The Limits of Nationality-Led Research Due Diligence: Lessons from Norway

Nationality is often central to research due diligence, with universities and institutions screening international collaborators or staff based on citizenship. In the UK, certain foreign students and researchers who want to study or conduct research in specific sensitive technology-related fields in the UK are subject to the Academic Technology Approval Scheme and other countries like the Netherlands are considering their own equivalents. However, notable espionage incidents—including recent cases in Norway—expose the shortcomings of over-reliance on nationality as a risk filter. Here’s why nationality-led due diligence is too blunt a tool for a complex, global research and innovation ecosystem.

Case Study: Espionage in Norwegian Academia

The Arctic University Spy

In 2022, Norwegian authorities arrested a university lecturer at Tromsø who had posed as a Brazilian citizen but was identified as a Russian agent. The individual presented credible documents and a coherent academic profile, enabling them to infiltrate research networks in Norway, gaining access to sensitive information about the country’s northern affairs. Norway's national security service described the person as a "threat to fundamental national interests" and underlined that the suspect's real identity went undetected until advanced investigation stages, far beyond routine nationality based checks.

Case Study: Malaysian Espionage Arrest in Norway

In 2023, Norwegian security services detained a 25-year-old Malaysian national in Oslo on suspicion of espionage. The individual was reportedly driving a rental car near government buildings, including the Prime Minister's Office and the Ministry of Defence, allegedly attempting to intercept sensitive communications using technical equipment. Norway did not accuse Malaysia of involvement. Their suspicions focused on the possibility that the suspect was recruited in Australia by a third country, seeking to exploit the "low-risk" profile of a Malaysian citizen.

Why Nationality Fails as a Sufficient Filter

1. False Identities and Document Fraud

• Espionage operatives often adopt different nationalities, complete with forged passports and fabricated personal histories.

• The perceived “low-risk” status of certain nationalities offers a path for deception, as in the Norwegian cases.

2. Over-Exclusion and Academic Bias

• Over-relying on nationality can unfairly target applicants from specific regions or countries, hindering genuine cross-border collaboration and leading to exclusion or discrimination without evidence of individual wrongdoing.

• Legitimate researchers can face suspicion solely due to their citizenship, undermining academic freedom and diversity.

3. Information and Risk Moves Beyond Borders

• International research is inherently transnational: knowledge, data, and risks flow across borders. Focusing only on passport origin ignores collaboration networks, funding sources, and digital footprints.

• Sophisticated threat actors adapt to nationality-led controls by using intermediaries, whether individuals or organisations, able to pose as credible partners and funders.

  
  

A Smarter, Holistic Due Diligence Approach

It is important to adopt a holistic and contextualised approach that considers a range of factors. These should include research and technology areas involved, organisational and collaborative links, geographical and geopolitical context, risk awareness levels and risk mitigations in place.

Conclusion

Recent Norwegian espionage cases show that nationality-based approaches to research due diligence—while administratively simple—can offer a false sense of security. Modern threats are complex, and rarely respect national borders or simple categories. Only by moving toward holistic, evidence-based risk assessment can research organisations protect their work, their people, and the integrity of their research.