International collaboration is not a luxury of modern research; it is largely how the best of it gets done. The hardest problems — in health, climate, energy, fundamental science — are addressed by teams that cross borders, pool data and combine expertise that no single country holds. At the same time, a minority of partnerships carry real risks: the loss of sensitive technology, undisclosed competing obligations, the misuse of dual-use research, or arrangements that conflict with a researcher’s legal duties. The challenge that ‘research security’ tries to meet is to manage those genuine risks without throwing up barriers that would damage the open, collaborative culture on which research depends. This article sets out a proportionate approach, drawing on the framework defined in the research security domain of the CASRAI Dictionary.
Two policy reference points
Two reference points dominate the conversation. In the United States, NSPM-33 — the National Security Presidential Memorandum on protecting the integrity of government-supported research — directs funding agencies to strengthen disclosure requirements and asks institutions receiving substantial federal funding to maintain research-security programmes. Its emphasis is on transparency: knowing who is funding what, and what other obligations a researcher carries, so that conflicts of interest and conflicts of commitment can be seen and managed rather than hidden.
In the United Kingdom, the Trusted Research guidance, developed with the national protective-security and cyber-security bodies, takes a similar but distinctly proportionate line. Its framing is that the overwhelming majority of international collaboration is benign and beneficial, and that the goal is to help researchers and institutions identify the small number of cases where caution is warranted — and to do so without discouraging legitimate partnership. Both frameworks share a premise worth stating plainly: the aim is risk management, not risk elimination, because eliminating risk would mean eliminating collaboration.
Where the risks actually sit
It helps to name the categories of risk concretely, because vague anxiety is the enemy of proportionate action. Conflicts of interest and commitment arise when a researcher has financial interests or outside appointments — including foreign talent-programme affiliations — that are not disclosed and could bias their work or divide their loyalties. Export controls and sanctions govern the transfer of certain technologies, data and know-how across borders, and can apply even to a conversation or a shared dataset, not only to physical goods. Dual-use research of concern covers work that, though conducted for legitimate purposes, could be repurposed to cause harm. And there are data-protection and confidentiality obligations that follow data across jurisdictions with different legal regimes.
Naming these categories matters because the appropriate response differs for each. An export-control question is a legal compliance matter; a conflict-of-commitment question is a disclosure matter; a dual-use question is an ethical-review matter. Treating them as one undifferentiated ‘security’ problem leads either to overreaction or to missing the specific control that actually applies.
Due diligence that is proportionate
The practical heart of trusted research is proportionate due diligence: doing more checking where the stakes are higher, and not burdening low-risk collaboration with high-risk procedures. A sensible due-diligence process asks a graded set of questions. What is the nature of the work — is it fundamental and openly publishable, or does it touch sensitive technology? Who is the partner, who ultimately funds and controls them, and are there links that raise concern? What will be shared — data, materials, know-how — and does any of it fall under export controls? What are the terms — who owns the results, who can publish, are there clauses that would compromise academic freedom or open dissemination?
The point of grading is that a routine collaboration on openly published basic science should pass through quickly, while a project involving controlled technology and an opaque funding structure warrants real scrutiny and, often, expert advice. A process that treats every partnership as a threat will be ignored or resented; a process that treats none as a risk fails its purpose.
Disclosure as the connective tissue
Across both frameworks, disclosure is the mechanism that makes everything else work. Most research-security failures are not espionage; they are undisclosed relationships and obligations that, once visible, could have been managed straightforwardly. Accurate, complete and current-and-pending disclosures — of funding, appointments, in-kind support and outside activities — let an institution and a funder see the whole picture. The move toward machine-readable disclosure formats is making this less of a paperwork burden and more of a maintainable record, and recording these obligations in structured form complements the recognition of legitimate contributions through the CRediT taxonomy: the same record can show both what someone did and what other commitments they hold.
Keeping the lab door open
The risk that gets least attention is the risk of overreaction — of institutions retreating from international partnership, or of researchers from particular backgrounds being treated with suspicion on the basis of nationality rather than conduct. Both the UK and US frameworks are explicit that security measures must not become a pretext for discrimination, and that openness is itself a value worth protecting. A trusted-research programme that makes researchers feel surveilled or unwelcome will cost more in lost collaboration and damaged trust than it saves in averted risk.
The balance, then, is genuinely a balance: assess risk honestly and proportionately, manage it with the specific control that fits, insist on transparent disclosure, and keep the default disposition open. The shared vocabulary for describing these obligations consistently across systems and partners is maintained in the CASRAI Dictionary, which is part of what makes a risk-management conversation possible across institutional and national lines.
Leave a Reply