An important component of the terms of reference was to consider the sector’s awareness of the national security risks, and the sector’s capacity to identify and respond to these risks. Awareness in this context means foundational awareness of these issues, common understanding of key concepts and specific localised awareness of these issues as they relate to a particular institution.
It is important after Chapter 2 which discussed the risks themselves to consider the sector’s ability to identify and address these risks before considering in Chapter 4 the adequacy of government policies and legislation. If it were the case the sector was adequately mitigating and identifying the risks, then there would be expectedly less emphasis on changes to government policies and legislation. However if the sector was unable to identify and mitigate these risks, a stronger policy response would be required.
In measuring the awareness of the sector, the Committee considered the depth and breadth of the responses and the evidence given to the Committee. The first part of this chapter addresses strategic and tactical awareness by the sector as to the national security risks and the second part addresses awareness by virtue of institutional improvements made within the sector to address the national security risks.
General awareness of national security risks
Several universities demonstrated their awareness of national security risks, though this awareness seemingly originated from several different reasons. To a certain extent several of these reasons overlapped with each other as the sector generally commented that their awareness had increased substantially in recent years, and was heavily dependent on the sector’s engagement with the government and security agencies like ASIO.
Awareness and acknowledgement of national security issues
Several submissions noted the importance and relevance of national security risks in general terms. The University of Melbourne said:
The University of Melbourne recognises the importance of ensuring it manages its international relationships in a way that minimises the potential risks inherent in such engagement. The University is continually strengthening its support systems and governance of international research and engagement to ensure risks are appropriately identified, reported and managed, while simultaneously seeking to protect academic values.
Western Sydney University (WSU) discussed the importance of ongoing risk assessment by the sector and said:
The sector cannot become complacent in this matter and therefore have stringent policies, processes and procedures in place to identify even minor unsuspecting threats of foreign interference.
Edith Cowan University (ECU) said it appreciated Australian universities were of interest to sophisticated foreign actors. La Trobe University acknowledged the issue and said:
We also acknowledge the serious threat that foreign interference and undisclosed foreign influence poses to Australia.
Innovative Research Universities (IRU) accepted the premise that the risks existed within the sector and said:
There is a real risk of undue foreign influence, foreign interference, data theft and espionage.
The University of New South Wales (UNSW) agreed with these arguments but provided more nuance, noting in the current operating environment the threat of foreign interference was a significant threat to Australia more broadly, encompassing all sectors (including this one).
The Australian Research Council (ARC) discussed the inherent vulnerabilities present in international engagement and said:
Two-way knowledge transfer is an inherent element of collaborative research and can be highly beneficial to all parties. The ARC recognises, however, that it is critical that the work of Australian researchers is not compromised by foreign interference that may put universities’ people, information, intellectual property and data, or national security at risk. It is also important that the benefits of Australian funded research accrue to Australia and that intellectual property or technology arising from research is appropriately managed and safeguarded.
Innovative Research Universities described the challenge that universities faced and said:
The challenge is clear for universities. We are organisations committed to openness and sharing of information to advance knowledge. If foreign players seek to use that knowledge to harm or otherwise undermine effective university functioning, our response must both resist interference and retain universities’ capability to achieve our fundamental goals.
Mr Alex Joske observed the sector had significantly improved its awareness in the past few years and agreed with the general observations from the sector, saying:
Things have improved over the past two years. We moved from a position of real naivety in the university sector where the UFIT guidelines have come in. More universities are signed to implement them. That, in itself, is a reflection of a greater appreciation of the problem. But, of course, it’s not uniform across the sector.
ASIO said the level of awareness of universities about the risk had changed for the positive since 2016. The ANU said their engagement with ASIO was occurring in 2016 but had increased dramatically since that period. ANU said of this engagement:
The relationship, starting in 2018 ramped up dramatically. It expanded to other agencies, like ASIO, ASD, ONI, Home Affairs and the Department of Foreign Affairs and Trade. The relationship went from a baseline, ‘this is the environment and here are specific issues’, to, ‘we need to think strategically about how to deal with foreign interference and the issues around that’.
The University of Sydney said conversations around foreign interference began to intensify towards the end of 2018 but engagement with the agencies went back to 2010 on the topic of defence export controls and autonomous sanctions. The University of Melbourne noted a roundtable at ANU around 2017 convened by the ANU for all Group of Eight vice-chancellors which had a very detailed briefing from ASIO, DFAT and the Office of National Intelligence (ONI). They said it had a big effect on the vice-chancellors present. The University of Technology Sydney (UTS) discussed the shift in topics discussed between the sector and government and said:
It would have been around 2016-17 that the nature of the conversation changed from focusing mainly on areas of research related to defence trade controls to the broader questions of foreign interference.
The sector broadly acknowledged national security risks existed within Australia (therefore including the sector) and it was reasonable for government to want to manage these risks. Submissions varied substantially at this point in the sophistication of their responses and the degree to which they acknowledged manifestation of risk in the sector.
Griffith University said they believed the vast majority of foreign engagements did not present national security implications. Australian Catholic University (ACU) agreed and said the risk of foreign interference in higher education or research could exist, but it was important for efforts to be concentrated on areas of genuine risk. ACU did not however provide any illumination as to what those areas were.
University of Canberra said it had a ‘strong understanding of the security risks that international connectivity brings and the potential fail points that exist across the spectrum of university activities’.
Awareness of risks as a result of a changing geopolitical context
Several submissions cited the changing geopolitical global environment as the genesis for their awareness of national security concerns. These submissions discussed the uncertainty and complexity now found in international relations which impacted the sector. Submissions tended to agree that the risks materialised within the sector, but noted these risks were not unique to one sector of Australian society. The University of Melbourne said of this:
As the global environment becomes increasingly uncertain and some of Australia’s key relationships in Asia more complex, universities, like other sectors, are working to navigate those challenges in a way that preserves the benefits of our international connections while safeguarding the national interest.
Adelaide University broadly concurred with this argument and said awareness of the risks had shifted substantially in recent times:
The environment in which international engagement can and does occur has fundamentally changed in very recent times.
In discussing universities engagement in a global context Universities Australia (UA) said international exposure brought with it benefits but also risks, saying:
The success of our universities is predicated on their ability to engage, and to collaborate with our international partners. In managing their collaboration, universities are conscious that our connected world presents not only opportunities but risks.
Generally it was apparent the national security risks had risen in prominence for the sector in the last several years. The University of Canberra (UC) agreed with this argument and indicated this was due to both changing geopolitical realities and engagement with government, saying:
These matters have been at the forefront of Government to Sector dialogue in recent years… The rapidly changing geo-political environment is bringing these risks into sharp focus and with it an increasing awareness of the need for personal and institutional risk mitigation and practice.
