EXPERT INTERVIEW — The race between China and the U.S. for tech supremacy gets fiercer by the day. In the latest salvo, the U.S. this week added five Chinese tech giants to a list of Chinese companies it has accused of helping Beijing’s military. The Pentagon maintains the list of companies as part of its campaign to counter Chinese military development, spurred by Beijing’s military-civil fusion strategy and leveraging of dual-use technology.
The Cipher Brief spoke recently with Michael Casey, Director of the National Counterintelligence and Security Center (NCSC), about a specific aspect of this technology competition with China: the trend of Chinese venture capitalists and investors backing U.S. startups in emerging tech, then taking their intellectual property back to China to found competing companies. It’s a unique approach that officials believe China is using to get ahead.
“In the long run, the U.S. system is based on the ability to dominate in the tech sphere,” Casey said. “The Chinese figured that out some years back, and they really want to build competition with us.”
Casey spoke with Cipher Brief CEO Suzanne Kelly for an episode of the “State Secrets” podcast about the scope of the threat, and how startups can work with other companies and with the government to counter or at least mitigate the dangers. Their conversation below has been edited for length and clarity. You can listen to the full discussion on Apple Podcasts or Spotify.
Kelly: When it comes to threats to the startup ecosystem, I can understand why CEOs in some situations might be willing to take the money, and not spend a lot of time on where it's coming from. You're concerned about that. Can you give a little background as to why?
Casey: One of the things we are charged with doing is outreach to the private sector, and we do an increasing amount of warning them of counterintelligence risks and threats. One of the things that we have seen is foreign malign investment. We see, in particular, the People's Republic of China encouraging Chinese venture capitalists and other investors to come invest in U.S. startups for emerging tech, and then sometimes take the IP and go back to China and start a competing company. In the long run, if they were just investing in companies and competing with us, that's fine. They're free to do that. But we also see them blending this with some of their other more traditional espionage activities.
In the long run, the U.S. system is based on the ability to dominate in the tech sphere. The Chinese figured that out some years back, and they really want to build competition with us. They would like to displace us in that realm. They certainly see our lead in technology as the basis for what is the best economy in the world, with the strongest military and the ability to set tech standards and norms around the world. They want it and they have come up with a variety of tactics to try and go get that.
Kelly: How does this work?
Casey: A lot of the problems we see are in the due diligence phase where they are looking at investing in a company and they come and ask a lot of questions. In some cases, we've seen them invest a little bit of money and then not follow through on the full acquisition once they get access to the IP.
There's a great example, and we use it all the time because the company talks about it in public: It's actually a British company, an aeronautical engineering company called Smith's Harlow. The company was interested in essentially selling itself. A Chinese bidder offered about $10 million for it, provided somewhere just short of $4 million as an initial investment, got access to all the IP and then disappeared and set up a competing company in China. The British company lost their IP, and they've got a competitor who's got the exact same thing operating out of China. And because they took that roughly $4 million, they're losing contracts with the British government because they now have $4 million of Chinese money — you can't do business with the Ministry of Defense in that case. It’s a multitude of risks in there.
Kelly: What are you telling young startup CEOs and those looking to raise money about how to vet for something like this?
Casey: One, just understand what your crown jewels are and be a little careful of them. Due diligence is one thing. Giving everybody your crown jewels to prove how cool they are is probably something else. So be a little considerate about that.
We talk to some venture capital firms as well and say to them, when you're investing in a company, you may want to look at who the other investors are. And when you're doing rounds and you have bidders, it's in your interest to also help the small startups vet those bidders. If you invest in a startup and it fails because somebody stole the IP, you've lost your investment too. And by the way, in the future you might be doing business with the United States government. That's not going to be so easy, even if they don't get ripped off, if they have 20% owned by a Chinese state affiliated entity.
Kelly: The North Koreans are doing some interesting things, but they've got a slightly different technique. Can you explain that?
Casey : That's more about getting people to click on the ransomware link. They pose as a venture capitalist, [the company wants] to do some of the due diligence, they set up a virtual meeting and the venture capitalist doesn't show up on the other side. The company emails and says, "Hey, what's going on? I thought we had this meeting." And they get an email back that says, "Sorry, something's technically gone wrong — click on this link." You click on that link and lo and behold, it's malware and then you're busy paying to get your data back, or they steal your data. It's pretty clever. All of this is built on taking advantage of people who are desperate for funding of one sort or another to make their good idea into a super successful company.
