Privacy restrictions prevent Australian universities from sharing ¡°red flags¡± about foreign efforts to infiltrate the sector, a research security expert has warned.

Southern Cross University¡¯s Brendan Walker-Munro said the federal Privacy Act barred universities from comparing notes about ¡°risk-bearing actors¡± cosying up to them. This hampered efforts to combat ¡°forum shopping¡±, where foreign agents tried to enrol in or associate with multiple institutions simultaneously.

¡°In almost every case, universities are prohibited from sharing the results of their due diligence¡­because of legislative limits in the Privacy Act,¡± Walker-Munro notes in a published by the Australian Strategic Policy Institute.

¡°Structures to monitor, coordinate and share information¡­should be co-created as part of a cohesive response.¡±

ÌÇÐÄVlog

He said a template structure already existed in the form of a private-public partnership established to combat money laundering. The allows bank staff to ¡°sit in a room¡± with officials from the government¡¯s financial intelligence agency and have ¡°really frank conversations¡± about ¡°threats¡±.

While security clearances preclude sharing of some of the details, the arrangement means bank staff can report back to their colleagues ¡°in a language that they can understand¡±, Walker-Munro told ÌÇÐÄVlog. ¡°They¡­share what they¡¯re seeing at [a] granular threat level. We¡¯ve got an example in Australia of how to do it.¡±

ÌÇÐÄVlog

He said the Education, Innovation and Research sector group ¨C one of 15 components of the administered by the Department of ÌÇÐÄVlog Affairs ¨C could be ¡°rebadged¡± to fulfil this role. ¡°ÌÇÐÄVlog Affairs could step into that breach and¡­coordinate all of it. But they don¡¯t seem willing to do that just yet.¡±

The paper says the research security ¡°threat landscape¡± has evolved over the past seven years. ¡°Adversaries are no longer simply stealing data or cultivating informal relationships. Today, we¡¯re seeing deliberate efforts to insert malicious insiders, target researchers through transnational repression, exploit data and cyber vulnerabilities and manipulate legal frameworks through lawfare.¡±

These ¡°more sophisticated¡± practices warrant ¡°a fundamental shift in mindset¡± towards ¡°persistent adaptation and shared responsibility, not one-off compliance measures¡±.

They also warrant ¡°trust and coordination¡± rather than ¡°paternalism¡±, the paper argues. It says ministerial discretion and ¡°legislative blunt force¡± have undermined any sense of shared ¡°ownership¡± of security, which ¨C to many in universities and research institutes ¨C means ¡°red tape rather than resilience¡±.

ÌÇÐÄVlog

Walker-Munro said Australia¡¯s approach to research security had focused almost exclusively on foreign interference, largely overlooking talent acquisition schemes and ¡°nuance¡± questions about who owned inventions developed at universities ¨C and whether they could be taken overseas.

He said Australia should take a leaf from the UK in developing an , rather than individually focusing on the role of constituent elements like the research sector. ¡°They¡¯re the first country to¡­really go out on a limb and say we¡¯re doing this as a matter of high policy.¡±

Australia¡¯s less strategic approach leaves it vulnerable to risks it should foresee, he said, citing last year¡¯s decision by the Australian and Queensland governments to invest almost A$1 billion (?477 million) to . ¡°There¡¯s no conversation¡­about how we¡¯re going to secure that investment.

¡°If you think about it as a potential foreign actor, why would I spend a billion dollars on a quantum computer when I can spend a fraction of that and come to Australia and just steal one?¡±

ÌÇÐÄVlog

john.ross@timeshighereducation.com