aamc.org does not support this web browser.
  • AAMCNews

    Foreign data theft: What academic institutions can do to protect themselves

    Academic research labs across the country are taking steps to protect their intellectual property after the NIH warned of data breaches and shadow labs. Here’s what you need to know.


    Editor's note: AAMC Chief Scientific Officer Ross McKinney, MD, discussed biomedical research espionage with the New York Times for the November 4, 2019,  article "Vast Dragnet Targets Theft of Biomedical Secrets for China."

    At the University of Texas MD Anderson Cancer Center in Houston, Texas, the USB ports on researchers’ computers have been disabled. Flash drives? They’re gone, too. MD Anderson is at the forefront of efforts to prevent the theft of U.S. research, and the steps have ranged from data security to dismissals. In April 2019, the institution ousted three scientists who violated U.S. National Institutes of Health (NIH) rules regarding peer review confidentiality and were dishonest about their links to foreign organizations. In May 2019, Science magazine reported that Emory University had also severed ties with two Chinese-American researchers. Additional investigations are occurring at more than 55 institutions, NIH Director Francis Collins, MD, PhD, told the Senate Appropriations Committee on April 11, 2019, fueled by concerns that the Chinese government is recruiting NIH-funded researchers, stealing intellectual property and grant information, and funding shadow labs that may perform research on the same themes the NIH has funded but without informing the NIH. (The New York Times recently reported that investigations are being conducted at approximately 200 institutions.)

    “This is a government effort to catch up scientifically by capturing ideas the U.S. government has paid for,” says Ross McKinney, MD, chief scientific officer at the AAMC, who has worked with MD Anderson officials. “And the Chinese government is doing this in a systematic way.”

    MD Anderson was the first institution to act following Collins’ statement and it has created a strong “culture of oversight,” says Michael Lauer, MD, the NIH’s deputy director for extramural research. “The leadership at MD Anderson decided to take this problem on aggressively, proactively, and collaboratively. They worked closely with law enforcement, primarily with the FBI. And they also worked closely with us.”

     So how can other institutions protect themselves? And just how big is the threat?

    The scope of the problem

    In August 2018, Collins sent a letter to more than 10,000 institutions that receive NIH grants. The letter addressed “threats to the integrity of U.S. biomedical research” and cited three areas of concern:

    • That researchers at NIH-funded institutions were not disclosing “substantial resources” from foreign governments and other organizations, “which threatens to distort decisions about the appropriate use of NIH funds”
    • That intellectual property produced by NIH-supported biomedical research (or in grant applications) was being diverted to other entities, including other countries
    • That peer reviewers were sharing confidential information or “otherwise attempting to influence funding decisions”

    Although Collins’ letter did not include the word “China,” the world’s most populous nation is the top source of the NIH’s concern. The Chinese government’s Thousand Talents Program recruits scientists to work at Chinese universities. In the problem cases, U.S. faculty were hired for part-time positions in China, where they received funding to create shadow labs where they conducted the same research as in their U.S. labs. While having a funded program elsewhere is not intrinsically a problem, almost all the identified scientists failed to disclose this information to the NIH or their U.S. employer. Disclosure of potential conflicts of interest and protection of confidential grant-related information “are pretty much sacrosanct” norms, McKinney says.

    The actions are not only unethical, but they had the potential to affect funding decisions. The NIH may not have funded research that was also being supported by other sources. Some scientists have also established startup companies — or own equity in foreign companies — that are engaged in work related to U.S.-funded research, creating potential financial conflicts of interest. A well-publicized example involves David Smith, PhD, a Duke University researcher who developed an “invisibility cloak” that makes objects invisible to microwave signals. The U.S. military had invested millions of dollars in Smith’s research. But Ruopeng Liu, a Chinese postdoc who worked with Smith, established a billion-dollar company that built, yes, an invisibility cloak, allegedly by stealing intellectual property (a story told in Daniel Golden’s 2017 book, Spy Schools: How the CIA, FBI, and Foreign Intelligence Secretly Exploit American Universities). The charges are hard to prove, and Duke maintains there’s no evidence that intellectual property was stolen. But Smith and federal officials are unconvinced.

    Peer review is also a problem — specifically, breaches of confidentiality. At MD Anderson, scientists shared NIH applications and PDFs of grants with scientists in China. “The whole process of peer review is based on confidentiality,” says McKinney. “When I apply for an NIH grant, I assume that nobody will steal my idea, that it will be evaluated, and that a determination will be made as to whether it’s funded. I do not expect that my ideas will be copied and sent to somebody I don’t even know.”

    China may be the most noteworthy threat, but federal officials are also concerned about countries such as Russia, North Korea, and Iran.

    “This isn’t just about China,” says Tobin Smith, vice president for policy with the Association of American Universities (AAU). “It's more about the United States and what do we do to preserve our leadership.”