Adelaide University made the following observation on the recent shift and said:
The ground has shifted: international activities previously encourage, and seen as a mark of success, are now seen through a quite different lens.
Awareness as a result of participation in the Defence Industry Security Program
Submissions noted their participation in Defence Industry Security Programs (DISP) as evidence of their awareness of the national security risks. These submissions noted the set standards and requirements issued by Defence as part of membership within the program. UWA said they had reviewed and strengthened security in governance, personnel, and physical and cyber security as part of the registration with DISP. Monash University said their high rating within the DISP had required a high degree of cyber security which was underpinned by the Monash ‘Cyber Security Strategic Plan’. The Go8 noted all Go8 universities either had, or were in the process of obtaining, DISP membership.
Awareness as a result of legislation and ongoing engagement with Government
Several universities listed the various government legislative regimes they participated in as evidence of their awareness of the national security issues. These arguments tended to show that by being subjected to national security legislation, and existing within regulatory regimes, the sector would demonstrate its awareness of these risks by virtue of implementing government schemes. Several submissions drew attention to the fact that there was already a range of mechanisms that purport to address national security concerns as they relate to the sector. To demonstrate the breadth and depth of these requirements, the University of Sydney listed several laws that Australian universities must comply with:
Charter of the United Nations Act 1945
Weapons of Mass Destruction (Protection of Proliferation) Act 1995
Autonomous Sanctions Act 2011
Defence Trade Controls Act 2012
Foreign Influence Transparency Scheme Act
National Security Legislation Amendment (Espionage and Foreign Interference) Act 2018
Australia’s Foreign Relations (State and Territory Arrangements) Act.
As well as discussing the legislative framework many submissions discussed the engagement between government and the sector on these issues and argued the engagement proved sectoral awareness of the risks. Science and Technology Australia said the sector’s awareness of the national security risks was high in part due to detailed engagement with the government for several years.
Several submissions noted their participation in UFIT as evidence of their awareness of the national security risks. Queensland University of Technology said following the development of the UFIT guidelines there was a much greater mutual understanding of the risks. This argument was one of both engagement, education and co-design of responses, with all three being reasons for increased sectoral awareness.
The University of Melbourne noted the nuance required by both the sector and government, and highlighted the broad agreement between the two on these issues saying:
The University recognises that the Australian Government is not suggesting that valuable global engagement should cease; but rather, is proposing that the known and emerging risks should be effectively managed. The University concurs and stands ready to collaborate in a two-way, respectful working relationship between universities and government.
La Trobe University said due to the numerous requests to comply with foreign interference guidelines and legislation over the past two years, their awareness had never been more acute. This notion of awareness by virtue of government advice was common amongst submissions. This reflected the sector’s strategic awareness of national security risks rather than tactical or specific awareness of their manifestation in the particular institutions.
The University of Sydney said due to Australian Government intelligence advice, they were aware the security threats Australia faces were ‘real and increasingly sophisticated’.
Balancing national security and international collaboration
Universities repeatedly pointed out their commitment to both countering foreign interference and fostering an international education and research environment that aligned with government objectives. A common recommendation was for the Committee to both acknowledge the importance of universities’ international cooperation and provide recommendations to the Australian Government on how to ‘strike the balance’ between safeguarding national security and international cooperation. Charles Darwin University put it simply and said:
We would like to emphasise the critical importance of maintaining the correct balance between research collaboration and security concerns.
Australian Catholic University discussed the challenge faced by the sector in avoiding regulatory burden while protecting it against national security risks, saying:
It is important that regulations designed to detect and combat foreign interference do not unduly stifle, or place excessive regulatory burden on, the important work universities do with international partners, especially for research and via international outreach and collaborative programs. Such relationships have been a pivotal component in enabling Australian universities to achieve excellence and build the capacity and reputation of Australia’s university sector, features often celebrated by government. Such relationships will be all the more important as Australian universities, and the nation more broadly, seek to recover from the impacts of the coronavirus pandemic and navigate a challenging and competitive post COVID-19 international environment.
Some responses took this argument further, noting not only there existed a balance, but that actions in favour of national security could come at the direct expense of the sector. Commenting on the financial impact of oversight reporting , Science and Technology Australia said:
Every dollar spent complying with oversight reporting obligations is a dollar not spent on investment in new science and technological breakthroughs. There is always a careful balance to be struck here.
The Group of Eight (Go8) noted the requirement for nuance in dealing with national security issues and cited statements from ASIO in this respect. They noted the balance to be struck between placidity and over reaction. ASIO said of the importance of balance:
It is clearly important to have effective mechanisms in place to be able to respond to threats of espionage and foreign interference. However, these responses need to be carefully balanced with the need to enable Australia’s higher education and research sector to perform their core role – to educate students and generate innovative research.
ASIO put bluntly what many other submissions had alluded to, saying:
Having effective mechanisms in place to counter foreign interference and espionage does not need to come at the expense of the openness and international collaboration that is a hallmark of the higher education and research sector.
Specific awareness of particular national security risks
After broader discussions around awareness of the national security risks, several submissions then provided more localised and specific examples related to particular institutions. This section will discuss more specific awareness of these issues before turning to mechanisms employed by the sector to counter the national security risks at their institutions.
Specific awareness of foreign interference
ANU said their thinking on foreign interference was framed most substantially through their own experience with two related data breaches. Several other institutions referenced the ANU cyber compromise in their submissions as relevant to the development of their own processes. ANU said they were aware of foreign interference at their institution before 2018.
ANU described their own understanding of foreign interference as a risk and said:
We looked at three very key vectors for foreign interference, one being cyber security, one being narrative control on campus and the other being foreign interference in research. Because they all had different risk owners across campus…we wanted one capability that would be able to link the information flows between them to make assessments in a coherent and consistent fashion.
Australian Catholic University said they would be an unlikely target of foreign interference in part due to their international collaboration areas not being sensitive areas. Western Sydney University concurred and said they had not identified any instances of foreign interference with their international partnerships and they said:
To date, Western Sydney University has not experienced any foreign interference or threats of foreign interference from any of our international collaborations and we believe our security practices and oversights will ensure this continues to be the case.
Innovative Research Universities discussed the focus of foreign interference on ‘low-level’ incidents that they argued had no impact for national security which was a contrary point to most other submissions with IRU saying:
Political and public debate around these issues too often centres around occasional, low-level incidents about course material, classroom interactions, and activism on university campuses that have little to no implications for national security. Universities are places where views should be exchanged freely and frankly among students and with teaching staff, some of which will challenge deeply held assumptions of students, whether Australian or international. This free and frank debate should be considered a positive think and keeping with Australia’s standing as a free and democratic nation.
