meeting the Undersecretary indicated that DEAC would take up the matter of the status of NSDD-189 if it identified it as an issue worthy of high-level attention. In 2005, DOD issued a proposed rule responding to the DOD IG’s March 25, 2004, report. The proposed rule would add an additional clause to DOD contracts that may involve export-controlled information or technologies and would mandate compliance plans that would include “unique badging requirements for foreign nationals and foreign persons and segregated work areas for export-controlled information and technology.”41 The university community objected to the proposal, with many noting that the proposed rule went beyond the current requirements in export control regulations and failed to acknowledge the fundamental research exclusion. Following much discussion with academic and industry groups, in 2006 DOD issued a new proposed rule. The 2006 proposed modifications would alter the intent and language of the agency’s 2005 proposed rule on export controls. The revised language acknowledges the “fundamental research exclusion” for academic research from export licensing requirements. It also no longer requires that universities and medical schools 40 NSDD-189 itself states that “[n]o restriction may be placed upon the conduct or reporting of federally funded research….” [emphasis added]. 41 Department of Defense. 48 CFR Parts 204, 235, and 252 (DFARS Case 2004-D010). Defense Federal Acquisition Regulation Supplement; Export-Controlled Information and Technology. Federal Register. 70(132):39976-39978. Available at www.fas.org/sgp/news/2005/07/fr071205.html. February 14, 2007.

OCR for page 27
Science and Security in a Post 9/11 World: A Report Based on Regional Discussions Between the Science and Security Communities with certain types of DOD contracts maintain unique identification badges and segregated work areas for foreign nationals where certain technology is involved. This second proposed rule includes: …less prescriptive contractor requirements, in recognition of existing related Department of Commerce and Department of State regulations; addresses the responsibilities of the requiring activity in identifying acquisitions involving export-controlled information and technology; and contains three separate contract clauses tailored for use in contracts for research and development, fundamental research only, and supplies or services.42 Even with the withdrawal of the proposed changes in the Commerce language and the revisions to the DOD language, academic institutions are still likely to encounter difficulties interpreting and implementing the deemed export requirements. A Congressional Research Service report summarized the problems: …members of the academic community cite problems administering use controls, including ambiguity about identifying which equipment or material in university laboratories is subject to export controls; discrimination on the basis of nationality; difficulty in controlling access of students and researchers in university laboratories; time required to obtain licenses and inflexibility in obtaining licenses; modest security benefits; slowing or preventing important discoveries due to licensing delays; loss of research talent if students and researchers study in other countries; and reduction in research at the leading edge of science.43 On the other hand, those in the intelligence and security communities are committed to identifying and controlling threats within our borders—thus, the tension. At the inaugural meeting of the committee, Michelle Van Cleave, Office of the National 42 See proposed modifications at www.acq.osd.mil/dpap/dars/dfars/changenotice/. 43 G. J. Knezo. 2006, p.6.

OCR for page 27
Science and Security in a Post 9/11 World: A Report Based on Regional Discussions Between the Science and Security Communities Counterintelligence Executive, reminded the committee of the intelligence community’s mission: It will sound familiar to many of us who have looked at the whole question of the prosecution of the global war on terrorism and what it means to be able to understand the presence of terrorist activities in the United States and how vital and important it is that we find ways to know where terrorists may be recruiting and training and planning operations within the United States, preparing for attacks, that kind of a compelling mission to deal with terrorist threats, to protect the American public, has been one that has animated the President's national security strategy in the global war on terrorism, where he has said that we are not going to sit back and wait for these threats to manifest themselves and harm us here.44 In December 2006, the U.S. Government Accountability Office reported that “The federal government is not doing enough to ensure that colleges are keeping sensitive technologies out of the hands of foreign spies and terrorists.”45 Participants at the Georgia Tech regional meeting expressed their belief that the current Control Lists trivialize the real issues for concern and that a serious effort must be made to reduce the number of items on the lists. Statements by law enforcement and federal officials that export controls are not an effective way to address national security threats reinforced this perception.46 As stated by DHS Assistant Secretary for Policy Stewart 44 Michelle Van Cleave. 2006. Remarks made at a meeting of the Committee on New Government-University Partnership for Science and Security. The National Academies. January 12-13. 45 Export Controls: Agencies Should Assess Vulnerabilities and Improve Guidance for Protecting Export-Controlled Information at Universities. Available at www.gao.gov/new.items/d0770.pdf. Accessed February 14, 2007. 46 Timothy Bereznay and Stewart Baker. 2006. Remarks made at the Committee on a New Government-University Partnership for Science and Security Northeast Regional Meeting at MIT. May 16. Available at www7.nationalacademies.org/stl/032895.pdf. Accessed February 14, 2007.

OCR for page 27
Science and Security in a Post 9/11 World: A Report Based on Regional Discussions Between the Science and Security Communities Baker, “I will posit that immigration policy, visa policy, export control policy is not the answer. I'm not convinced that we have the answer.”47 In October 2006, the Council on Governmental Relations sent a letter to DOD expressing its concerns about the evolving policy, including, “the conceptual framework for use of the three DFARS contract clauses set forth in the proposed rule, the characterization of the fundamental research exclusion from export controls, and the need to address what happens when there is disagreement between DOD and university contractors. …[We] remain concerned about assuring the necessary level of understanding of the export regulations on the part of DOD program and contracting staff.”48 COGR emphasized its concern “that it is inappropriate for DOD contracting officers to make determinations on the applicability of export controls,” adding that “contractors have the legal responsibility to comply with these requirements, and they are in a better position to determine whether the fundamental research or other exclusion or license exclusion applies to the performance of particular projects.”49 Although the committee applauded the willingness of the Departments of Commerce and Defense to consider the concerns of the university community, it expressed the belief that additional work needs to be done on export controls. Consequently, the committee makes the following recommendation: Recommendation 4: In view of the growing globalization of technology and science, the Departments of Commerce and State should conduct regular government-wide reviews of export control policy with special emphasis on streamlining, removal of outdated items, and updating the Commerce Control List and the U.S. Munitions List to reflect current status in technology and science and to identify truly unique and military critical technologies unavailable elsewhere. The proposed new Science and Security Commission (Recommendation 12) should work with the Departments of Commerce, Defense, and State in moving this review forward. 47 Stewart A. Baker. 2006. Remarks made at the Committee on a New Government-University Partnership for Science and Security Northeast Regional Meeting at MIT. May 16. Available at www7.nationalacademies.org/stl/032895.pdf. Accessed February 14, 2007. 48 Letter from Anthony DeCrappeo, President, COGR, to Ms. Debra Overstreet, OUSD (AT&L), DPAP (DARS), IMB 3C132, The Pentagon, October 13, 2006. 49 Ibid.

OCR for page 27
Science and Security in a Post 9/11 World: A Report Based on Regional Discussions Between the Science and Security Communities Summary Representatives of the research community told the committee that, in the interest of national security, the United States must be cautious about actions that unduly prevent the dissemination and exchange of information with other governments and research and academic institutions. Overly restrictive measures pose the danger that the United States could stultify its own efforts to achieve progress in scientific research by severing long-established ties with the global scientific community. This could undermine, rather than enhance, U.S. security. As Michelle Van Cleave, National Counterintelligence Executive, Office of National Counterintelligence, warned the committee, “…you can’t so lock down this country, our institutions, and our people to protect against all threats at all times. If we tried to do that, we would become a society that we wouldn’t want to be.”50 50 Michelle Van Cleave. 2006. Remarks made at a Committee on New Government-University Partnership for Science and Security meeting. The National Academies. January 12-13.