CASRAI Dictionary

Tag: dual-use research

  • Trusted research and international collaboration: managing risk without barriers

    International collaboration is not a luxury of modern research; it is largely how the best of it gets done. The hardest problems — in health, climate, energy, fundamental science — are addressed by teams that cross borders, pool data and combine expertise that no single country holds. At the same time, a minority of partnerships carry real risks: the loss of sensitive technology, undisclosed competing obligations, the misuse of dual-use research, or arrangements that conflict with a researcher’s legal duties. The challenge that ‘research security’ tries to meet is to manage those genuine risks without throwing up barriers that would damage the open, collaborative culture on which research depends. This article sets out a proportionate approach, drawing on the framework defined in the research security domain of the CASRAI Dictionary.

    Two policy reference points

    Two reference points dominate the conversation. In the United States, NSPM-33 — the National Security Presidential Memorandum on protecting the integrity of government-supported research — directs funding agencies to strengthen disclosure requirements and asks institutions receiving substantial federal funding to maintain research-security programmes. Its emphasis is on transparency: knowing who is funding what, and what other obligations a researcher carries, so that conflicts of interest and conflicts of commitment can be seen and managed rather than hidden.

    In the United Kingdom, the Trusted Research guidance, developed with the national protective-security and cyber-security bodies, takes a similar but distinctly proportionate line. Its framing is that the overwhelming majority of international collaboration is benign and beneficial, and that the goal is to help researchers and institutions identify the small number of cases where caution is warranted — and to do so without discouraging legitimate partnership. Both frameworks share a premise worth stating plainly: the aim is risk management, not risk elimination, because eliminating risk would mean eliminating collaboration.

    Where the risks actually sit

    It helps to name the categories of risk concretely, because vague anxiety is the enemy of proportionate action. Conflicts of interest and commitment arise when a researcher has financial interests or outside appointments — including foreign talent-programme affiliations — that are not disclosed and could bias their work or divide their loyalties. Export controls and sanctions govern the transfer of certain technologies, data and know-how across borders, and can apply even to a conversation or a shared dataset, not only to physical goods. Dual-use research of concern covers work that, though conducted for legitimate purposes, could be repurposed to cause harm. And there are data-protection and confidentiality obligations that follow data across jurisdictions with different legal regimes.

    Naming these categories matters because the appropriate response differs for each. An export-control question is a legal compliance matter; a conflict-of-commitment question is a disclosure matter; a dual-use question is an ethical-review matter. Treating them as one undifferentiated ‘security’ problem leads either to overreaction or to missing the specific control that actually applies.

    Due diligence that is proportionate

    The practical heart of trusted research is proportionate due diligence: doing more checking where the stakes are higher, and not burdening low-risk collaboration with high-risk procedures. A sensible due-diligence process asks a graded set of questions. What is the nature of the work — is it fundamental and openly publishable, or does it touch sensitive technology? Who is the partner, who ultimately funds and controls them, and are there links that raise concern? What will be shared — data, materials, know-how — and does any of it fall under export controls? What are the terms — who owns the results, who can publish, are there clauses that would compromise academic freedom or open dissemination?

    The point of grading is that a routine collaboration on openly published basic science should pass through quickly, while a project involving controlled technology and an opaque funding structure warrants real scrutiny and, often, expert advice. A process that treats every partnership as a threat will be ignored or resented; a process that treats none as a risk fails its purpose.

    Disclosure as the connective tissue

    Across both frameworks, disclosure is the mechanism that makes everything else work. Most research-security failures are not espionage; they are undisclosed relationships and obligations that, once visible, could have been managed straightforwardly. Accurate, complete and current-and-pending disclosures — of funding, appointments, in-kind support and outside activities — let an institution and a funder see the whole picture. The move toward machine-readable disclosure formats is making this less of a paperwork burden and more of a maintainable record, and recording these obligations in structured form complements the recognition of legitimate contributions through the CRediT taxonomy: the same record can show both what someone did and what other commitments they hold.

    Keeping the lab door open

    The risk that gets least attention is the risk of overreaction — of institutions retreating from international partnership, or of researchers from particular backgrounds being treated with suspicion on the basis of nationality rather than conduct. Both the UK and US frameworks are explicit that security measures must not become a pretext for discrimination, and that openness is itself a value worth protecting. A trusted-research programme that makes researchers feel surveilled or unwelcome will cost more in lost collaboration and damaged trust than it saves in averted risk.

    The balance, then, is genuinely a balance: assess risk honestly and proportionately, manage it with the specific control that fits, insist on transparent disclosure, and keep the default disposition open. The shared vocabulary for describing these obligations consistently across systems and partners is maintained in the CASRAI Dictionary, which is part of what makes a risk-management conversation possible across institutional and national lines.