ANU made the following observation of foreign interference and the correct response to it:
ANU views foreign interference as a human-centric challenge. One, which like all aspects of information security, forms at the nexus of people, process and technology. It requires us to understand the motivations, behaviours and decision-making norms of our community; as well as the shifting threat landscape in which we find ourselves operating. In our experience, foreign threat actors will use a range and mix of overt and covert approaches to achieve the intelligence and national aims of their respective countries. Consequently, for ANU foreign interference is a set of interconnected vectors designed to access people and information, necessitating the need for a unified and centrally managed security capability. While there is a range of risk owners depending, on the nature of the threat, there is one coherent supporting set of countermeasures and safeguards.
ANU noted three possible vectors for foreign interference and the countermeasures they would undertake against these vectors. The first was cyber operations which included: unauthorised access, supply chain interdiction and data theft. The second was interference in research which included: grant programs; gifts, donations and investment; appointments and awards; talent programs and recruitment; agreements on sensitive research; and the use of front or shell companies. The third was human intelligence operations and policy which included: economic or social coercion; narrative control; physical access operations; surveillance; cultivation; and the use of student associations. ANU said for the cyber category they had developed a cyber security program, for the interference in research category they had created the Foreign Interference Advisory Committee (FIAC) and supporting intelligence and outreach functions, and for the human intelligence category they had developed a social cohesion plan as well as outreach activities, reporting and analysis.
Specific awareness of undisclosed foreign influence
In response to sectoral awareness of foreign influence and foreign interference ASIO said:
I would suggest that the understanding of that at the executive level in universities has improved considerably over the last number of years because of the collaboration between government and the sector. But there’s more understand to be had there, as is the case equally, if not more so, I would suggest, across society.
No submissions specifically addressed known examples of undisclosed foreign influence.
Specific awareness of espionage (including data theft)
The Committee considered foreign talent-recruitment programs as part of the inquiry given the substantial number of submissions which discussed these programs as possible avenues of technology transfer and espionage. Generally, these are schemes run by foreign governments to identify and recruit academic ‘talent’ to part-time quasi-commercial and academic roles in the foreign country. The University of Melbourne discussed talent programs in their submission, noting talent programs themselves were advantageous but there could be misuse of these programs to serve foreign state objectives. Many submissions from the sector did not address talent programs, though several non-sectoral submissions did. The UoM said of these programs:
University sector peak bodies have conveyed the Australian Government’s affirmation that talent programs can potentially encompass both legitimate and illicit research activity.
Mr Alex Joske said talent recruitment programs raised serious national security issues but also noted:
They break down and take advantage of the fundamental trust and integrity that science relies on.
Mr Joske said talent recruitment was not just about technology transfer but related to the national security risks of interference and influence. ASIO said the existence of the thousand talents program was not of itself concerning but said:
It’s a natural extension of China’s strategic plan to be a world leader in technology and to secure their economic and military advantage. China has been open about their ambitions in this space and how it serves their national interest.
The Go8 additionally quoted ASIO Director General Mike Burgess in their submission relating to talent programs:
I should point out that, being a member of the Thousand Talents Program of itself is no problem – and, for those who are, generally that is fine. Obviously, declaring that and being open about what associations you have is always good policy. But being a member of the Thousand Talents Program is not in itself a problem for me or Australia in general.
The Committee accepts and agrees with this evidence and, in setting out the below evidence, makes no judgement on individual academics.
The University of Melbourne noted recent analysis of Chinese talent programs which suggested some of these aimed to expand China’s strategic interests and generate access to valuable research and technologies. The University of Melbourne noted concerns had been raised these talent programs could increase risks of both foreign interference and the theft of information (which would be considered as both espionage and foreign interference, discussed above).
The University of Melbourne discussed their approach to foreign talent recruitment programs and said:
Participation by staff will generally not be supported unless faculty can demonstrate that, firstly, the benefit to the university outweighs the risk and the cost; secondly, the award does not pose unacceptable foreign interference risks.
In relation to awareness of staff participation in talent-recruitment programs ANU said:
We do not have 100 per cent coverage, in my opinion, but we are ramping up. As described at Adelaide [University], academics are being asked and will be required to make a submission. That process is ongoing. It’s a new process, given the environment. I think that, once that is completed, we will have a high level of compliance. It will never be 100 per cent, as you know, but it will be a very, very high level. I think that, from a national security point of view, the overall residual risk to the nation will be very small.
Melbourne University said they required all staff disclose all paid outside work and commitments under their annual performance review process. They said they were now developing a centralised platform for being able to aggregate this information and to search this information. UQ said they had instigated investigations of current staff who have been involved in foreign talent programs.
Mr Joske provided a specific example of membership in a talent program that could be a security risk in UTS Professor Mao Guoqiang who Mr Joske said had entered the thousand talents program after the program itself became more covert in 2019. Mr Joske said Professor Mao had previously worked on Australian and American defence projects and joined a Chinese institution with strong links to the PLA. UTS said they had processes before but had upgraded those processes now. They said cultural change was required to mitigate this risk and it was their evidence that Professor Wang was not in the thousand talents plan as they understood it.
In relation to talent-program participation and international engagement more broadly UTS said:
I absolutely agree that transparency is not sufficient. I agree with the proposition from the senator and my colleagues that we have to ring-fence certain areas. I will also say quite simply – I can go to chapter and verse – that our risk management processes are not just in the areas of research but very much in who you are partnering with.
ANU discussed the evolution of their thinking on talent recruitment programs, noting the recent evolution and said:
I think it is fair enough to say that that way of thinking about things has evolved over the last three of four years, thinking before that time transparency was sufficient.
Mr Alex Joske provided a specific submission which was detailed on Chinese Communist Party (CCP) talent-recruitment programs, and their ability to facilitate technology transfer to China – often for military and security applications. Mr Joske said the Chinese Government had recruited 60,000 individuals globally for these purposes between 2008 and 2016 in an effort to reduce China’s reliance on foreign technology. Mr Joske described the programs as diverse and flexible, offering benefits to the recipient in exchange for them working for Chinese institutions while maintaining their existing employment. Mr Joske said provincial Chinese governments recruited roughly seven times more people than the national government through the Thousand Talents Plan. Additionally Mr Joske said talent plan membership itself was not illegal. Mr Joske said:
These programs are a conduit for technology transfer and have been used to incentivise misconduct and theft.
Mr Joske said there were 325 participants in CCP talent-recruitment programs from Australian research institutions. Mr Joske said identified recruitment in these programs appears to have peaked in 2017 and said around 40 per cent of participants were no longer in Australia. Mr Joske said approximately 300 Chinese scientists had been sent to Australia from China since 2007 where they worked on ‘military-use technologies’ such as radar, supercomputers, cryptography and drone swarms. Mr Joske said there were at least 57 ‘recruitment workstations’ established in Australia to spot and recruit individuals for these talent programs. Mr Joske said a key issue was the lack of disclosure by participants in these programs. Mr Joske in his submission listed the top ten Australian universities by talent recruitment program participants.
