An effective research security approach cannot simply be a list of prohibitions. It must be a thoughtful, risk-based framework that acknowledges our unique geopolitical position, the realities of international science diplomacy, and the pressures faced by researchers at the coalface of global engagement. This is the view of Dr Cornelia Malherbe from the Division for Research Development in an opinion piece for University World News.

• Read the original article below or click here for the piece as published.

Cornelia Malherbe*

South Africa finds itself at a crossroads in the global research security conversation. Over the past several years, through my engagements with universities across Europe and the United Kingdom (UK) and ongoing work within my own institution, I have come to appreciate just how quickly the international landscape is changing. 

South Africa currently does not have a national policy dedicated to research security. Instead, it operates within a fragmented ecosystem of legislation—intellectual property protection, export‑control laws, non‑proliferation frameworks, privacy and cybersecurity statutes, and guidance from bodies such as the Academy of Science of South Africa on areas like artificial intelligence (AI). This offers partial coverage but leaves critical gaps, particularly in areas such as screening foreign collaborations and mitigating foreign interference. The result is a fragmented and often ambiguous governance environment that is increasingly difficult to navigate as global expectations rise.

The Department of Science, Technology and Innovation’s recent indication that research security will be high on the national agenda in 2026 is encouraging, and I believe it signals a turning point. 

But until a national dialogue matures into policy, universities must carry a disproportionate burden. This is especially complicated for a country like ours, positioned deliberately as non‑aligned. 

We collaborate widely: with Western partners, BRICS+ networks, the African research community, and various multilateral science platforms. But non‑alignment also exposes us to reputational risk when we engage with countries or institutions deemed “foreign countries of concern” by those with strict research security regimes. As I have witnessed in several international forums, these dynamics can have real consequences—not only for partnerships, but for perceptions of integrity, trustworthiness, and compliance.

One example that crystallised the urgency of this issue for many in the South African sector was the cyberattack on the Tshwane University of Technology on 17 December 2023. The theft of extensive sensitive institutional and personal data, the disruption to operations, and ultimately the suspension of a senior executive highlighted the fragility of our systems and the severity of the risks we face. Incidents like these do more than compromise information—they undermine trust, expose governance weaknesses, and remind us that universities are increasingly attractive targets for those seeking access to valuable knowledge and digital infrastructure. 

Another more recent case involves a researcher, Marcel Bucher, who lost two years of academic work after disabling a “data consent” setting in ChatGPT, which caused all stored conversations and project folders to be permanently deleted without warning. This highlighted the vulnerability of research materials stored in third‑party AI tools, especially when mistakenly assuming platform continuity equals data security.  Although there were no malicious actions intended, this case illustrated that reliance on cloud‑based or AI‑assisted tools without robust, institution‑controlled backups poses significant risks to research security, data integrity, and intellectual property protection.

In the broader global context, research security has emerged as a shared concern among leading science nations. The definition of the Group of Seven advanced economies (G7) resonates strongly with my own understanding: the commitment to promoting open research while recognising that there are circumstances requiring proportionate limits (my emphasis) on access to knowledge, data, and technology. My exposure to these principles—particularly the emphasis on preventing the misappropriation of research outputs by actors who do not respect academic norms—has shaped how I think about responsible collaboration. 

As South African higher education institutions, we must begin by asking ourselves difficult but necessary questions: How do we design internal systems when national guidance is absent? How do we remain meaningfully open while protecting our researchers, infrastructure, and intellectual assets? 

Through my research and institutional work, I have come to see that an effective research security approach cannot simply be a list of prohibitions. It must be a thoughtful, risk‑based framework that acknowledges our unique geopolitical position, the realities of international science diplomacy, and the pressures faced by researchers at the coalface of global engagement. 

This includes due‑diligence processes for collaborators and funders, risk categorisation, dual‑use research of concern assessments, and clear internal pathways for addressing credible threats. When a credible threat exists, it will trump the academic freedom that we so desperately want to protect. However, the question is:  who is to judge whether there is a credible threat?

At the level of individual researchers, the challenges are often more acute. Many of the dilemmas that arises involve no malicious intent—simply a lack of awareness of the complexities associated with foreign partnerships, especially those involving high‑risk institutions or sensitive technologies. It serves as a reminder that transparency is the cornerstone of responsible collaboration. Undisclosed affiliations, hidden contracts, or conflicting commitments may seem minor at first glance, but they have real implications for institutional accountability and reputational protection. 

At the same time, researchers are increasingly navigating pressure from foreign funders, talent programmes, or geopolitical expectations that may conflict with our legal or ethical frameworks. Balancing academic freedom with societal responsibility is difficult, but it is essential—and in some cases, it may require us to self‑sanction when the risks become too great.

Before a decision is made to self-sanction, a situation should constitute a “critical threat”. A credible threat assessment requires a structured process, reviewing the nature of the partner institution, the research domain, the sensitivity of the data or technology involved, and the specific terms of the collaboration. Institutions in Europe and the UK have established committees dedicated precisely to this work. Their experience demonstrates both the value of institutional support and the danger of relying on ad‑hoc or individual assessments—especially in areas involving dual‑use technologies, politically exposed entities, or potential military applications.

At Stellenbosch University (SU), we have been on our own learning journey. The insights I gained from eight universities in Belgium, the Netherlands, Norway, and the UK were invaluable, but they also highlighted how difficult it can be to balance compliance with academic freedom. In several cases, overly strict regulations abroad have created paralysis—researchers too afraid to act, or uncertain about how to navigate ambiguous legal obligations. That was a powerful reminder for me of why our own approach must be proportionate, transparent, and contextually grounded. 

At SU, we have been developing a framework that includes risk categorisation, enhanced screening of funders and collaborators, researcher awareness, international sound boarding, and establishing and participation in national and regional networks such as the Southern African Research and Innovation Management Association’s newly established Community of Practice for Research Contracts and Compliance and EUTOPIA’s conversations around responsible internationalisation. These efforts are far from complete, but they are helping us build a culture of security‑aware open science—one that is grounded in ethics, responsibility, and collective deliberation.

Strengthening research security in South Africa is not simply a compliance exercise; it reflects our commitment to public trust, academic integrity, and the equitable pursuit of knowledge. Our non‑aligned position gives us unique opportunities to collaborate broadly, but it also places us under greater scrutiny. If we want to remain a trusted partner, our approaches to partnerships must demonstrate that we take our responsibilities seriously and that we are willing to make difficult decisions when required, including declining collaborations that pose unacceptable risks. I have learned that responsible openness requires more than goodwill—it requires intentional governance, institutional courage, and a willingness to examine the broader consequences of our research choices.

Ultimately, what I have come to believe is that research security is not the opposite of openness. It is what enables openness to endure. When we protect our people, our knowledge, and our institutional credibility, we create the conditions in which meaningful collaboration can flourish. And when we remain ethically grounded and aware of global norms, we not only protect our own work; we also strengthen South Africa’s position in the global research ecosystem. For me, this is the heart of research security: a commitment to openness, yes, but openness anchored in responsibility.

*Dr Cornelia Malherbe is Director: Research Contracts and Compliance in the Division for Research Development, and Senior Lecturer in the Department of Industrial Engineering at Stellenbosch University, South Africa.