In today’s rapidly evolving digital landscape, there has been increase in cyber-attacks, targeting Canadian research, and intellectual property, resulting in stolen work and unauthorized patent filings. Sensitive technology research areas are targeted, with the stolen information being used in ways that threatened Canada’s national security [9].
Cyberattacks on Canadian Research
As a leader in advanced research, Canadian-led research can be an attractive target for those seeking to steal, use and adapt this research for their own priorities and gains. Theft of proprietary information derived from research laboratories is a cost-efficient way for foreign actors to bypass the lengthy and expensive process of domestic research and development. Some countries view academia and associated research and innovation as an opportunity to advance their own economic objectives, using espionage and other illicit means [7].
The targeting of Canadian research is not an isolated phenomenon. Espionage campaigns, particularly those focused on dual-use technologies, have been on the rise [9]. Fields such as artificial intelligence, biotechnology, quantum computing, and genetic engineering—which have both civilian and military applications—are especially attractive to hostile foreign entities [3]. Sensitive research and its resulting technologies could be used to advance a foreign state’s military, intelligence, or surveillance capabilities. Cyber criminals and nation-states frequently conduct spear-phishing campaigns and ransomware attacks to extract this valuable information from laboratories and research institutions [7]. As highlighted by the Canadian Centre for Cybersecurity, ransomware continues to be the most disruptive threat to Canadian organizations, including laboratories; with attackers often leveraging phishing and insider threats to gain access to sensitive research [9].
Policy Response: Safeguarding Sensitive Technology Research
In response to this growing threat landscape, the Government of Canada has taken a proactive step to protect the nation’s research environment. A key part of this strategy is the Policy on Sensitive Technology Research and Affiliations of Concern (STRAC), which came into effect on May 1, 2024. This forward-thinking policy is designed to prevent unauthorized access to Canadian research that could compromise national security [3].
STRAC focuses on advanced and emerging technologies of importance to Canadian research and development, which are also of interest to hostile foreign states and state-sponsored actors. These technologies include fields such as artificial intelligence, cryptography, human-machine integration, quantum science, robotics, and medical innovations. Under the policy, federal research grant and funding applications involving sensitive technology research, will not be funded if any of the researchers are affiliated with organizations and institutions posing national security risks, referred to as Named Research Organization (NRO) [3].
To assist researchers, the Government of Canada has published two key lists:
• Sensitive Technology Research Area List: This list identifies advanced and emerging technologies critical to Canadian research and development that are also of interest to hostile foreign-states and state-sponsored actors. Examples include artificial intelligence, machine learning, cybersecurity, biotechnology, and medical technology [4].
• Named Research Organization (NRO) List: This list includes organizations and institutions linked to foreign military, defense, or state security entities, that pose the highest risk to Canada’s national security [5].
Strengthening Canada’s Research Security: A Multi-Faceted Approach
In addition to the STRAC policy, the Government of Canada has also developed tools and resources for researchers to safeguard their research:
- The Safeguarding Your Research Portal provides detailed guidance on research security, offering resources such as training courses and risk mitigation strategies. These resources help researchers understand the evolving cyber threat landscape and adopt best practices in cybersecurity [1].
- Training Courses:
- Introduction to Research Security: This course introduces the importance of protecting research in today’s global environment [1].
- Cybersecurity for Researchers: This course offers an overview of the cyber threat landscape, emphasizing good cyber hygiene practices for securely handling, storing, and transmitting sensitive research data [1].
- Safeguarding Research Partnerships with Open-Source Due Diligence: This course teaches researchers how to use open-source methods to vet potential partners and ensure they align with the project’s objectives [1].
- The National Security Guidelines for Research Partnerships (NSGRP) require researchers to develop and implement risk mitigation plans for their projects [2]. These plans outline measures to minimize national security risks, ensure partners’ motivations align with the research objectives, and apply sound cybersecurity and data management practices [6].
A Call to Action for Research Institutions
The Cyber Centre for Cybersecurity advice all critical infrastructure network owners, including those responsible for laboratory networks, to take several key measures to protect their systems against cyber threats [8]:
- Train employes and students on cybersecurity best practices
- Implement multi-factor authentication (MFA)
- Use access control systems, back up data, and install security software such as firewalls and anti-virus programs.
- Regularly update and patch devices and software to address vulnerabilities.
Looking Ahead
The protection of Canadian research is no longer just an academic concern; it is a matter of national security. Policies like STRAC, combined with enhanced awareness, and strong cybersecurity best practices are helping Canada strengthen its defenses against the growing number of cyberattacks targeting research institutions.
References
- Government of Canada. 2022. Safeguarding your research.
https://science.gc.ca/site/science/en/safeguarding-your-research - Government of Canada 2022. National Security Guidelines for Research Partnerships
https://science.gc.ca/site/science/en/safeguarding-your-research/guidelines-and-tools-implement-research-security/national-security-guidelines-research-partnerships - Government of Canada. 2024. Sensitive Technology Research and Affiliations of Concern
https://science.gc.ca/site/science/en/safeguarding-your-research/guidelines-and-tools-implement-research-security/sensitive-technology-research-and-affiliations-concern/policy-sensitive-technology-research-and-affiliations-concern - Government of Canada. 2024. Sensitive Technology Research Areas
https://science.gc.ca/site/science/en/safeguarding-your-research/guidelines-and-tools-implement-research-security/sensitive-technology-research-and-affiliations-concern/sensitive-technology-research-areas - Government of Canada. 2024. Named Research Organization
https://science.gc.ca/site/science/en/safeguarding-your-research/guidelines-and-tools-implement-research-security/sensitive-technology-research-and-affiliations-concern/named-research-organizations - Government of Canada. 2023. Mitigating Your Research Security Risks
https://science.gc.ca/site/science/en/safeguarding-your-research/guidelines-and-tools-implement-research-security/mitigating-your-research-security-risks - Government of Canada; Canadian Centre for Cyber Security 2024. The cyber threat to research laboratories.
