Maritime and Trade Talk | EP12: Oil Price Cap - Implications for Trade and Shipping Risk

Ravi Amin

Welcome to the Maritime and Trade Talk podcast brought to you by S&P Global, and we will be discussing the impact of the U.S. Government Accountability Office's reports regarding export control compliance at U.S. universities and how they want to promote awareness of the risks involved in sensitive technology transfers and the exports of specific items that could be classed as dual-use, military or sanctioned and how U.S. regulators are going to work more closely with the universities to align these compliance programs.

My name is Ravi Amin. I work for S&P Global within the Global Intelligence and Analytics division. I am a trade compliance expert, and I have more than 7 years' experience providing expertise and knowledge around regional export control regulations, trade sanctions, vessel compliance and behaviors and then also know-your-customer and know-your-customer's-customer information as well.

I would like to introduce Dr. Ian Stewart. Ian, can you introduce yourself and then give a background on your kind of professional career if that's okay, please?

Dr. Ian J Stewart

Sure. So I'm Ian Stewart. I'm currently Executive Director of the -- sorry for the long name, James Martin Center for Nonproliferation Studies. Our research institute focused on nonproliferation export control type stuff with middle-grade college and more specifically, middle-grade institute for international studies based in Monterey, California.

So that makes me a researcher, but I'm a bit unusual because my background is sort of export control practitioner and government. And also before joining CNS, I was with King's College London, where I ran a research and outreach program on export control. So I've been working in this sphere for 15 years or so and working with universities and export controllers as a central part of that.

Ravi Amin

All right. Thanks very much, Ian. So if we kind of start with the recommendations of the report that came out. Ian, can you provide kind of a deeper analysis of the documentation and potentially how it could be implemented going forward?

Dr. Ian J Stewart

Yes, sure. I see this -- the GAO report in sort of the broader context. And the question of university implementation of, I'm going to say export controls, but actually, it's more than that, and I think we will spend time talking about this, but it's like the hot-button issue at present. But the China point is really key here. And whilst there is some concern about other countries, all things export controls in the U.S. right now are mostly China, and I guess this last year, also Russia. But it's the China challenge. And we -- I see -- so I sit in Washington, D.C., and I see how much pressure BIS, but also the other government agencies are under on technology transfer issues to China. And I can speak to some specific examples where that sort of really come to the fore recently.

But this report sort of gets to the number of the issue, which is there's been a general sense for years now, both in the U.S. and abroad that it's universities that are -- they're often called the soft underbelly of technology control issues. And with the direction of U.S. relations with China, great power competition, otherwise known as strategic competition, we can talk more about that.

But really, what we see is a really significant focus across U.S. government on the China challenge, and that's sort of manifesting itself through the need to engage universities. And to talk more specifically to that, the whole focus on emerging technologies or emerging and foundational technologies that we've seen in the last few years going back to the National Defense Authorization Act of 2018. That showed that at the height of this, Congress, amongst others, is pushing the administration to do something. In that case, they're pushing the administration to define what technologies to subject to control. But in addition to setting new controls for technologies, I think there's a broad feeling that there's more work to be done with universities in terms of implementation.

So that's the U.S. aspect of this. But let me just say, this isn't just the U.S. I mentioned that a lot of the work I've done on this was done in the U.K. where the background there was that it was not the case that export controls weren't applied to universities. But in practice, most universities were not implementing export controls and government had sort of made clear that their expectations was quite low with regard to export controls.

That's changed. That's changed dramatically. And in the U.K., we've seen the government almost move to try to prosecute some universities, not quite got there yet. I can say more about that, people are interested. And then across the whole of the EU, there's new compliance guidance, export-controlled guidance for universities with the expectation that all of the EU member states now start to work with and sort of really push the issue of implementation of controls in the university setting.

So this is sort of broader than a U.S. challenge, but I think very much driven by the China point, the concern about China using effectively every means available to it to acquire strategic technologies. And with the particular focus on emerging and foundational technologies, a view that it's from universities of what can get those technologies. And therefore, it's universities that needs to be engaged, and engage is sort of a euphemism for friendly engagement, but everything also through to enforcement actions and so on and so on.

So that's the broader context of the report as I see it. The report does make specific recommendations, including on the type of thing that BIS should be doing. But actually, we've seen that BIS has proactively started a new initiative for engagement of universities on export control issues. They're building this into their program of work. And it's been interesting talking to some of those people involved in that.

Actually, the U.S. more broadly is really focused on this effort. And I'm involved in other programs for the U.S., working with foreign governments to do the same thing. So there's a sort of a strong viewpoint that U.S. universities shouldn't be singled out even though U.S. controls are obviously quite unique. And we'll -- I guess we might talk a bit about ITAR, but especially the deemed export control points do make the U.S. approach unique and a bit different. But there is an effort to maintain some form of level playing field, I think.

