Securing Innovation in an Epoch of Geopolitical Competition

The announcement of yet another strategic review – the third in just four years – presents an opportunity for the new government to outline a roadmap for securing the UK’s innovation ecosystem, a crucial backbone of its economic and national security.

The previous strategic reviews outlined the UK government’s goal of becoming a technology superpower. Any advances in key areas of emerging and deep technology will undoubtedly require cultivating a thriving innovation ecosystem. 

This entails promoting research in a higher education sector that is experiencing profound financial challenges, supporting the commercialisation of research, and developing a more informed approach to industrial policy. 

This is already easier said than done. However, in addition to these policy challenges, the UK also faces determined adversaries that are seeking to steal its intellectual property and otherwise disrupt its innovation ecosystem. Ensuring the security of the ecosystem and its resilience against these threats without stifling innovation is an epochal challenge for the UK government. 

Security of Innovation Under Threat

Technological innovation is a key strategic battleground between great powers. Accordingly, organisations that are engaged in technological innovation will be targeted by well-resourced, persistent threat actors.

Economic espionage is not a novel phenomenon. However, Western governments are increasingly open in their assessment of the scale and breadth of China’s theft of innovative technology. 

Research institutions, university spinouts, startups and larger enterprises are all at risk. Greater public awareness of this issue has also increased the pressure on companies to address the threat. However, efforts to strengthen the security of some organisations have run into practical and cultural challenges. 

The range of technologies and companies considered relevant to national security, and therefore falling under the scope of UK government efforts to counter threats, is expanding.

Many organisations innovating in emerging technologies, which are often small startups and spinouts, are unfamiliar with security and do not have well-established connections with the security services. 

The threat extends beyond the comparatively familiar domain of cyber security. Organisations that have an IT-focused information security function may not have organisational policies and processes to address threats to physical, supply chain, personal and personnel security. 

There are also cultural challenges in introducing security controls in some institutions, not to mention opposition to working with government.

The UK Government Response

The National Security and Investment Act (NSIA) was enacted in the UK in 2021. The act provides the UK government with enhanced powers to scrutinise and intervene in business transactions, including mergers and acquisitions, over 17 sensitive areas of the economy that are relevant to national security.

The NSIA is notable for the breadth of its coverage, permitting scrutiny of transactions in catch-all categories such as communications, defence and transport. Other categories cover entire fields of research and development, such as AI, quantum technologies and synthetic biology. 

Anecdotal evidence suggests that the startup ecosystem has not always appreciated the NSIA. There remains uncertainty among businesses over the scope and applicability of the act, likely leading to unnecessary delay in mergers and acquisitions. The impression that emerges is that both government and the private sector are finding their way at the same time. 

The outcome of the NSIA approval process is set out in a legally binding decision called a final order. In addition to prohibiting a proposed deal, or unwinding one that has taken place, these final orders can also impose conditions on the parties involved, pending the acceptance of which the deal can go ahead.

Analysing these final orders shows that, rather than blocking deals entirely, the government is increasingly using final orders to mandate changes in companies’ approach to security. These changes emphasise a holistic approach to protective security, with a focus on security governance, personnel security and vetting, and assurance functions. This suggests a direction of travel in terms of broader requirements for protective security for companies working in sensitive areas of the economy.

The UK government offers some support to industry through the National Protective Security Authority (NPSA), which focuses on economic security and the protection of science, technology and research. The NPSA runs a campaign called ‘Secure Innovation’ that offers guidance to organisations operating in this space. An online survey allows organisations to assess their need for protective security, and the NPSA has also launched a pilot programme with UK Research and Innovation which covers some of the costs for companies seeking protective security assessments from a list of approved providers. This is a positive move towards a more collaborative approach to mitigating risks in this area, but still leaves the onus on companies. 

The Future of Innovation Security

As more – and more diverse – organisations are asked to introduce security controls to protect their work, the ability of the UK government to provide guidance and support will be increasingly strained.

There are pockets of expertise and capability across the private sector and within public institutions such as universities, think tanks and research institutes. Nonetheless, given the UK government’s limited capacity to directly support companies at risk, there is a pressing need for the development of collective responses within industry. This will involve bringing together companies that address different aspects of security, such as cyber security and physical security.

There are also challenges around security awareness and culture, and around the incentives of different actors. Companies operating in this highly competitive space are unlikely to spend on security measures unless the costs of not doing so are immediate and unavoidable. 

Broad statements from government about the criticality of science and technology to national security may resonate with some individuals, but are unlikely to drive organisational behaviour in companies that do not already have a more mature security function.

Changing organisational behaviour around security will likely involve the promotion of forums for sharing information and best practices. It will also involve recognising that this is a diverse and heterogeneous space with existing pockets of expertise and collaboration. The government should focus on building and supporting a system of systems, rather than attempting to impose a single body.

The challenge is to promote the adoption of security controls in a way that does not stifle innovation or undermine the commercial viability of companies. As with the security of academic research, such efforts also need to find a balance between the necessity of international collaboration and the need to protect sovereign capabilities. 

Unfortunately, it may take more high-profile company failures resulting from adversary actions before this issue gains significant attention, prompting companies to seek best practices and benchmarks to justify security spending.

The views expressed in this Commentary are the authors’, and do not represent those of RUSI or any other institution.

Have an idea for a Commentary you’d like to write for us? Send a short pitch to commentaries@rusi.org and we’ll get back to you if it fits into our research interests. Full guidelines for contributors can be found here.