Mr Joske said there had been some improvement in institutions abilities to respond to talent-recruitment programs but said:
Research institutions’ responses to talent recruitment sit on a broad spectrum, and many of those worst affected do not appear to have confronted the problem yet.
Often the issue Mr Joske identified with talent program membership was that the disclosure was insufficient rather than non-existent. This was closely related to the argument given by several submissions that talent recruitment programs themselves weren’t illegal, but could be used for illegal purposes. In several instances the individual had some aspect of their talent recruitment membership on their Australian profile, but on their foreign (generally Chinese) profile there was significantly more information that detailed the arrangement. While some of these instances could surmount to espionage, primarily this is an issue for universities to resolve through risk management, due diligence and staff management policies.
Mr Joske said the agencies that oversee China’s talent recruitment efforts had themselves been implicated in espionage. Mr Joske said:
There have been cases of the Ministry of State Security, which is the Chinese government’s foreign intelligence agency, recruiting people through the Thousand Talents Plan and taking them with stealing technology. That happened in a case in the US, where an engineer was tasked with stealing gas-turbine jet-engine trade secrets from a US defence contractor.
Mr Joske provided another detailed example and said a former UQ professor joined the Thousand Talents Plan while employed by UQ and receiving ARC funding. Joske said this professor set up an artificial intelligence company in China which supplied surveillance technology to authorities in Xinjiang. The ARC said they were aware of that particular case and were following up with the employing institution. The ARC said they received an anonymous complaint about an alleged breach of the ARC grant agreement involving Professor Heng Tao Shen in 2016.
Mr Joske provided another detailed example and said UNSW professor Xue Jingling received $1.794 million in ARC grants while affiliated with the People’s Liberation Army (PLA) National University of Defence Technology. Mr Joske said Xue was an expert in supercomputers and supervised nine Chinese military scientists at UNSW. Mr Joske said Xue’s research partners included two PLA generals in charge of the PLA supercomputer program.
Box 3.1: UQ Professor uses Australian funding for Chinese benefit
Mr Alex Joske said University of Queensland Professor George Zhao received conditional Australian Research Council funding for battery technology research whilst commercialising said technology in China and not disclosing this in Australia.
Mr Joske provided another detailed example and said UQ Professor George Zhao participated in two CCP talent-recruitment programs and led a research institute and company in China. Mr Joske said Professor Zhao received the ARC Future Fellowship between 2011 and 2017, and the Australian Laureate Fellowship between 2017 and 2022 for a total of $3.9 million in funding for research on energy storage technology. Mr Joske noted Professor Zhao took up several positions in China while receiving ARC funding including establishing a company selling batteries in China. Mr Joske noted 39 patents listed in China since 2015 had listed Professor Zhao as their inventor, with none being associated with the University of Queensland. Mr Joske noted the discrepancy between Professor Zhao’s profile with UQ, and what was available via open source media.
The ARC said they were aware of this particular allegation and were working with the university to further understand it.
Box 3.2: ANU Professor teaches drone swarm technology to Australian and Chinese militaries
Mr Alex Joske said Australian National University Professor Brad Yu Changbin concurrently developed drone technology for the Australian and Chinese militaries, as well as training the PLA chief drone technician, and received ARC funding
Mr Joske provided another detailed example and said ANU professor Brad Yu Changbin simultaneously belonged to defence-funded drone swarm projects in Australia and CCP talent-recruitment programs. Mr Joske said Yu trained a PLA scientist who was now chief technician of the PLA military drone swarm program. Mr Joske said Yu was working on United States and Australian defence-related drone projects while training the PLA chief drone technician. Mr Joske noted Yu had also received ARC funding. Mr Joske said of this incident:
A lot of these issues were known to ANU, clearly, or at least they had the ability to know that these kind of things were being undertaken, that he had brought in a Chinese military scientist as a PhD student while working on drone swarm projects for DST and that this scientist is now chief technician of the Chinese military’s fixed-wing drone swarm program. So, there’s a question of why these issues weren’t identified when he was at ANU and also whether these issues were identified when he was at Curtin University and whether ANU helped with that, for example. It clearly shows that transparency isn’t enough. Certainly transparency isn’t enough when there isn’t an understanding of the problem and how to respond to it and why these things might be problematic.
The ANU said in response to this incident:
Associate Professor Yu left us in 2018. The reason for that was that we did point out to him that he had a conflict of commitment between the work he was doing in China and the work he was doing at ANU. We asked him to make a decision about his future and that decision resulted in him leaving ANU.
ANU said after this incident they reviewed and refined their processes. Of note ANU said the issue was the competing obligations rather than anything substantively wrong with the conduct itself. ANU said they employed Professor Yu from late July 2008 until mid-December 2018. ANU said Professor Yu was employed at Westlake University in 2017 and presented at a Youth Conference in China in June 2017 as a Westlake Lab Leader. ANU said once they were aware of this apparent conflict of commitment they approached Professor Yu to resolve the matter which resulted in his departure from ANU.
After discussing talent recruitment programs in universities Mr Joske detailed several instances of CSIRO employees participating in CCP talent-recruitment programs. Mr Joske said at least 24 CSIRO employees were believed to have joined talent-recruitment programs, although most appeared to have left CSIRO to join these programs. Mr Joske noted six cases where CSIRO employees maintained their employment while participating in talent programs.
Mr Joske said CSIRO Senior Principal Scientist Lu Liming was recruited to the University of Science and Technology Liaoning (USTL) via the Liaoning province ‘Pandeng Scholars’ program’. Mr Joske said the Liaoning Provincial Government indicated participation required working for USTL for at least nine months, would be hired for three years and receive $300,000. Mr Joske noted Lu’s CSIRO profile described him as an adjunct professor only. CSIRO said of this incident:
We are very confident that none of our employees are part of the Thousand Talents program.
CSIRO additionally said to the best of their knowledge that was historically the case for all Chinese government talent recruitment programs. In response to Mr Joske’s findings CSIRO said:
I believe that Mr Joske arrived at a conclusion through an open-source assessment process…As far as participation by employees on projects goes, we’re confident that we don’t have any members that are participating in talent programs.
CSIRO said they had an ‘outside work policy’ which would require checking and approval by CSIRO. CSIRO said they were running an ‘active and intense program’ in relation to conflicts of interest.
In a broader discussion around the costs to talent recruitment programs to the national interest Mr Joske said CCP talent recruitment activity in Australia could have been associated with $280 million in grant fraud in the past two decades. Mr Joske noted at least 59 individuals received fellowships from the Australian Research Council while concurrently working in China on related technologies. Mr Joske noted ARC grants come with disclosure requirements and in some instances prohibit both external employment and not residing in Australia. The ARC said they had spoken to Mr Joske about the 59 names and said:
With respect to Mr Joske’s specific number, we don’t know whether the dataset that he has identified is the same as the one we have, because we don’t have that specific information.
