Critical Tech Supply Chain Risk Management: 'Know Your Researcher' Best Practices

Most intellectual property loss (i.e., trade secret theft) in the United States is not caused by nation-state espionage plots involving ninja-clad operatives rappelling from lab ceilings to steal America's critical technology and innovation. Instead, unwitting IP asset owners freely hand their secret sauce to competitors, or sometimes to foreign influence threat actors who redirect the "gifted knowledge" into military-civilian research programs that threaten national security.

What is the root cause of this high-risk phenomenon? A lack of risk awareness and due diligence practices that spans critical technology sectors.

IP asset owners often learn the risk of whom they are working with, or working for, only after their proprietary assets have been lost or stolen by an insider or outsider threat actor. Most innovators and inventors have not been trained to protect trade secrets from domestic competitors, and have certainly not been trained to detect and respond to advanced nation-state-sponsored competitive intelligence collection. "Know Your Researcher" best practices involve conducting due diligence on employees, external partners, and other supply chain stakeholders to identify IP risks and to inform the mitigation steps that significantly reduce the risk of intellectual property loss.

Based on the scope of technologies identified in the Critical and Emerging Technologies List Update, published by the White House Office of Science and Technology Policy (OSTP) in February 2024, thousands of companies with critical intellectual property assets are exposed to unmitigated insider and outsider risks. Research-focused companies and universities in critical technology sectors should implement risk management initiatives, including due diligence practices, to safeguard their intellectual property from misuse, loss, theft, and misappropriation.

The following critical and emerging technology areas are of particular importance to the national security of the United States:

• Advanced Computing

• Advanced Engineering Materials

• Advanced Gas Turbine Engine Technologies

• Advanced and Networked Sensing and Signature Management

• Advanced Manufacturing

• Artificial Intelligence

• Biotechnologies

• Clean Energy Generation and Storage

• Data Privacy, Data Security, and Cybersecurity Technologies

• Directed Energy

• Highly Automated, Autonomous, and Uncrewed Systems (UxS), and Robotics

• Human-Machine Interfaces

• Hypersonics

• Integrated Communication and Networking Technologies

• Positioning, Navigation, and Timing (PNT) Technologies

• Quantum Information and Enabling Technologies

• Semiconductors and Microelectronics

• Space Technologies and Systems

Typical Risk Scenario

Imagine you are the CEO of a start-up company developing advanced analytics software to assist teams at NASA and the U.S. Air Force in solving technical problems. As part of your early research process, you supplement your staffing by teaming up with a computer science professor from a distinguished research university who has the expertise and a graduate student pool to assist with the development project. Your company submits a research grant application and is awarded a Small Business Innovation Research (SBIR) grant to develop your software to meet the specific requirements of the U.S. Government. The Department of Defense (DoD) later discovers that the professor, a recognized global expert, has undisclosed research affiliations with foreign research universities that have direct ties to a high-risk military organization. The investigation determines that your company failed to conduct the necessary due diligence on the university researcher, jeopardizing your new SBIR-funded grant. How could this have been avoided? Your company should have built a "Know Your Researcher" risk management plan into its grant application process to identify problematic foreign affiliations among its supply chain partners before submitting.

"Know Your Researcher" Due Diligence

Due diligence is the process of investigating, or exercising the care, that a reasonable business or organization undertakes before entering into an agreement or contract with another party or performing an act to a certain standard of care. The "Know Your Researcher" due diligence concept focuses on investigating the backgrounds of the researchers, scientists, technicians, and other staff members working on critical technology programs to identify potentially risky foreign collaborations and relationships. The practice leverages open-source information, including published research papers and transcripts, patent applications, issued patents, and business registration data, to determine whether an employee, contractor, or external partner has a high-risk affiliation with a foreign influence or nation-state-sponsored threat actor. The findings inform security risk management decisions that protect the interests of employers and their supply chain partners, including state and federal research grant funding agencies and venture capital and private equity funders. Implementing a "Know Your Researcher" due diligence program reduces the risk of research security compliance findings, improves transparency in outside activity reporting, and strengthens an organization's insider threat and supply chain security programs.

SBIR | STTR Program Due Diligence

In 2023, the Small Business Administration (SBA) implemented new rules requiring federal agencies authorized to provide research grants to small companies and other organizations to conduct due diligence to protect federally funded research from exposure to foreign risks. The federal funding agencies, including the National Institutes of Health (NIH), the National Science Foundation (NSF), the Department of Energy (DOE), and the Department of Defense (DoD), require research grant recipients to certify that they conducted appropriate due diligence to confirm there are no foreign influence or foreign military risks in their workforce or supply chains. These requirements apply to Small Business Innovation Research (SBIR) and Small Business Technology Transfer (STTR) grants administered by federal agency customers. Founders and start-up leadership teams must implement due diligence and security screening practices to meet these more rigorous compliance requirements. In addition to examining the foreign affiliations of the listed principal investigators at the grant-awarded organization (i.e., the prime contractor), the due diligence process should cover all subcontractors, such as university researchers and other experts added to the project team.

Investment Due Diligence

Covert foreign capital on a cap table can sink the best of critical technology companies. Likewise, most investment portfolios managed by leading venture capital, private equity, and family office teams are vulnerable to hidden foreign influence risks. Conducting due diligence on existing portfolio companies and their supply chain partners can de-risk investments by reducing exposure to intellectual property theft by competitors and foreign influence threats. The firms providing the capital for early- and growth-stage companies are uniquely positioned to require the implementation of due diligence practices, insider threat programs, and other security controls to protect the underlying innovations and the investments made into the technology, teams, and intellectual property.

Relevant Indictment - A Cautionary Tale

In a press release on September 16, 2024, the U.S. Department of Justice provided summary details of an indictment against an individual who allegedly targeted critical technology using spear phishing. The indictment serves as a case study of the risks facing organizations working in critical technology sectors, risks that a due diligence process can reduce.

According to the indictment, Song Wu, a Chinese national, has been indicted on charges of wire fraud and aggravated identity theft arising from his efforts to fraudulently obtain computer software and source code created by the National Aeronautics and Space Administration (“NASA”), research universities, and private companies. Song allegedly engaged in a multi-year “spear phishing” email campaign in which he created email accounts to impersonate U.S.-based researchers and engineers and then used those imposter accounts to obtain specialized restricted or proprietary software used for aerospace engineering and computational fluid dynamics. This specialized software could be used for industrial and military applications, such as developing advanced tactical missiles, aerodynamic design, and weapons assessment.

In executing the scheme, Song allegedly sent spear phishing emails to individuals employed in positions with the United States government, including NASA, the U.S. Air Force, Navy, and Army, and the Federal Aviation Administration. Song also sent spear phishing emails to individuals employed in positions with major research universities in Georgia, Michigan, Massachusetts, Pennsylvania, Indiana, and Ohio, and with private sector companies that work in the aerospace field. Song's spear phishing emails appeared to the targeted victims as having been sent by a colleague, associate, friend, or other person in the research or engineering community. His emails requested that the targeted victim send or make available source code or software to which Song believed the targeted victim had access.
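The mechanism the indictment describes, a familiar display name on an account the colleague does not actually use, followed by a request for source code or software, is something an inbound-mail check can look for before a human decides whether to share. The Python below is an added example written for this article; it is not code from the article, from IPTalons, or from the case. The directory of known senders, the webmail domain list, and the three messages are all constructed for the demonstration, and the domains are placeholders, not real institutions.

```python
"""Flag display-name impersonation in inbound researcher mail.

Added example for this article; it is not code from the article, from
IPTalons, or from the indictment. The sender directory, the webmail list
and the three messages below are all constructed for the demonstration.
"""
import re
import unicodedata
from email.utils import parseaddr

# Constructed directory of known collaborators: normalized name -> the
# domains that person actually sends from.
KNOWN_SENDERS = {
    "jane doe": {"example-university.edu"},
    "r. smith": {"nasa-lab.example.gov"},
}

# Constructed set of free webmail domains. A colleague at one of the
# institutions above would not request restricted software from one.
FREE_MAIL = {"gmail.com", "outlook.com", "yahoo.com", "163.com", "qq.com"}

# Words that turn a mismatched sender into a high-priority alert: the
# indictment describes requests for source code and specialized software.
CODE_REQUEST = re.compile(
    r"\b(?:source code|software|binar(?:y|ies)|executable|repository)\b", re.I
)


def normalize_name(name: str) -> str:
    """Fold 'Jane  Doe', 'JANE DOE' and 'Doe, Jane' to 'jane doe' so a
    directory lookup is not defeated by trivial display-name variation."""
    name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    name = name.lower()
    if "," in name:                       # "Doe, Jane" -> "jane doe"
        last, first = name.split(",", 1)
        name = f"{first} {last}"
    return re.sub(r"[^a-z0-9.]+", " ", name).strip()


def sender_domain(addr: str) -> str:
    """Domain part of an address, lower-cased; '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def assess(message: dict) -> list:
    """Return the reasons this message looks like sender impersonation.

    message carries 'From', optional 'Reply-To' and 'Body'. An empty list
    means these checks found nothing suspicious.
    """
    reasons = []
    display, addr = parseaddr(message.get("From", ""))
    domain = sender_domain(addr)
    expected = KNOWN_SENDERS.get(normalize_name(display))
    if expected and domain not in expected:
        reasons.append(
            f"display name '{display}' matches a known colleague but "
            f"'{domain}' is not one of their domains {sorted(expected)}"
        )
    if domain in FREE_MAIL:
        reasons.append(f"sender domain '{domain}' is free webmail")
    _, reply_to = parseaddr(message.get("Reply-To", ""))
    if reply_to and sender_domain(reply_to) != domain:
        reasons.append(
            f"Reply-To domain '{sender_domain(reply_to)}' differs from From"
        )
    # A code/software request only matters once the sender already looks off.
    if reasons and CODE_REQUEST.search(message.get("Body", "")):
        reasons.append("message requests source code or software")
    return reasons


# Constructed sample messages; none of these addresses is real.
LEGIT = {
    "From": "Jane Doe <jdoe@example-university.edu>",
    "Body": "Are you still coming to the workshop next month?",
}
IMPOSTER = {
    "From": "Jane Doe <jane.doe.research@gmail.com>",
    "Body": "Could you send me the source code for the CFD solver?",
}
HIJACKED_REPLY = {
    "From": "R. Smith <rsmith@nasa-lab.example.gov>",
    "Reply-To": "rsmith.nasa@163.com",
    "Body": "Please make the aerodynamics software available to me.",
}

if __name__ == "__main__":
    for label, msg in [("legit", LEGIT), ("imposter", IMPOSTER),
                       ("hijacked reply-to", HIJACKED_REPLY)]:
        print(f"{label}: {assess(msg) or 'clean'}")
```

The check deliberately keys on the display name, because that is what the victims in the indictment saw; a sender directory populated from your own collaborator list (the same list a "Know Your Researcher" program maintains) is what makes the mismatch visible. The Reply-To comparison catches the variant where the From address is legitimate-looking but replies are routed elsewhere.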

The tactics described in the indictment show the risk of not knowing with whom you are sharing information: the requests appeared to come from trusted colleagues. The federal agencies and research universities mentioned in the indictment would benefit from implementing "Know Your Researcher" due diligence practices.

Editorial Note: This article is part of a "Know Your Researcher" awareness campaign series being offered by IPTalons in emerging start-up hubs like Austin, Houston, and Dallas (Texas), Bentonville (Arkansas), Huntsville (Alabama), and Knoxville (Tennessee). Please feel free to contact IPTalons for more information.
