In response to the spate of cyber attacks on Australian Universities in recent months, the government has released a set of guidelines with the intention of helping Australian universities protect themselves against foreign interference.
The University Foreign Interference Taskforce, assembled at the end of August 2019, has released the Guidelines to Counter Foreign Interference in the Australian University Sector.
The guidelines covered areas including governance and risk frameworks, due diligence, communication and education, knowledge sharing and cyber security.
The Due Diligence guideline, in particular, dictates the manner in which universities should partner with other bodies, including vendors. It expresses the requirement for universities to know their partners and the associated risks of foreign interference.
While international collaboration is not discouraged, the nature and purpose of the partnership should be transparent and prevent posing harm to Australia’s interests.
“It is not in Australia’s interests to withdraw or pull back from global collaborations,” said Catriona Jackson, Chief Executive of Universities Australia.
“I think you’ll find the final guidelines will telegraph the Australian university sector’s clear determination to rebuff foreign interference, without damaging the openness and global engagement that are pivotal to Australia’s strengths and values.”
The guidelines acknowledge the nature of much international collaboration including Australian universities is often informal, involving dialogue and information exchange between individual staff. This exercise of core values, such as freedom of enquiry, is to be supported.
When conducting formal arrangements with other universities or companies, the institution is required to carry out due diligence including:
- Inquiry into the partner’s past activities
- The sectors it operates in
- The beneficial owners
- The commercial and ethical standing of its governing body
The guidelines suggest that universities should ask the following questions as part of their due diligence:
- To the extent that it is reasonable for a university to determine, do partners or their associates have relevant research backgrounds, is their organisation reputable, and are reasonable background checks conducted for new people working on a project?
- What information or advice is available from government to assist?
- What elements of the activity need to be scoped differently as a result of the partnership and if so, do the benefits outweigh the risks?
- What are the partner entity’s relationships with foreign governments, political parties and related entities and individuals? Are these appropriately disclosed, for example is the information available to the public through a website or register such as the Foreign Influence Transparency Scheme register?
While these guidelines are written for higher education bodies, the implications for vendors, independent research bodies and other third parties should be considered and planned for.
In response to the guidelines, organisations and companies considering partnering with universities should be prepared with complete historical transparency and willingness to cooperate with education institutions.
The Cyber Security for Higher Education conference, running in Sydney from 24 – 25 March 2020, has been designed to help you better protect your institution. Bringing together heads of information security, cyber and IT, this is your opportunity to learn from your industry colleagues and field experts to better understand how to improve human resilience to and implement better solutions against the latest cyber threats.