When asked as to whether the ARC was aware of the conduct when it was occurring the ARC said:
No. We’re aware of some allegations against named researchers, including those that Mr Joske has raised, but certainly we are not fully aware of 59 individuals who’ve held laureate fellowships et cetera who have these specific allegations against them.
Mr Joske said universities themselves were legally responsible for managing grants received by their employees and wrote they had an ‘obligation to improve their responses to CCP talent-recruitment activity’. Mr Joske recommended centralised staff travel databases and staff briefings on foreign talent recruitment programs and university policies. Mr Joske said:
Effectively addressing CCP talent recruitment would help restore confidence in the research sector’s ability to meet standards of integrity, ethics and security when engaging with China.
Specific awareness of national security related cyber risks
Several universities discussed their increasing awareness of cyber-related risks. Western Sydney University (WSU) discussed the increasing awareness within the sector of national security risks, as highlighted by the ANU cyber compromise, saying:
In recent years, the university sector is becoming increasingly aware of the risks of foreign interference, data theft and espionage, particularly following the cyber attack on a major Australian university in 2018.
It is likely the ANU compromise identified has prompted greater introspection and then development within the sector. The CSCRC said of this:
Australian universities are no stranger to malicious cyber activity, with the most high-profile example being the hacking of ANU in November 2018.
ANU said the two breaches they had reported were their only data breaches.
The University of Technology Sydney (UTS) said they had created a joint Chief Information Security Officer (CISO) capability between UTS and the University of Newcastle. UTS noted that cyber security required strong cultural change in addition to technical improvements.
CSCRC said the ANU intrusion was only detected during a baseline threat hunting exercise and the malicious actor had remained on the ANU network for approximately six weeks up to December 2018. Innovative Research Universities suggested the major cyber risk to be interference with university operating systems. This incident clearly demonstrates that cyber security incidents are eminently possible within the sector.
The Council of Australasian University Directors of Information Technology (CAUDIT) said all universities were different and the risk profiles differed between universities which meant a ‘one size fits all’ approach was not effective. CAUDIT noted achieving university wide adherence was onerous and cost prohibitive and an ‘enclave’ model was instead favoured per the Defence Industry Security Program in protecting the defence research parts of a university. CAUDIT noted the impact on university budgets from COVID-19 was impacting universities’ ability to invest in cyber security.
The Sector’s capacity to identify and respond to national security risks
The Committee considered the existing abilities of the sector to identify national security risks. Primarily this was through analysis of the improvements made within the sector based on their understanding of the risks, itself informed by engagement with government. In doing so, it analysed the submissions of the sector as well as hearings with the sector and relevant agencies. Some submissions did not provide any detail on their capacity to identify national security risks beyond acknowledging these risks existed. Other submissions provided exhaustive and comprehensive outlines of actions taken and risk management frameworks.
Changes over time, maturity gained
In a broader discussion around changes over time to the sector’s ability to respond to these risks DESE said universities had developed ‘far greater’ awareness of national security risks through initiatives such as the UFIT guidelines, though ongoing engagement was critical due to the evolving nature of the particular threats. The University of Queensland concurred and said a significant amount of sector-wide activity was being undertaken on these topics, most notably through UFIT and then involving Go8 and UA. UQ noted the significance of the sector engaging on this topic as a sector, as well as individual engagements.
CSCRC made the following observation of the sector, indicating awareness within the sector in the past was poor:
There is no doubt over the past several decades, Australia’s higher education and research sector has been in a state of complacency.
CSCRC said there were no ‘silver bullet solutions’ to national security risks in the sector, but a combination of risk management and risk mitigation strategies could assist the sector in responding to these risks.
CSCRC said the sector’s reliance on international funding through international students had led it into a precarious position. It would be possible therefore this exposure had made these institutions vulnerable to international pressure and interference. The CSCRC noted:
The higher education and research sectors are not immune – they are targets. And for many years, they have been soft targets.
Submissions discussed international student populations with UQ contextualising this issue and saying:
I think universities were always very conscious that they needed to diversify the source countries of their international students and that an overdependence on one country was exposing them to a level of risk. Whether that risk was geopolitical or whether it was more narrowly economic would just depend on the circumstances at the time.
The sector and relevant government agencies broadly agreed the sector was capable of identifying and responding to the national security risks. Or at least, the sector had matured its ability to do so.
Process improvements: Risk identification tools, due diligence, policies and processes
Submissions discussed several process improvements they had made to respond to these risks which included the development of analytical capabilities, due diligence and internal policies to identify and respond to risks,. ASIO provided context to this point and said risk management for these threats was a continuous exercise as the threats changed and evolved. Several universities provided overviews of various risk management tools, policies and processes they had implemented, or were in the process of implementing. The genesis for many of these measures, based on the evidence received, appeared to have been the UFIT guidelines and to a smaller degree the cyber compromise ANU suffered.
La Trobe provided an example of this and said they had developed a foreign influence, interference and sanctions risk management tool. In their submission they said all their employees had access to this tool which the use of was mandatory before international agreements were made. La Trobe said:
The tool helps to identify potential risks with the agreement and if the agreement is flagged as higher risk, users are guided to the Risk Management Office for independent risk assessment and further due diligence. In addition, the tool assesses compliance against current sanctions regimes being implemented by Australia and specific foreign interference-related legislation such as the Foreign Influence Transparency Scheme.
Macquarie University said they had been actively collaborating with Universities Australia to share best practices to learn and share with other universities. WSU said several universities had established foreign interference taskforces and working groups who were working proactively with other actors to share knowledge and best-practice guides on countering foreign interference. Griffith said in response to the UFIT guidelines they had been ‘actively engaged in managing and monitoring risk areas relating to potential undue foreign influence and interference’. Griffith said:
[Griffith] was focussed on incorporating countering foreign interference risk management into our existing relevant frameworks. The goal is to ensure a robust approach to reduce vulnerabilities and mitigating foreign interference threats to the University’s people, information and assets; this also serves to protect the reputations of individuals and the institution and to maintain strong partnerships.
The observation from Griffith was integration of risks into existing processes would avoid unnecessary duplication and promote a strong security culture. University of Western Australia said they had conducted a review of national security and foreign interference risks at the university.
La Trobe discussed changes they had made to contracts and said they were altering the standard contracts used by the university in direct response to foreign interference-related legislation. They provided the example of varying IP clauses to ensure parties were unable to exploit any IP rights were in any way connected with defence or military applications, racial profiling or security surveillance.
