Export Controls: Enforcement Agencies Should Better Leverage Information to Target Efforts Involving U.S. Universities

GAO-22-105727 Published: Jun 14, 2022. Publicly Released: Jun 14, 2022.
Jump To:
Fast Facts

Millions of foreign students and scholars study at U.S. universities, and many contribute to U.S. research. But, there's a risk that some may illegally access and share sensitive information, such as data or technology, with their home countries.

Agencies involved in addressing this threat said that outreach and education increases university officials' awareness of research security threats and builds stronger relationships with university officials.

To help prevent illegal transfers, we recommended that agencies determine which universities are at greater risk for such transfers and target outreach and education to them.

International flags on top of a stack of 3 books

Skip to Highlights
Highlights

What GAO Found

According to U.S. government agencies, foreign entities are targeting sensitive research conducted by U.S. universities and other institutions. Releases or other transfers of certain sensitive information to foreign persons in the United States are subject to U.S. export control regulations. Such releases or transfers, which are considered to be exports, are commonly referred to as deemed exports. A U.S. Assistant Secretary of State wrote in 2020 that greater attention needed to be paid to deemed exports. He noted that these transfers, including the “know how” of cutting-edge science and its applications, are what China's military–civil fusion strategy seeks in its attempts to mine and exploit U.S. academia's open knowledge system.

Hypothetical Examples of Deemed Exports Subject to Export Control Regulations

Hypothetical Examples of Deemed Exports Subject to Export Control Regulations

Agencies involved in enforcing export control regulations—the Departments of Commerce and Homeland Security (DHS) and the Federal Bureau of Investigation (FBI)—conduct outreach to universities to strengthen efforts to prevent sensitive technology transfers, including unauthorized deemed exports. According to officials, outreach increases awareness of threats to research security and builds stronger two-way relationships with university officials. The agencies identified this outreach as a key enforcement mechanism.

However, additional information about universities' risks could enhance the agencies' outreach efforts. For example, Commerce does not base its outreach on analysis of universities' risk levels and has not identified any risk factors to guide its outreach priorities. DHS has ranked roughly 150 U.S. universities for outreach, and FBI provides information to all of its field offices to guide their outreach priorities; however, both agencies base these efforts on only one risk factor. Identifying and analyzing any additional relevant risk factors could provide a more complete understanding of universities' risk levels and could further inform Commerce's, DHS's, and FBI's efforts to target limited resources for outreach to at-risk universities.

Why GAO Did This Study

Over 2 million foreign students and scholars studied at U.S. universities in 2019, in many cases contributing to U.S. research. The U.S. government implements export controls to, among other things, mitigate the risk of foreign students' and scholars' obtaining controlled and sensitive information that could benefit foreign adversaries.

GAO was asked to review agencies' efforts to address risks associated with foreign students and scholars who may seek to evade export control regulations. This report examines the extent to which agencies are assessing universities' risk of unauthorized deemed exports to prioritize outreach.

GAO reviewed related laws and regulations; analyzed agency data; and interviewed agency officials in Washington, D.C., and 15 U.S. field offices. GAO based its selection of these offices on their proximity to research universities, their geographic dispersion, and other agencies' field office locations.

This is a public version of a sensitive report issued in March 2022 that included additional information on (1) challenges agencies face in efforts to enforce export control regulations, particularly for deemed exports at universities, and (2) the extent to which agencies coordinate their efforts and share information. Information that agencies deemed sensitive has been removed.

Skip to Recommendations

Recommendations

GAO is making eight recommendations to strengthen Commerce's, DHS's, and FBI's ability to prioritize outreach to at-risk universities. All three agencies concurred with the recommendations.

