Reducing risk to secure UK advanced materials innovation
The UK Centre for the Protection of National Infrastructure emphasises the importance of protecting your ideas, information and techniques as certain states target advanced materials innovation.
The UK currently faces an acute threat from a range of state actors. These state threats take many forms, some of which are more obvious than others, such as theft of intellectual property. For many businesses and academics, the implications and relevance of these threats can be difficult to perceive. Why, after all, would a state be interested in your company or the exciting, but perhaps niche, research that you are undertaking? Surely, states spying on other states is just the business of governments? Increasingly, that is far from the truth. We are now seeing some states mobilise every aspect of society over which they have influence in support of their aims and objectives.
The UK advanced materials and manufacturing sector is a UK success story and a critical driver of innovation and new technology. It offers considerable benefit to the defence and security of the UK, particularly within the areas of aerospace and maritime. It is also well placed to meet the Department of Business, Energy & Industrial Strategy’s (BEIS) enterprise, business, net-zero and innovation (ENZI) goals. While that is of significant benefit to the UK and its economic growth, what might it mean to a state with differing motives and agendas?
Certain states are attempting to steal cutting-edge research and innovation to fast-track their own technology capability for economic, political, or military gain. They target companies of all sizes and at every Technology Readiness Level to achieve their aims.
You may not consider your technology to be valuable to another state, but a hostile actor may see things differently and will try to target you and your company if it helps them get ahead. States will use not only cyber, but also human and technical capabilities to steal your ideas, information and techniques.
Organisations or individuals backed by these states, such as investors, advanced materials companies or research institutes, may be compelled by state legislation or other pressures to subvert legitimate business collaborations and transactions to obtain confidential business information. This could include intellectual property, research data, financial information, and information on your customers or suppliers.
Writing in MI5’s 2021 annual threat update, Director General Ken McCallum warned that such a situation was very possible. “We see the UK’s brilliant universities and researchers having their discoveries stolen or copied; we see businesses hollowed out by the loss of advantage they’ve worked painstakingly to build. Given half a chance, hostile actors will short-circuit years of patient British research or investment. This is happening at scale – and it affects us all. UK jobs, UK public services, UK futures.”
The importance of research and innovation
In a challenging landscape, the UK Government recognises the importance of emerging technology to the UK’s prosperity and security. In early 2021, the government launched the Advanced Research and Innovation Agency, backed by £800mln of government funding. The Integrated Review of Security, Defence, Development and Foreign Policy put research and innovation firmly at the core of the government’s agenda.
Then, in June 2021, the Prime Minister announced the creation of a new National Science and Technology Council to provide strategic direction on the use of science and technology for public good and cement the UK’s place as a global science superpower. The Office for Science and Technology Strategy has been created to inform and deliver the vision of the Council, including to drive strategic direction-making on the technologies the UK needs to own, collaborate on and access.
Off the back of these developments, in January 2022, the National Security and Investment Act came into force to give businesses and investors the certainty and transparency they need to do business in the UK while protecting the country’s national security.
Advanced materials is one of the 17 sensitive areas of the economy where investors are legally required to notify the government of investments in some circumstances. Specific guidance on the Act is available at gov.uk and the Investment Security Unit (part of BEIS) can answer questions or discuss specific transactions with you.
Protecting your business and UK security
Further help is at hand. The Centre for the Protection of National Infrastructure (CPNI) and the National Cyber Security Centre (NCSC) have created two campaigns aimed at supporting UK research and innovation. ‘Trusted Research’ is for academia and ‘Secure Innovation’ is aimed at the start-ups and spin-outs that come from universities.
The guidance below will help you protect your valuable assets and the steps you can take are an extension of good business practice and are not costly.
Where to start? Know your assets
Our starting point for businesses is to identify and protect their most valuable assets early on. What are your trade secrets? Which of your advanced materials ideas, information and techniques would you not want to get into the hands of your competitor? Could your technology be misused if it got into the wrong hands?
Once this has been established, put measures in place to ensure this information remains secret. Build security into your business’s environment. We recommend the same for academia – identify what is sensitive and could be open to misuse and protect it.
Know your partners
To get the most out of your collaboration with partners, we strongly recommend you look into the source of their funds and whether they are acting on behalf of anyone else. Your due diligence does not have to be expensive or time-consuming. A search on the internet could tell you if they are sponsored by another state or linked to a foreign military. Is your partner subject to any export controls or sanctions, or the sanctions of export control regimes or other countries, especially those with whom you are doing business? If they are, this could leave you at risk. Are you aware of how partnering with particular investors may affect your global business and long-term intentions?