Ravi Amin

Yes. Okay. And I guess I have a follow-up on that or maybe a follow-up question. How viable is it that universities in general, can stay on top of all of the regulations that are coming out, not just specifically export control regulations, but specific trade sanctions against countries such as that on China and then, obviously, Russia being the massive one, right? Almost everything gets controlled for exports from Russia. So how viable, how realistic is it that universities can stay on top of all of those changes, which, in some cases, are ad hoc and are on a kind of day-to-day basis and then others, I guess, are more periodic than that in your opinion?

Dr. Ian J Stewart

There's a lot there to unpack. My gut feel is that the China challenge for universities is larger and much more significant than the Russia challenge, I have to say. I guess there would have been difficult days in the last year if there's specific cooperation that's going on.

Actually, if you look at the totality of U.S. university engagement with China versus U.S. university engagement with Russia, the China engagement is going to be orders of magnitude more in terms of volume and in different ways. So some of that's Chinese students coming in.

And -- but this is where it also gets tricky because it's not just about the export control side of things. That's a part of this and universities do export items, certainly, they export technology and software, but it's also the provision of resources to the university by foreign partners, sponsored research, both at the project level and the sort of the center level. And that's sort of been a slightly tricky issue with Huawei and so on in different universities, so Chinese funds for that purpose.

But even more than that, like the other side of this is also universities as more commercial actors. So one of the roles of universities is to spin out ideas for commercial purposes. And when companies are set up for the purpose, as we are close to commercialized technology, we have seen examples of where China has been seeking to invest in those companies.

So that then gives us quite a broad landscape. We have everything from students and visiting researchers or visiting staff. We have the actual export question of the export of items or the export of technology, which is probably orders of magnitude higher than export of items. But also the question of inward investment, either at the research level, the center level or the company level, all of which sort of fall within the scope of control.

So there's definitely a lot there. So your question was how can universities -- can universities keep up? And how can we keep up with all of that? I know there's obviously a lot of work to be done there. And I know that some universities have well-staffed compliance teams. Even universities with well-staffed compliance teams would probably say that they don't have enough.

A lot of universities don't have that. A lot of universities have -- these issues will be embedded within the legal or perhaps the kind of the -- sort of the corporate risk management, a function rather than having dedicated staff and so on and so on. So there's a lot of interesting discussions to be had around the resources required, the resources needed.

In terms of practical implementation. So in my mind, I sort of break down the things that need to be done into 3 or 4 buckets. There's the export control side of things, for sure. There's the sanctions side of things, and maybe I'll say a word more about that. And this one is going to maybe be a bit unusual for me to say, but there's also the cybersecurity side of things. Because if we're thinking holistically about how one controls the university's assets and stops them from leaking out, cybersecurity is a particularly important parallel picture.

And the mix of what universities need to do also depends greatly on the type of work done at the university, what is the old university. In the U.S., I found that there's a lot of universities ecologies that are more focused on undergraduate education. That's quite different from, say, a research-focused university. And the mix of risk exposures, the mix of compliance challenges is going to be very different between an undergraduate institute and a research institute. So that's tailoring the identification of the risks and the tailoring to type of work done at the institute is really important.

And this then starts to get into the question of how does a university deal with the export control issue. One of the first points is to know what type of work your researchers do, what type of departments do you have, which departments are most likely to have work related to, or uses or interfaces with either controlled technology or sensitive foreign partners and so on. And kind of working through that exercise is, I think, the first step, but there's definitely a lot of work to be done here.

Ravi Amin

Yes. Okay. No, that sounds good. I think that's quite interesting. I know you mentioned the different risk factors when it comes to deciding what universities are doing, what -- it's interesting that in that report, they caveat, saying they haven't looked at all of the risk factors. So they know across the board, something needs to be done. But they -- and they're trying to categorize the universities by risk, but they're not basing it on all of the things that you've just mentioned, right? So the types of research being done, type of university, the relationships that the universities have internationally and things like that.

I think one thing that I got from the report was, obviously, the U.S. government are trying to close the gap between what needs to be done from a compliance perspective and what they think is currently being done. And obviously, university by university, there's probably a difference in the level of checks that are done based on size, based on funding, as you mentioned as well.

I guess that leads on to maybe not a question for me to ask but something to think about, should there be a standardized way in which universities are doing compliance checks when it comes to kind of research activity and the compliance that comes with that? So should they be thinking about the end use of the exports? Or even the technology that they're using or research, should they be thinking about that? Should they be thinking about where it could possibly end up?

Should they be thinking about the foreign entities that they do deal with and understanding potentially what those foreign entities do? Do they do similar research? Do they then do something else on the side? Is there an element of kind of KYC, bringing banking into it a little bit? But is there a need for kind of understanding, not necessarily your customer, but your kind of partner in the research in the long term and ensuring that you are remaining compliant with these regulations?