  • Dual-use research and export controls: managing sensitive science alongside open science

    Most research is unambiguously for the good: it cures disease, feeds people, advances understanding. But a portion sits in a more difficult place, where the same knowledge that brings benefit could also cause serious harm if misused. A study of how a pathogen spreads can guide vaccines or, in the wrong hands, inform a weapon; an advance in a sensitive technology can serve civilian and military ends alike. This is the territory of dual-use research, and it forces a genuine tension with the dominant movement of contemporary science, which is towards greater openness. How institutions manage research that is both valuable and potentially dangerous — without betraying the openness that makes science work or ignoring real risks — is the subject of this article, which draws on the research-security domain of the CASRAI Dictionary.

    Dual-use research of concern

    The phrase dual-use research of concern, or DURC, refers specifically to life-sciences research that could be reasonably anticipated to provide knowledge, products or technologies that could be directly misused to threaten public health, agriculture, the environment or national security. The concept narrows a vast and unhelpful category — almost any knowledge could in principle be misused — to a manageable set of research with a credible and serious potential for harm. In the United States, oversight of such work has been organised through DURC policy and the related potential pandemic pathogen care and oversight (P3CO) process, which requires particularly risky research — for instance, work that could enhance a pathogen’s transmissibility or virulence — to undergo additional review before it proceeds. The aim is not to stop the research but to ensure its risks are deliberately weighed against its benefits by people equipped to judge.

    Export controls: a different lever

    Alongside biosecurity oversight sits a quite different and often less familiar set of obligations: export controls. These are legal regimes that restrict the transfer of certain sensitive goods, technologies and technical knowledge across borders — and crucially, in many regimes, a transfer to a foreign national can occur even without anything leaving the country, simply by sharing controlled knowledge. For researchers, this means that international collaboration, hosting visiting scholars, or sharing technical data can fall within the scope of export law. Several regimes matter here. The Wassenaar Arrangement is a multilateral export-control regime through which participating states coordinate controls on conventional arms and dual-use goods and technologies. In the United States, the Export Administration Regulations (EAR) govern most dual-use items, while the International Traffic in Arms Regulations (ITAR) govern defence-related articles and services. In the United Kingdom, the Export Control Joint Unit administers strategic export controls, and the European Union’s dual-use regulation provides a common framework across member states. The details differ, but the principle is shared: some knowledge cannot be transferred freely.

    Screening and the fundamental-research exclusion

    To meet these obligations, institutions increasingly carry out screening — checking collaborators, partners and destinations against sanctions and restricted-party lists, and assessing whether a project involves controlled technology. Properly done, this is not suspicion towards international colleagues; it is due diligence to ensure legitimate collaboration does not inadvertently breach the law or aid a hostile actor. Importantly, most export-control regimes include an exclusion for fundamental research — basic and applied research ordinarily published and shared broadly with the scientific community. This exclusion allows the vast majority of open academic research to proceed without entanglement in export law. The controls bite mainly where research is genuinely sensitive, restricted from publication, or involves specifically listed technologies.

    The tension with open science

    The difficulty is plain: the default and the aspiration of modern research is openness — open access, open data, open methods, free international collaboration — while DURC oversight and export controls are, by nature, mechanisms of restriction. The two genuinely pull against each other, and pretending otherwise helps no one. The mature response is not to abandon openness, the engine of scientific progress, nor to ignore risk, which would be reckless. It is to recognise that the vast majority of research should be as open as possible, while a small, identifiable subset requires careful handling. The skill lies in identifying that subset accurately — neither over-restricting, which chills legitimate science, nor under-restricting, which courts real harm. This is the same calibrated thinking that governs sensitive data: as open as possible, as closed as necessary.

    Security without closing the door

    Getting this balance right is partly a matter of culture and partly of process. A trusted-research approach asks institutions to build awareness of these issues into the research lifecycle — at the point of forming partnerships, applying for funding, hosting visitors and preparing to publish — so that risks are spotted early and handled proportionately, rather than discovered late or missed entirely. Embedding this within ordinary research administration, rather than treating it as an exceptional intervention, is what allows security and openness to coexist. The goal is a research environment that is both open and secure: confident enough in its openness to collaborate widely, and alert enough to handle the genuinely sensitive cases with care.

    A shared vocabulary for sensitive research

    For research-security obligations to be managed consistently across institutions, funders and national systems, the concepts involved must be described in compatible ways — what counts as controlled technology, what a screening determination records, how a dual-use assessment is captured. That consistency is what the CASRAI Dictionary works towards: a shared vocabulary so that the information about sensitive research and its handling means the same thing wherever it is recorded. And because the work of conducting research responsibly — including the oversight and stewardship that sensitive work requires — is part of the research record, it can be described alongside the contributions captured in the CRediT taxonomy and its full set of contribution roles. Open science and research security are not enemies; managed well, they are two aspects of doing research responsibly in a connected and sometimes dangerous world.