The Australian National University said they had established an analysis capability within their newly created Information Security Office. ANU noted this capability used industry partners, data sources and linguistic support to form assessments on international parties. ANU said they would consider, among other things: links to foreign intelligence services; links to foreign military; activities which may represent illegal technology transfer or intellectual property theft; financial impropriety; activities which may affect Australia’s economic, security or social wellbeing; and activities which are contrary to ANU values. ANU said non-mitigable risks were those that, having considered available mitigation strategies, have a residual risk of foreign interference above that acceptable to the University in managing its obligations under the UFIT Guidelines. ANU said the primary source of risk they had identified in previous or ongoing engagements was a lack of institutional autonomy on the part of the foreign entity.
The University of Sydney said all their international engagements were subject to three ‘key principles’. These were: the engagement was consistent with the University’s objectives, the engagement complied with Australian laws and guidelines, and the engagement was conducted consistently with university policies.
CSIRO said they had undertaken a ‘wide-ranging security reform program’ across their organisation which included developing risk management mechanisms. CSIRO said this had included the development of a tool which would:
Integrate CSIRO’s risk and security assessment process and create a uniform approach across the organisation, providing a greater level of awareness, consideration and assurance of the risks and sensitivities.
CSIRO said this tool would assist decision-makers look at opportunities and risks associated with each new international proposal. CSIRO said this would be used to make assessments on dual-use technologies which CSIRO said was both country agnostic and military agnostic. They said it went beyond military application and took into account other considerations such as human rights.
The University of Tasmania said determining how to best manage international relationships required:
Clear-eyed assessment of how these relationships relate to our national interests and to be prepared not to enter them or to restructure them if they don’t serve our interests.
The University of Tasmania said they used strategic and operational controls; foreign influence/interference policy principles; risk appetite statements and operational decision-making tools to assist in this process.
The University of Tasmania said they introduced an ‘Adversary Test’ to protect knowledge assets. The University of Tasmania said if an adversary could not obtain certain information via cyber means then they would need to devote resources to obtaining the information – and it is this information the university should therefore be protecting. The University of Tasmania indicated the amount of information at this threshold would be quite limited, generally either relating to national security capabilities or commercially valuable intellectual property. The University of Tasmania wrote national security information is generally protected through existing government safeguards, but these did not exist for the commercially valuable information. The University of Tasmania said after rigorous analysis and identification and protection of these ‘crown jewels’, the remaining bulk of information can be kept freely available. The University of Tasmania argued a well-designed, layered, defence strategy was the most effective mechanism against these threats.
The University of Queensland said they had implemented several disclosure tools. UQ said these tools were designed to identify (on an ongoing basis) conflicts of interest, secondary employment, sensitive research and foreign influence. UQ said the benefit of these tools included raising awareness, educating staff, providing accountability and enable enterprise risk management. UQ said they had additionally established a Foreign Influence Task Force to identify and address risks around foreign influence.
CSIRO said they had implemented pre-employment checks for all their new employees alongside a ‘designated security assessed position list’ which specified requirements for particular roles. CSIRO said they had also developed physical and cyber security arrangements for staff travel.
The University of Melbourne said membership in talent programs was subject to several internal measures, including disclosure under existing policies, assessments and due diligence, and review by the ‘Research Due Diligence Advisory Group’. They noted participation in talent programs would not be captured under the Australia’s Foreign Relations Act and sometimes would not be covered under the FITS Scheme.
Mr Joske most institutions had policies in relation to these issues already and said:
Why aren’t those existing processes working? I think it’s partly those processes not being sufficient – universities not pursuing these problems fully, not having the investigative capacity to actually get to the bottom of things – and partly a problem of culture. People have been turning a blind eye to these practices.
Analytical improvements: Due diligence and intelligence sharing from government
Submissions discussed the sector’s capacity to conduct due diligence and the reliance of input intelligence from government to this end. Several universities submitted their ability to properly undertake risk analysis was hampered by the lack of access to contemporary and relevant risk information, most likely held by Australian government departments and intelligence agencies. University of Western Australia (UWA) said:
As a single institution with access only to open source intelligence, UWA is unable to provide either data or judgement on the prevalence, characteristics or significance of these risks, beyond noting the range of publicly available information and the seriousness of the issue.
UNSW noted an example whereby they engaged with ASIO, DFAT, DESE and the Department of Home Affairs before entering into a research partnership with the Qingdao International Academician Park in 2019. UNSW said this close liaison including counsel on best practice due diligence and aligning the program with the UFIT guidelines and Australia’s national interest.
The University of Sydney said their due diligence included consideration of: sanctions; technologies’ uses; potential impacts of technologies; terrorist and blacklisted companies’ checks; UFIT guidelines; advice from Australian government departments; and other means.
Mr Joske said conducting due diligence in relation to the national security risks was difficult research to do. Mr Joske said of this research:
This sort of research is very time intensive and it relies on people with skills that aren’t very common. It’s really not just Chinese-language skills, but also that background knowledge of tech-transfer issues, the Chinese Communist Party, political interference and the ability to actually do original, empirical research on these topics.
ASIO broadly concurred with this point and discussed the limitations of what universities could do on their own in this regard and said:
I’d acknowledge that there are limits to what private organisations, such as universities, or research sectors can do to background-check either individuals or organisations. Having said that, we encourage them to do what they can lawfully, and we’ve helped them by providing them with what we call a due diligence tool that allows them to ask questions and get answers in a structured way…I suggest there’s more that they could do to seek information and assure themselves the best they possibly lawfully could that they are making an informed decision.
The University of Melbourne said the national security expertise across government could not be replicated in the sector. They requested clarification from government as to the extent to which universities could leverage government assistance in various areas, and the clarification of roles and resources available. A similar point was raised by the ARC who said they were not national security specialists. UA recommended a mechanism be developed to provide individual universities with access to timely, tailored advice based on government information and expertise. The University of Tasmania said in some instances university activities could be time-sensitive such as funding applications and access to accurate, authoritative information in real time would be ‘critical’ to making timely assessments.
The University of Melbourne requested appropriate access to intelligence-based guidance from government to assist the university in risk decision-making. They suggested both support from security agencies on practical issues and higher level advice would be advantageous and result in more adaptive and confident risk assessments by the universities. The University of Sydney said clear advice and information about emerging risks was required as publically available information was not sufficient for proper risk analysis. The University of Sydney noted the value of ad hoc advice from ASIO, but requested a framework to ensure this process continues and deepens.
UWA said universities could receive greater assistance from the Australian Government with due diligence. UWA said the onus was on individual universities to make due diligence decisions based on open source information such as the United States Entity List and Unverified List, or the Australian Strategic Policy Institute’s tracker. UWA assessed this was a weaker system than a government-provided list or a process of ‘active assistance’ from government in due diligence assessments using government intelligence. The University of Tasmania suggested access to government intelligence and data would assist in decision-making processes. Monash University said they were engaging external advisory firms for due diligence purposes. The University of Tasmania said they had found their engagement of external law firms was not sufficient to inform robust decision-making.
