The U.S. security agencies are warning technology startups to be wary of foreign venture capital investments that may be attempts to steal secrets.
The warning, issued today by the Director of National Intelligence’s National Counterintelligence and Security Center (NCSC) and three other agencies, notes that concern about startup investments by the People’s Republic of China (PRC) has been an issue since at least 2018, but recent events have heightened concerns that the PRC is using VC investments to attempt to gain access to AI technology and other sensitive intellectual property (IP).
The guidance – and the threat of lost business and deals if national security risks are later discovered – puts startups in the difficult position of judging investor ownership at the same time that they may be seeking a critical financial lifeline. The NCSC document spells out warning signs to look for in a venture investor, and also shares some horror stories of stolen startup intellectual property.
IDG Capital, Other Venture Capital Threats Cited
The warning from NCSC, DNI’s Office of Economic Security and Emerging Technologies (OESET), and the Air Force and Navy criminal investigative services, notes that in January 2024, the U.S. Department of Defense (DoD) added China-based private equity firm IDG Capital to its list of “‘Chinese military companies’ operating directly or indirectly in the U.S.”
IDG Capital, which has invested in more than 1,600 companies, including several in the U.S., denies DoD’s claims.
The agencies’ warning cites a few examples where a venture investment masked hidden national security risks.
Last year, the CEO of a U.S. startup that is suing defendants in China for trade secret theft testified before Congress that some China-based VC firms may target and pay employees of U.S. startups to acquire technology, then fund competitors in China who try to monetize the stolen technology.
Some U.S. and European firms have claimed that China-based investors offered them investments, then withdrew the offers after obtaining their proprietary data in the due diligence process.
One U.K. firm, after agreeing to a takeover by an investor in China, began transferring technology in exchange for part of the acquisition price. The investor later abandoned the acquisition, and the U.K. firm faced bankruptcy after sharing its IP.
In addition to stolen IP and lost market share, the agencies note that startups can also be denied U.S. government contracts or small business funding if foreign threat actors have been found to have a presence in their firms.
Warning Signs of Foreign VC Involvement – And Defensive Steps
The NCSC document acknowledges the difficulty of determining “the ownership and intent of foreign investors,” and offers some warning signs of foreign investment and some defensive steps to take.
Foreign investors may structure investments to avoid scrutiny from the Committee on Foreign Investment in the United States (CFIUS), which reviews mergers, acquisitions, and investments that may have national security implications.
They may route investments through intermediaries in the U.S. or other countries, and use minority and limited partner investments.
Some of the tactics that could be warning signs of foreign threat actors may also be routine legal moves, complicating assessment efforts. These include complex ownership, including separate entities that share key personnel, or shell companies “with no substantive purpose.” Incorporation in offshore locations lacking transparency and oversight is another such tactic.
Investments through funds, partners, or intermediaries in the U.S. or other countries can be another potential warning sign, as can Limited Partner Investments and requests for proprietary or other sensitive data. “Startups should be alert to intrusive requests for sensitive data,” the document notes.
Before seeking investments, the agencies advise startups to “identify and compartmentalize your company’s ‘crown jewels’” with physical and virtual protections and access restrictions. A risk manager should be empowered to protect assets, and startups should make sure that legal and contractual agreements “are enforceable in the investor’s home country.”
Startups with concerns or tips about potential foreign investments with national security implications should contact CFIUS, the FBI or DoD, the guidance notes.