'Foreign threat actors' are targeting US tech startups to steal IP and sensitive data, cyber agencies warn

A number of US security agencies have warned US tech startups that foreign adversaries are using their investments to gain privileged access to state secrets and other sensitive data.

The joint bulletin , issued on 24 July, was a collaboration between the US National Counterintelligence and Security Center (NCSC), the Office of Economic Security and Emerging Technology (OESET), and special units within the Air Force and Navy.

Titled ‘Safeguarding our innovation’, the bulletin describes the risks investment from foreign entities poses to startups in the region.

First among these dangers is threat actors obtaining proprietary data during the investment process, which they can then use to compete against the startup in global markets.

The NCSC also warned that threat groups can acquire sensitive data and technology from US startups that could significantly advance the foreign entity’s military and economic capabilities.

The entities could give what would appear to be legitimate reasons for requesting access to proprietary data from startups under the guise of “ due diligence before investing”, the bulletin stated.

It added that some may be affected by ‘undue foreign influence’, which could sway corporate decisions and the direction of the firm to benefit threat actors at the startup’s expense.

As a result, startups can be denied US government contracts or funding if any of the US’ cyber adversaries are deemed to have a ‘footing’ in the company.

Startups that do have government contracts or important roles in other critical national infrastructure are also likely to be targeted by foreign threat actors, according to the bulletin.

Investment in US tech startups is an “easy entry point” for foreign adversaries

Speaking to ITPro , Rose Ross, founder at Tech Trailblazers, said startups with some sort of relationship with any nation’s national security can be considered both an asset and liability. In these instances, investment or acquisition can be an easy entry point for foreign adversaries.

“Startups are an essential source of innovation and none more so than in cyber and other areas of defense. It seems obvious any local startup with technology and close proximity to any country's defense should be viewed as a huge asset, but on the flipside is a vulnerability if other nation states become involved either through acquisition or investment,” she explained.

“Supply chain security has to be a huge consideration in all aspects of defense and critical national infrastructure, so the stance of both the US and UK governments is not to be unexpected. In fact, if they didn’t view this seriously, that would be the real surprise.”

China is a particular threat to US startups

The NCSC described the difficulty startups may face in determining the ownership and intent of foreign investors, who could employ a number of techniques to disguise their nefarious motivations.

For example, foreign threat actors could structure their investments in a certain way to avoid scrutiny from the Committee on Foreign Investment in the United States (CFIUS).

This could involve routing their investments through intermediaries around the world or using minority and limited partner investments, the bulletin warned.

China was explicitly identified by the NCSC as a prominent source of malicious foreign investment in US startups.

The bulletin referred back to a 2018 statement from a US Trade Representative, warning that the Chinese government had directed local firms’ investment in, and acquisition of, US companies with the intention of obtaining intellectual property .

The bulletin added that venture capital (VC) investment from China has been focused on emerging technology sectors like AI , listing a number of recent developments that have heightened these concerns.

In January 2024, China-based private equity firm IDG Capital, which has invested in over 1,600 companies - several of which are located in the US - was added to the US Department of Defense’s list of ‘Chinese military companies’.

Foreign investment is not a new threat to national security, but could become more pronounced in future

Rob Dartnall, CEO at threat intelligence specialist SecAlliance, told ITPro clients have requested the company carry out threat assessments of entities with financial relationships to foreign states, adding that startups should consider their long-term goals when weighing up investment from abroad.

“We have indeed been requested by clients to do threat assessments against entities that have either taken funding from, or been acquired by, funds in foreign states, in particular China. Ultimately this ends up with the firms being precluded from participating in tenders or being onboarded as suppliers ,” he said.

“This means an organization should think very carefully about its long-term objectives and examine the opportunity costs surrounding such an investment.”

Dartnall pointed out this threat is not new, but will likely become more pronounced as technology continues to occupy an increasingly large role in business around the world.

Understanding the role of data storage in cyber resiliency

“However, this threat is not new, it has been around for decades and has been used as a tool for anything from espionage to economic warfare. It is likely that it is more prevalent and at the forefront of minds now due to the more tech led world we live in, which also leads to more innovation and startups .”

He offered some advice to startups which are managing particularly sensitive information, noting they must consider potential threats from inside the entity as well its own supply chain , board, and clients.

“If a startup entity knows it is creating particularly sensitive IP that will be used in sensitive industries, they not only need to think of the source of the funding,” he explained.

“It is essential to also consider who it employs from an insider threat perspective, what suppliers it uses (and therefore who has access to data or infrastructure), who is brought on to boards, who its clients are and its cyber security to protect against digital espionage.”