ASIO said there was scope to further assist the sector by providing them information on what areas of research would require protection, but noted the development of these government policies to the sufficient level of clarity would be a complex task. ASIO noted the benefits to this would include allowing ASIO and the sector to prioritise key areas.
UA noted on the topic of due diligence, universities could undertake the processes but could not do complex security vetting of individuals which would be the remit of Government agencies.
Policy and procedural improvements: Revising and creating
Submissions discussed the substantial changes made to university policies in recent years as a result of the national security risks. Monash University said they were reviewing several internal policies to ensure compliance with the national security risks. Monash said this included the ‘Due Diligence Risk Assessment guidance materials’. Monash said their university philanthropic gifts and intellectual property policies were in effect. Monash said all international arrangements were reviewed by the Monash University Global Engagement office, as well as the Monash Research Office or Deputy Vice-Chancellors’ offices as required.
This included broader discussions around transparency which would feature in policies and UNSW said they were seeking to achieve ‘active transparency’ which included things like mandatory disclosure processes for all staff. UWA said they had commenced work on an expanded register of staff members’ external links, affiliations and employment.
The Australian Technology Network of Universities said the University of South Australia had appointed a Defence and National Security Officer to be responsible for all security matters relating to defence research and education at the University of South Australia, including the implementation of governance and risk management practices.
Adelaide University said they had requested each staff member to make a personal declaration about foreign engagement. They said:
That’s a great tool for raising awareness, because suddenly all the staff are being confronted with a set of questions that highlight the new legislative framework that is around them in a national sense, and that promotes a series of conversations across the institution.
Queensland University of Technology (QUT) said they had strengthened due diligence reviews, embedded checks in human resources recruitment processes and updated policies and procedures. CQU said in direct response to UFIT they had implemented several measures including a governance and risk framework; due diligence, communication and education to staff and students on foreign interference; knowledge sharing with certain government agencies; and development of cyber security.
Western Sydney University discussed the broader efforts made by the sector to mitigate against these risks and said:
Increasingly, universities are prepared to counter foreign influence in the higher education sector by being more prepared, using rigorous due diligence processes for international collaborations, smarter use of information, being cyber protected, using new methods to secure voice and data communication, and ensuring the rapid recovery of critical systems. The design of critical infrastructure in universities is resilient to intentional or accidental damage.
La Trobe University said as a result of the government restrictions, it could lead academics to form informal relationships with foreign universities, particularly in research, and these relationships would therefore not be captured by formal existing processes. La Trobe said informal arrangements were more likely to be arranged without involvement from the university risk offices and more likely to expose the particular universities to interference and unacceptable levels of risk.
Human Rights Watch critiqued the implementation of new policies and suggested several new policies for the sector. HRW recommended universities define the act of reporting on your fellow students or academics as a serious violation of the student code of conduct and grounds for disciplinary action. More broadly HRW called for universities to utilise blunt and plain speech to discuss issues of foreign interference on campus and implement clear policies. HRW recommended universities introducing the ability for students to submit their work anonymously.
A related issue to policy changes identified by the sector became the demarcation of particular study areas. This meant identifying which areas within a university should receive greater protections as it related to national security risks. In its submission, Charles Darwin University said:
Our research strengths, and most of our international research collaborations, are in the fields of environmental science and livelihoods, tropical and Indigenous health and social and public policy – areas of public good research for which risks of foreign interference, data theft and espionage are not considered to be high.
Innovative Research Universities said membership in talent programs was being managed through internal university risk processes and they had no evidence to indicate membership of the program was against Australian interests.
A common response from the sector was their participation in UFIT was sufficient to address the national security risks. Some universities provided submission they were already implementing appropriate systems in accordance with the UFIT guidelines, but provided little meaningful detail on how this was occurring. ECU said universities had extensive risk assessment and management processes to identify and mitigate these threats which were informed by the UFIT guidelines. Other universities did not reference their implementation of UFIT guidelines.
A common response from the Sector was UFIT was sufficient to address the national security risks and additional legislation could confuse or denigrate UFIT’s effectiveness. La Trobe University said:
Some of the latest government initiatives, such as the recent Foreign Relations legislation, seemingly ignore the UFIT process. This is part of a pattern of proliferation of government-imposed legislative requirements that are uncoordinated with each other or with the UFIT guidelines. This undermines the likelihood that this now significant edifice of legislative regulation will achieve its objective.
The German Rectors’ Conference (HRK), in their submission, praised Universities Australia and considered the measures taken by UA were appropriate for the risk context.
Structural improvements: Governance, audit and committees
Submissions discussed changes made to university governance structures and high-level committees designed to monitor and respond to these risks. This section takes a cross-section of these changes as provided in evidence to the Committee, which are broadly similar but each localised to their particular institution and context. ANU said universities had siloed processes and needed to do something that worked across the whole university. When discussing whether awareness was permeating throughout universities UTS said the key challenge was cultural and organisational change.
The Committee heard evidence that highlighted the often federated structure of universities. Adelaide University described the complex nature of these institutions and said:
Universities are large, complicated organisations. Mechanisms for administering new and complex compliance requirements, and the training of a large and diverse cohort of employees and students, takes time, thoughtful design and significant investment in systems, people and technology.
The University of Melbourne discussed their own structural improvements and outlined these to the Committee, saying:
The University of Melbourne is quite well advanced in embedding culture change and risk management from the top to the bottom of the university. We’ve been working with all of our faculty deans and heads of schools and institutes to deepen and embed a risk-aware mindset amongst our entire community. We have refreshed our training programs, supported by communication campaigns, and these are being launched to ensure that all university members are aware and reminded of and encouraged to identify and disclose potential risks as part of their professional scholarly mindset and practice.
The University of Sydney described their establishment of a ‘Research Risk Advisory Committee’ in 2019 and the creation of a ‘Manager, National Security and Export Controls’ position to assist the university on these topics.
La Trobe University said since the introduction of FITS they had instituted a number of procedures to ensure compliance with FITS. La Trobe said in 2020 they assigned a member of the La Trobe senior executive to ensure La Trobe was compliant with all legislative and other regulatory requirements. La Trobe said the second method FITS compliance was managed through was a corporate governance, audit and risk committee.
Western Sydney University also described their internal compliance measures undertaken for international agreements. WSU said risk assessments and ‘stringent due diligence processes’ were undertaken prior to entering into agreements with foreign institutions and regular reviews were undertaken of existing agreements. WSU said these processes were assisted by university legal and audit areas.