Timing matters. The mitigations that you decide on will be most effective if they are put in place prior to any in-depth engagement with your partners, and almost certainly before any transactions are finalised.
Working with academia
International collaboration plays a vital role in UK research and innovation progress in advanced materials. If you are working with UK academia, there are steps you can take jointly to protect your commercially sensitive information, research data and people. The most suitable strategy for your research portfolio will depend on the nature of your business and the sensitivity of your research.
Talk to research partners about the most appropriate way to protect the research on specific projects. You may seek to mitigate any risks by using robust pre-planned framework agreements with a small number of strategically selected partners, for example. An alternative approach could be to work with a range of research partners, ensuring that none of them has full access to the entirety of the data or research.
You may also want to think about who else your research partners are working with. It can be helpful to outline what constitutes a conflict of interest through your contract or agreement with the university, for example. You may also wish to consider whether individual researchers working on your projects should notify you or seek agreement, especially when undertaking external work within the same or a related field of research.
How might this look in practice?
Critical to the success of a university with long-established research relationships was having regular interactions with their partners, usually on a quarterly basis. To mitigate security risks, they ensured that security was a standing item for discussion at these meetings.
As the research sponsors were engaged in a long-term funding relationship, there were opportunities to consult early and often on new areas of research. These discussions gave confidence to the research partners that the research was safe from theft or misuse. When it came to publishing, the university had an agreement with sponsors that they would be consulted on the content of the papers and have a set process for arbitrating conflicts around sensitive material.
The open and transparent relationship included talking about who was working on a project, changes to personnel, and any visiting research fellows working on closely related topics. This ongoing dialogue extended to IT/network security and data protection and was an opportunity to discuss how the sponsor’s data and information was protected and held.
If you are working with overseas partners, know their data laws and national security laws, particularly if you are sharing data or travelling overseas. The parties that you choose to do business with may not follow the same rules of law. Some countries require domestic businesses to cooperate with their security services, and this could include sharing data from your company. This should not always be a barrier to you doing business. However, any decision you make should be well-informed with an awareness of the security risks.
In the venture capital industry, the term ‘unicorn’ is used to describe a start-up company with a value over $1bln. The UK is third in the world for technology unicorns with 77 companies, behind only the US and China.
Source: The 2020 Tech Nation Report, UK Tech for a Changing World
How might this look in practice?
A large, advanced materials company was in talks with a foreign company to invest in the manufacturing of its goods.
The investing company’s country of origin could be considered a hostile environment, with strong state intervention and a publicly stated intention to develop its capabilities in the company’s specialist area. With the company beholden to the state’s laws, there was a chance it could be placed in a compromising situation.
To protect its long-term competitive advantage while minimising short-term operating costs, the company ring-fenced all sensitive knowledge, research and development in its home state, while only procuring investment in parts of its manufacturing business.
Good governance is key to helping you gain an awareness of the risks to your business and to put in place measures to deal with those risks. We recommend leadership from the top by identifying a security lead at board level to ensure that security is embedded at key decision points. This lead can set the tone for a positive security culture throughout the business.
Protect your people
If you are a start-up, you will bring in new people and talent into your business as you grow. You need to trust and protect your workforce, to protect your valuable assets and information and to report potential security incidents. Create an environment in which people are confident they can speak openly. Fostering a healthy security culture will make your organisation even stronger. You may consider conducting a role-based security risk assessment to keep your security measures proportionate and effective.
We also recommend you screen potential employees who will have access to your critical assets. Providing ongoing security training for all employees will also help to maintain your security culture.
Prepare your staff to detect and report suspected phishing
Competition to succeed in advanced materials can be intense. Following these measures will have wider commercial benefits. They will help you to protect your technology, your competitive advantage, and your reputation. State threats pose a terminal risk to advanced material companies. Protect your value. For more information, visit www.cpni.gov.uk.
This article has been prepared by CPNI and is intended as general guidance only and you should not rely on it. This document is provided on an information basis only, and while CPNI has used all reasonable care in producing it, CPNI provides no warranty as to its accuracy or completeness.
To the fullest extent permitted by law, CPNI accepts no liability whatsoever for any expense, liability, loss, damage, claim or proceedings incurred or arising as a result of any error or omission in the report or arising from any person acting, refraining from acting, relying upon or otherwise using the report. You should make your own judgment with regard to the use of this document and seek independent professional advice on your particular circumstances.