Recommendations for Executive Action

Agency Affected Recommendation Status
Department of Commerce The Secretary of Commerce should ensure that the Under Secretary for Industry and Security identifies relevant risk factors and analyzes this information to identify universities at greater risk for sensitive technology transfers, including unauthorized deemed exports. (Recommendation 1)
Open
The Department of Commerce concurred with the recommendation, but it did not provide an action plan for addressing the recommendation. As of July 2022 we had not received an update from the agency concerning actions taken to address the recommendation. We will continue to monitor Commerce's progress in implementing this recommendation.
Department of Commerce The Secretary of Commerce should ensure that the Under Secretary for Industry and Security shares the results of any analyses aimed at identifying U.S. universities at greater risk for sensitive technology transfers, including unauthorized deemed exports, with EE field offices. (Recommendation 2)
Open
The Department of Commerce concurred with the recommendation, but it did not provide an action plan for addressing the recommendation. As of July 2022 we had not received an update from the agency concerning actions taken to address the recommendation. We will continue to monitor Commerce's progress in implementing this recommendation.
Department of Commerce The Secretary of Commerce should ensure that the Under Secretary for Industry and Security implements a mechanism to periodically assess the relevance and sufficiency of risk factors used for prioritizing universities for outreach to address new or evolving threats to U.S. university research, including threats pertaining to sensitive technology transfers and unauthorized deemed exports. (Recommendation 3)
Open
The Department of Commerce concurred with the recommendation, but it did not provide an action plan for addressing the recommendation. As of July 2022 we had not received an update from the agency concerning actions taken to address the recommendation. We will continue to monitor Commerce's progress in implementing this recommendation.
United States Immigration and Customs Enforcement The Director of ICE should assess which, if any, additional risk factors are relevant for identifying universities at greater risk for sensitive technology transfers, including unauthorized deemed exports. (Recommendation 4)
Open
The Department of Homeland Security concurred with the recommendation. In response to the recommendation, DHS provided information about the actions it plans to take to address this recommendation. Specifically, DHS plans to continue to coordinate with internal stakeholders to assess additional risk factors relevant to identifying universities at risk for sensitive technology transfers and unauthorized deemed exports. As of July 2022 we had not received an update from the agency concerning actions taken to address the recommendation. We will continue to monitor DHS's progress in implementing this recommendation.
United States Immigration and Customs Enforcement The Director of ICE should implement a mechanism to periodically assess the relevance and sufficiency of risk factors considered in identifying at-risk universities to address new or evolving threats to U.S. university research, including threats pertaining to sensitive technology transfers and unauthorized deemed exports. (Recommendation 5)
Open
The Department of Homeland Security concurred with the recommendation. In response to the recommendation, DHS provided information about the actions it plans to take to address this recommendation. Specifically, DHS plans to continue to coordinate with internal stakeholders to assess additional risk factors relevant to identifying universities at risk for sensitive technology transfers and unauthorized deemed exports. As of July 2022 we had not received an update from the agency concerning actions taken to address the recommendation. We will continue to monitor DHS's progress in implementing this recommendation.
United States Immigration and Customs Enforcement The Director of ICE should share with field offices the results of any analyses aimed at identifying U.S. universities at greater risk for sensitive technology transfers. (Recommendation 6)
Open
The Department of Homeland Security concurred with the recommendation. In response to the recommendation, DHS provided information about the actions it plans to take to address this recommendation. Specifically, DHS plans to share the risk ranking it has already developed with all field offices and to provide an updated risk ranking by the end of the calendar year. DHS's comments stated that this information will include an explanation of how to assess and use the risk rankings for academic outreach. As of July 2022 we had not received an update from the agency concerning actions taken to address the recommendation. We will continue to monitor DHS's progress in implementing this recommendation.
Federal Bureau of Investigation The Director of FBI should ensure that the appropriate offices assess which, if any, additional risk factors should be considered in identifying universities at greater risk for sensitive technology transfers, including unauthorized deemed exports. (Recommendation 7)
Open
The FBI concurred with the recommendation, but it did not provide an action plan for addressing the recommendation. As of July 2022 we had not received an update from the agency concerning actions taken to address the recommendation. We will continue to monitor FBI's progress in implementing this recommendation.
Federal Bureau of Investigation The Director of FBI should ensure that the appropriate offices implement a mechanism to periodically assess the relevance and sufficiency of risk factors considered in identifying at-risk universities to address new or evolving threats to U.S. university research, including threats pertaining to sensitive technology transfers and unauthorized deemed exports. (Recommendation 8)
Open
The FBI concurred with the recommendation, but it did not provide an action plan for addressing the recommendation. As of July 2022 we had not received an update from the agency concerning actions taken to address the recommendation. We will continue to monitor FBI's progress in implementing this recommendation.

Full Report

GAO Contacts