    Prevention and protection

    Leaders in government and academia are taking the threat seriously. Numerous organizations and agencies have produced materials for protecting intellectual property, including the FBI and the Human Rights Watch, which released a March 2019 report, “Resisting Chinese Government Efforts to Undermine Academic Freedom Abroad,” that proposes a 12-point code of conduct for universities. Collins formed an NIH advisory committee of university presidents and other leaders to study the issue; it released a report on “foreign influences on research integrity” in December 2018 that offers recommendations for both the NIH and institutions that receive grants.

    Recommended steps for improving security include:

    • Assessing strengths and weaknesses. Some universities have convened a task force or working group to assess their policies, procedures, and activities and to develop strategies for future activities, the AAU and Association of Public and Land-Grant Universities (APLU) noted in an April 2019 memo to presidents and chancellors.
    • Adding new policies. Once an institution has assessed its current policies, it should consider whether additional steps are necessary. The AAU and APLU released a summary of best practices in April based on a 2018 survey of 40 universities. Ideas include developing a rapport with local law enforcement and regional federal security officials and using university conflict of interest and conflict of commitment policies to identify problematic foreign affiliations, relationships, and financial interests.
    • Communicating with faculty. Remind faculty of federal and university disclosure and export controls compliance requirements — and make sure they understand them. Many universities have sent letters to faculty, published newsletters, and created websites on procedures and security threats, says Smith. A Penn State website, for example, outlines the growing security concerns and shares best practices for disclosing foreign relationships and activities. Institutions also need mechanisms for faculty to communicate with administrators about potential conflicts, adds Lauer.
    • Monitoring employee travel. Institutions should not only implement programs for reviewing faculty travel plans, but they should review past travel to identify warning signs. Most 12-month contracts allow four weeks of vacation, but some faculty are gone for months without institutions knowing it, says McKinney. Institutions need to be clear about their expectations and know how faculty are spending their time, Lauer adds. “Some institutions have very strong cultures of oversight,” Lauer says. “Oversight is not the same thing as oppression. Oversight means that an institution knows what's going on.” Some institutions also provide one-on-one security briefings to faculty traveling to high-risk areas, the AAU/APLU survey found.
    • Preventing data breaches. At many institutions, USB ports can only be accessed by encrypted memory sticks. MD Anderson went a step further by eliminating flash drives and disabling USB ports. “Everything goes through a cloud provider,” says Lauer. “That does two things. One, it prevents the loss of information. But it also helps create a culture of data and knowledge security.” Establish protocols to oversee data, he adds. “You want to know whether unusually large amounts of data are leaving your networks.” The AAU/APLU summary suggests using cloud-based software screening tools. And when staff members travel, provide them with data-free computers that only have software for communicating and working. MD Anderson also makes clear that it can access and review staff emails, since email is a Chinese recruitment tool. Faculty are often invited to give a lecture in China, McKinney says, which is the first step in recruiting them to the Thousand Talents Program.


    The problem of profiling

    Stronger security measures may protect intellectual property, but how high is the cost? Aggressive actions could discourage top talent from coming to the United States. Tighter controls could disrupt collaboration and the free flow of information. But the most commonly cited fear is racial profiling. In its March 2019 issue, Science published a letter from three organizations, including the Society of Chinese Bioscientists in America, expressing concerns about polices that “single out students and scholars of Chinese descent … for scapegoating, stereotyping, and racial profiling.”

    Chinese American scientists have been wrongfully accused of spying in the past, the letter notes. Even supporters of measures to protect U.S. research worry about unfairly targeting scientists of Asian descent.

    “As a black male, I’m very sensitive to racial profiling,” says M. Roy Wilson, MD, MS, president of Wayne State University and co-chair of the NIH advisory committee that considered foreign influences. “The vast majority of foreign investigators in this country are contributing to the advancement of science and doing good work. It just so happens that a large proportion of people in this group are of Chinese descent. And we should not overly stigmatize an entire group of people, most of whom are great collaborators, great postdocs, and have no connection whatsoever with anything that could be considered even inadvertent subverting of process and policy.”

    NIH’s Lauer shares Wilson’s concerns, but that doesn't eliminate the need to follow the rules, he says. When scientists conceal a large foreign research operation, leak a confidential application for peer review, or don’t disclose a significant financial conflict of interest, they are violating longstanding norms. And not all the scientists identified for problematic behaviors are Asian, he adds. “We are dealing with objective problems,” he says. “We’re focusing on the behaviors and actions more so than the specific characteristics of the people.”

    American and international research is intertwined. Sixty percent of postdocs in the United States have temporary visas, McKinney says, and a high proportion are Chinese. Twenty-nine percent of researchers at MD Anderson are of Asian descent.

    “This is not about picking on Chinese scientists,” says McKinney. “This is about government-organized dishonesty. This is a large-scale attempt to acquire information through dishonest means.”

    This AAMCNews article originally published May 28, 2019, with the title "Combatting undue foreign influence at U.S. research institutions."