One of the next questions that I had for you was in your opinion, how do you think U.S. regulators are going to train up these universities? From the report, it seemed like they set out that these are the recommendations I've given, the Department of Commerce, ICE, FBI acknowledge that these are the things that needed to be done. But 7 months later, there hasn't been any sort of advancement on that. So they acknowledged that there is a gap, but they haven't actually started to close that gap. So what do you think that they will have to do in order to ensure that these universities are remaining compliant from kind of a risk perspective when it comes to exports and sensitive technologies?

Dr. Ian J Stewart

Yes. Well, I mean, I guess there's quite a lot there. And to go back to your previous point before I talk to this question, I'll link them. So my sense is that the expectation on universities probably goes beyond your reading of the GAO report. My sense is that many universities are already as part of their understanding of the compliance burden, working to understand their partners, making sure that the partners are not on the entity list, for example.

Then the question is, how do they do that and how do they do that systematically, and so on and so on. But I certainly know universities in the U.S. that are taking many of the similar steps to what industry partners would do and for a good reason. So in some ways, my sense is that in some institutes at least, practice might kind of have sort of fogged over what was suggested in the GAO report. But my sense is also that that's not universal. And I think some of the important work to be done here is the question of how to engage all universities or multiple universities in some way.

Now the next thing I wanted to say is once you get into the nuance of this, you can't treat universities as monolithic. And what I mean by that is, so some of the work that I did in the U.K. on this topic was with University of Cambridge, for example, which is sort of an interesting institute, because each college there is independent, each department, each academic is independent. They can do sort of whatever they like in their individual capacity, which is very different from how a company is set up.

And it was interesting when I first started talking to the U.K. authorities about the need for work specific to universities. And these were my former colleagues in government, because their response was to say, well, we'll treat universities the same as we treat companies. But that obviously doesn't work because universities are structured differently and so on.

But I take from this -- my starting point for universities is always to say, there's challenges around the enforcement question about who's liability is it. So my view on this is that at the very least, the university has to come up with and promulgate guidance for their academics. Whether or not the academics implement that and whether the university is responsible for ensuring they implement that, we can talk about. But if the university doesn't come up with guidance and distill it, then it seems to me that, that does leave a liability with the university.

And when we look at some of the individual enforcement actions and so on and so on, this question of had the university told their staff about the requirement for export controls, had the individual staff member knowingly and willingly violated export controls despite knowing about it have been really important factors in the question of government has taken enforcement action against.

So this is an important point. So the first step here in my mind is for universities to be expected to, be required to, to have and to disseminate guidance on export control and sanctions compliance for their staff. The question of how those universities then engage individual academics and so on is sort of a hard one. There's a big conversation to be had around that for sure, but that sort of comes along in the next part of this.

Now with regards to U.S. government, so BIS has started this program for engagement of universities. What I guess I'd expect and what we saw in the U.K. and the EU was the creation of guidance for universities. So I could kind of foresee that something like that would happen. But then this is BIS really kind of trying to get out and about and talk to different universities, making sure that they've got these compliance programs in place.

And then associated with that, we can expect there to be audits and export control checks and so on and so on, which says, so show us your policy, open your books, show us how you know -- show us what work you've done to figure out who in your university might hold technology and with whom they're dealing. How do you ensure you're not dealing with the entities in the entity list? So that is the work that I think BIS is doing or will do more of. And that's the broader direction of travel here.

And it comes in a context -- I said at the beginning, I can share some war stories. There were recent news articles about U.S. -- this was software, but whatever, U.S. software being found to be central to China's hypersonic weapons program. And I know on the back of that, BIS sort of got raked over the coals to say, why didn't you know about this? Why weren't you taking measures to stop it? And that's -- there is a real impetus, a real momentum for BIS to be proactive on this because they don't want to run afoul of Congress. So I think that's exactly what's going to be happening over the next year and beyond.

Ravi Amin

I think it will be interesting to see whether there is maybe a drop off in certain universities engaging in certain types of research knowing that there's going to be more kind of focus from the government on compliance. It will be interesting to see whether that does happen or kind of doesn't happen based on the fact that there will be more current requirements from a compliance perspective, if engaging in certain types of research.

So I guess another thing that I was kind of thinking about on top of the training is it seems like government is trying to align how they look at universities with potentially other sectors. And I know you said that you have to treat them separately, not as one, and that does make sense. But I think that there needs to be some level of standardization based on the risk factors that they've mentioned in regards to certain countries trying to get hold of certain types of information.

So my kind of belief or the way I see it happening is this is potentially just the start of it. Obviously, universities have been doing certain levels of compliance checking and kind of sanctions compliance checking as they have been. This report will kind of add to that with the help of U.S. government and advice from them. We're now potentially seeing getting potentially stricter or like you said, more audited in the future just to make sure that those programs are maintained and that they are kind of aligning themselves with what is expected of them.

So that's kind of the way I see it happening, and that's based off of the fact that is happening in other sectors, too. So it would also make sense for it to happen in the academic sector as well.

I think we're going to leave it there. We'd like to thank everybody for listening to this webcast. Do not forget to subscribe, and make sure you don't miss our next episode. Thank you very much.