https://www.cyber.gc.ca/en/guidance/cyber-threat-research-laboratories - Government of Canada; Canadian Centre for Cyber Security. 2024. Security considerations for research and development organizations
https://www.cyber.gc.ca/en/guidance/security-considerations-research-and-development-itsap00130 - Government of Canada; Canadian Centre for Cyber Security 2023. National Cyber Threat Assessment
https://www.cyber.gc.ca/sites/default/files/ncta-2023-24-web.pdf - Image Source: Research Security: Safeguarding your Research, University of Windsor
Amazing work Cynthia, so well documented. Safeguarding Canadian Research is core to safeguarding national security. Canadian Research Network has to protect years of hard work by our Scientists working towards our next gen technology, healthcare, aerospace, electrical enhancements. Adversaries will continue to attack this critical infrastructure with their most sophisticated weapons, so does our defence against such adversaries needs to step up. You have rightly pointed out the need to train students, employees and instil security mindset, threat detection, as we all know this is a culture to be cybersecurity aware. Even if have the best intrusion prevention systems deployed, and one of our own is compromised then there is potential for the entire system to fail, hence its a collective responsibility to safeguard our research.
Blog well written, Cynthia. In today’s world, cybersecurity attacks have become a significant issue for everyone, especially when dual-use technologies are at risk. The potential damage from these attacks can be devastating for any nation, affecting both civilian and military sectors. This makes it crucial to train the next generation of students and employees to recognize and prevent these threats. It’s reassuring to see that the Canadian government has taken proactive measures, such as the Policy on Sensitive Technology Research (STRAC) and the implementation of the National Security Guidelines for Research Partnerships, to safeguard research and ensure that future innovations are protected from misuse.
A very informative post! I believe the hackers consider academic and research organizations to be attractive targets since they have large pockets to pay ransom and contain valuable data that can be sold. This is why we must be vigilant and proactive. Embedding security awareness and policy measures can help to create a cybersecurity culture and protect organizations’ valuable data and reputations. It is also critical to incorporate cybersecurity training into everyone’s daily routine in order to combat cybercrime.
Great informative article Cynthia, data privacy and knowledge protection are key topics in cyber security. In addition to the research protection and the governance guidelines, two trending factors exacerbate the data privacy dilemma. First, is the modern research collaboration solution on the “Cloud” (e.g., Snowflake, Palantir, etc.). These solutions provide astonishing data exchange and analytical tools that allow researchers to access global data sets in specific domains. For instance, in 2020 and precisely during COVID-19, the race to understand the virus and how it behaves was crucial to the researchers who were keen on having data from all over the globe to link the symptoms of that disease and present a cure [1]. Secondly, the rapid emergence of Artificial Intelligence (AI) and data analytical tools added more challenges to data privacy and knowledge protection, especially the intelligence in some cases demands exposing or disclosing research ideas or classified data [2].
[1] https://health.google.com/covid-19/open-data/
[2] https://hai.stanford.edu/news/privacy-ai-era-how-do-we-protect-our-personal-information
Well, I personally found this blog post about securing Canadian research from cyber threats to be incredibly insightful. The increase in potential threats targeting sensitive information by bad actors is concerning, and it is good to see that the Canadian government is taking action to prevent these unethical activities.
The introduction of STRAC policy is important because it focuses on most important technologies like artificial intelligence, quantum computing, genetic engineering and biotechnology. These are key areas where data breaches could have severe national security implications. Researchers get clear guidance on risks with the introduction of the Sensitive Technology Research Area List and the Named Research Organization List. While government policies are crucial and the government is doing it’s best to protect the system, individual researchers and organizations must also play their role to safeguard sensitive research information by using a Multi-Faceted approach.
Very interesting post, Cynthia! When we think about increasing security networks, we mostly steer toward the realm of technology and industry but often forget to account for the field of research where novel ideas are continually worked on by scientists for many years making this field an attractive target.
In such instances, it is critical to implement training programs and courses that educate employees and students on best cyber security practices, as you mentioned. Unfortunately, during my time conducting research, no measures were taken to educate students and researchers on safe attack prevention systems. Oftentimes, lab data is distributed to all members of the lab making it easy for attackers to gain access by simply gaining access to one member’s system. As such, emphasizing strong defense mechanisms to safeguard Canadian research remains of vital importance as we move forward.
Fantastic post, Cynthia! Your work is a timely and perceptive response to a pressing problem that the country’s research community is currently experiencing. The careful balancing act between protecting our intellectual property and encouraging transparent collaboration is brought to more light by your research.
Great work thanks for sharing this is a very insightful topic because it draws our attention more to the research institute because that’s where all the works, ideas and inventions starts from, which means we need to pay more attention to protecting data and assets by improving the cybersecurity measures and even going forward as well in training the staffs and students in the research industries on how they can safeguard their information from cyber criminals.