New DOD Research Security Memo Highlights Growing University Compliance Challenges, Panelists Say
A new Defense Department policy memo and guidance on foreign influence within American research institutions could exacerbate already complex export control due diligence challenges at universities, said Jackson Wood, director for industry strategy at Descartes. It also could lead to larger compliance risks for universities pursuing DOD-funded research, said Kit Conklin of compliance risk advisory firm Kharon.
“For those universities that have a significant amount of funding coming in from DOD,” Conklin said, there’s “real risk here for failure to comply.”
DOD in June outlined its new processes to review university proposals for research funding, warning that schools with certain connections to export control or sanctions risks, including from China, Russia, Iran and North Korea, could be denied future funding (see 2307110044). The agency also released a new list of Chinese, Russian and Iranian institutions that have elevated risks for universities, which it published as the Commerce Department expands its university outreach program, launched last year, to help certain schools improve their export control compliance programs (see 2206290019 and 2303100021).
Wood, speaking during a recent webinar hosted by Kharon, said “appropriate due diligence” for universities has been an “ongoing challenge,” and the DOD guidance and memo may make those efforts even more complicated. Although the agency’s new list includes dozens of entities that may pose research risks, Wood noted the list is not exhaustive and provides only a starting point of parties that universities should be screening against.
“As the government becomes more prescriptive around what the regulatory guidelines entail,” he said, “they've become less prescriptive in terms of providing lists of entities that explicitly cover the due diligence work that you need to do.”
Wood pointed to Commerce’s Oct. 7 semiconductor export controls (see 2307260071 and 2210070049) as another example of regulations that he said lack sufficient guidance, adding that they are “just adding to the due diligence challenge that research institutions are facing.” He said universities are “not getting help from regulators saying, ‘Here is the exhaustive list of individuals or entities that we don't want you partnering with or engaging in any type of financial or intellectual property relationship.’"
"More and more, organizations are being left to their own devices to interpret this guidance and then develop programs and develop operational procedures that enable them to do the appropriate level of due diligence,” Wood said.
A former Commerce official earlier this year suggested the agency publish a regularly updated, noncomprehensive list of facilities subject to the China chip controls, similar to its military end-user list (see 2301260052). Conklin, vice president of global client engagement at Kharon, said there has “always” been demand from industry or academia for a complete "list of the bad guys” who are off-limits but said that’s unlikely forthcoming.
“The government will never be able to publicly identify every company, every research institute, every foreign university, every foreign laboratory that poses foreign influence risk,” he said. “It will always be a bit behind the curve in terms of publicly listing these parties.”
Not only should universities be screening against the entities on the new DOD list, but they also should be conducting due diligence “into parties that aren't listed,” Conklin said. He pointed to an August report from Kharon that showed Zhejiang Qingji Ind. Co., a sanctioned Chinese supplier of centrifuges to Iran, has partnered with several Chinese academic institutions to conduct research on centrifuges (see 2308250023). One of those institutions is Zhejiang University of Technology, which is not sanctioned or listed on Commerce’s Entity List but has partnerships with more than 50 institutions across the world, including universities in the U.S., the U.K., Japan, South Korea and Germany.
Universities need to “understand the structure of the research partner” that they are working with, Conklin said, including their “subsidiary units” or affiliates that may not be on any government denied-party list. “Just because a company or a university or a research institute or a laboratory isn't on some sort of government list,” he said, “It doesn't mean that they're free from risk itself.”
Conklin said automated compliance solutions can help universities with those due diligence efforts, especially because many schools may only have one person responsible for export compliance. Wood agreed, adding that in “many instances, it's one or two people who are running the export control office inside of an institution that may have thousands of faculty, thousands of programs.”
But even with an automated solution to identify risks, “it's hard to get 100% clarity,” Wood said. “It really is a bit of a heads-down due-diligence effort,” he said. “I really think it's about being able to narrow the field a little bit, but recognizing that there's still likely to be some questions that need to be answered further.”