Griffith said their primary focus was ensuring they had fit-for-purpose governance, processes and capabilities to appropriate and proportionately manage any national security risks. Griffith said they had established a ‘cross institutional working group’ to undertake high-level assessments of international activities including research grants, commercial engagements, technology transfers, donations and other international partnerships. Griffith said governance processes and capabilities were appropriate, and proportionate, in addressing these issues.
University of Western Australia said they had established a committee of senior executive staff to oversee responses to foreign interference issues and priorities actions to strengthen UWA systems. UWA said they had then established a team from each major portfolio to implement the prioritised actions and created a single position to manage foreign interference risks.
UNSW said they had established a Division of Assurance and Planning as a result of the UFIT guidelines and the heightened national security environment. UNSW said they were strengthening risk management and due diligence policies. UNSW noted the value of increased engagement across the entire universities to consolidate and coordinate all policies, including topics like third-party engagements, gifts, cyber and sponsorship.
Monash University said they had established a Transparency and Integrity Committee to monitor Monash’s ability to counter foreign interference risks. Monash said this committee would recommend policy changes across the university. Monash also noted the existence of the Monash Research Office and University Council Audit and Risk subcommittee as additional bodies to assist in governance.
The University of Melbourne said their ‘Foreign Interference Working Group’ oversaw their efforts at developing university governance, risk management and mitigation measures. They said their ‘Research Due Diligence Advisory Group’ was used to review research due diligence processes and risks across the university.
ANU said the Foreign Interference Advisory Committee (FIAC) was the University’s decision-making body for all foreign interference matters. ANU said the FIAC had reviewed in excess of 300 engagements since September 2020 and rejected two new engagements due to concerns about a lack of institutional autonomy.
When asked about whether combined resources across institutional groupings could be beneficial, Monash University Vice-Chancellor (and Group of Eight Chair) Professor Margaret Gardner said:
I think trying to combine it in the Group of Eight might be beyond us, and we might not save money but actually spend more.
Education improvements: Awareness of national security risks
Submissions discussed general education and awareness within universities and the developing use of education campaigns for staff and students. WSU said they had mandatory training programs to enhance awareness of security risks from international partnerships. WSU said for researchers there was training and support offered to grow their capacity to identify and respond to foreign interference.
Several submissions argued in favour of increasing awareness of national security risks within the sector. The German Rectors’ Conference (HRK) wrote it was critical to raise awareness and build up knowledge within the sector. They recommended creating opportunities for exchange and cooperation on this topic.
UWA said they had conducted workshops on foreign interference risks to ‘deliver an accurate understanding of the foreign interference risks that impact most on UWA and how UWA is or is not controlling these risks currently’. UWA said they had commenced a program of foreign interference training appropriate to the needs of different parts of the university.
Monash University said they had developed mandatory online training for staff and students on topics such as: anti-fraud and corruption, cyber security, research integrity training, conflict of interest and export controls training.
The University of Melbourne said they were implementing training programs, including up-skilling staff to develop their ability to identify foreign interference risks. They said they were also launching a FITS Act online training module which would be compulsory to some staff.
Some submissions critiqued these education improvements in the sector with Mr Chen Yonglin recommending the introduction of a compulsory course on Australian values for international students from autocracies. Human Rights Watch recommended university lecturers ‘laying down the law’ at the beginning of classes with respect to threatening behaviour in classes.
Technical improvements: Cyber security policy and procedures
At a very technical level submissions discussed cyber security uplift programs they had implemented in recent years. Monash University said they had adopted the globally recognised industry cyber security framework, the ‘National Institute of Standards and Technology Cybersecurity Framework (NIST CSF)’. Monash said they were ISO 27001 certified for research platforms and infrastructure for the past eight years. Monash said they also actively shared information with the Australian Cyber Security Centre.
The University of Tasmania said at the ‘core’ of their cyber defences was their ‘Cyber Security Framework’ and associated roadmap. The University of Tasmania noted the value of Australian Signals Directorate (ASD) advice and suggested this be deepened.
The Australian National University (ANU) said they had implemented a five-year information security program in 2020 to ‘develop and operationalize world-class capabilities in cyber security’. ANU outlined their strategic vision for information security, including topics such as leadership, safety, trust and resilience. ANU said they now had grown their security workforce and created the Information Security Office to counter foreign interference and promote cyber security.
The Australian Technology Network of Universities said to improve cyber security, the AARNet Security Operations Centre had been established to provide Australian universities with capabilities to manage cyber incidents, including real-time monitoring and analysis. ATNU also noted the establishment of the Australian Higher Education Cybersecurity Service between AARNet, Council of Australasian University Directors of Information Technology (CAUDIT) and AusCERT. ATNU also noted the establishment of the RMIT Centre for Cyber Security Research and Innovation (CCSRI) on behalf of the higher education sector using a $1.6 million government security grant. ATNU also noted the Deakin University Centre for Cyber Security Research and Innovation (CSRI) which was involved in developing best practice guides with the Department of Home Affairs on protection of critical infrastructure, including from cyber vectors.
The University of Melbourne discussed their five year uplift program for cyber security and the ‘unique and complex cyber security risk profile’. They noted the large number of threat actors that routinely attacked university systems and noted while no institution in the sector was impervious to cyber security risks, steps could be taken, including at minimum those outlined in the UFIT guidelines. UQ said they had developed a ‘comprehensive cyber-security strategy’.
CSCRC suggested topics such as cyber security, data protection and IP protection should be treated more seriously. On this topic DESE said they had established an ‘Enhancing Cyber Security in Higher Education’ project to strengthen cyber resilience in the sector.
CSIRO said they had invested in their cyber security program including striving towards implementation of the Australian Government Protective Security Policy Framework (PSPF).
QUT said the August 2020 Australian Government Cyber Security Strategy put in place a ‘stronger defensive capability to provide protection for Australians from strategic threats’.
Who is best placed to address the risks?
The German Rectors’ Conference said that whilst the risks exist, the universities themselves were best-placed to identify and respond to these national security risks.
Universities have a clear picture not only of the opportunities and possibilities international partnerships present, but also the challenges and risks international cooperation may pose to the integrity of national structures. Due to profound changes in the global environment, there is certainly a stronger need in the higher education system for critical evaluation and orientation.
This was complemented by CQU who suggested the government note universities had the capacity to manage foreign interference risks. However this view was not shared widely across the sector. UNSW noted the ‘optimal procedure’ for addressing national security concerns to be through genuinely collaborative engagement between the sector and government on evidence-based policy, regulation and legislative change. the Australian Technology Network of Universities (ATNU), in collaboration with the University of Newcastle, submitted:
National security now and always has been, within the purview of the Government to both protect and enforce. As these considerations have developed, Australia’s university sector has been in lock step with the Government in fulfilling Australia’s needs.
ATNU went on to say ‘national security is vitally important in the face of current and emerging sophisticated threats to Australia. It is the responsibility of the government to set the standard in these matters’.