Everyone needs a good nightcap. Ours happens to come in the form of a M-F newsletter that provides the best way to unwind while staying up to speed on national security. (And this Nightcap promises no hangover or weight gain.) Sign up today.
Kelly: NCSC has taken part in developing what you're calling secure innovation materials. Can you talk through what that is?
Casey: Secure innovation grew out of an idea that the Brits came up with probably two years ago, [where] all the Five Eyes are seeing essentially the same thing: Foreign hard targets — the PRC, Russia, and to a lesser extent, Iran and North Korea — are all coming after our emerging tech companies. The five of us collectively put out a suite of materials that are designed to help highlight the threats and help emerging tech companies think through what they can do about them. It’s effectively five steps.
Know your threats. Literally sit down and think, how can the bad guys come after my company? Everybody thinks about cyber, but there's insider threats, there's the investment we're talking about, there's a host of things.
Secure your business. Think about how to build security into your corporate structure. Don’t take it for granted. Don't just assume you put in the virus protection software, but actually think through who's in charge of security, how do they relate to the corporate leadership to the extent an emerging tech startup has it. Be very thoughtful about this from the beginning.
Secure your products. Most of these emerging tech companies are software facing and building software products, and it is a lot easier to build security in from the beginning than it is to try and build it in a lot later.
Secure your growth. As you go through and try to get additional investors, you really have to think through who those people are. As you go overseas and start thinking about, Well, I want to expand markets, what are those additional risks that you're taking as you're exposed to other legal regimes? We talk about PRC a lot because it is the pacing threat. If you were to try and set up business in the PRC, they have laws saying you have to cooperate with the intelligence community. They have cracked down on all sorts of U.S. companies trying to do business there for things that we think of as just normal business activities. Think through where you're going to expand. Think through what the legal threats are and what the environment is there and what your competitors have there.
And secure your partnerships, which is really thinking through your supply chain, because we see risks and foreign adversaries taking advantage of that, too. The whole idea is really just to sit down and think strategically, step by step, what are those things I have to worry about and what can I do about it?
Kelly: What are you advising when it comes to understanding the threat from insider risk, and how to try to mitigate that as you're building your team?
Casey: The threat is pretty easy to state actually – which is, you hire an insider, they take your IP, they flee somewhere and try and set up another company. This happens to companies up and down the food chain. I think Apple was hit three times when they were doing an autonomous vehicle program, and Google's been hit a couple of times. These are fairly large, sophisticated companies with resources and that's still a huge problem for them. Ultimately, the insider is dangerous because you let them in, you trust them and you give them access to things and then they just walk out the front door with a thumb drive or a laptop full of secrets.
Be cautious about who you're hiring and who you're doing business with, and think about what you have to protect and who you're giving access to. Do you have to give everybody access to all the core IP of your widget that you're building or your piece of software? The threat is not rocket science. None of these things are magic wands that are going to solve it, but it can at least hedge the bet. The burglar alarm isn't going to stop the super high-end art thief from coming in your front door, but it's going to make the average thief look at the next house, not your house.
Are you Subscribed to The Cipher Brief’s Digital Channel on YouTube? Watch for expert-level discussions on China, Russia, the Middle East and more.
Kelly: Do you give the advice in a sort of war gaming?
Casey: You're exactly right. We tell people all the time: you should think about what your worst day is. What happens if you got hit and your crown jewels disappeared? How would you react to that? What are the ways you could have gotten hit and how do you go back and prevent them?
And don't do it once. Everybody wants to do the war game, and then we've got a perfect plan and that'll be great for 10 years. That's not how that works. The adversary evolves, your corporate structure probably evolves. You need to do this on a fairly regular basis.
Kelly: What's the reception been?
Casey: Generally speaking, we've gotten pretty good reaction. We've talked to various groups of investors in New York and Silicon Valley. For the most part, the reaction is intellectually we know that people are out there trying to steal IP, but it really brings that home. And there's an appetite for what we do about it.
I think we've seen over the last five to 10 years a lot more awareness of this as a problem. There’s a few venture capital firms who've gotten together and effectively said we're going to lay out some security we want all of our companies to take, here are the kinds of investors we're not going to let in, and [we should] establish some pretty good standards. I think we're hoping more join that effort. We've seen discussions, particularly in Silicon Valley, of some of the venture capital firms changing their term sheets to build in security, which is huge.
I should give thanks to the FBI, which has done a lot of outreach, particularly in Silicon Valley. They've spent a lot of time with the venture capital guys and the emerging tech guys really hammering home that message and gotten some really good cooperation.
Kelly: What are some of the other things that people could be doing? The last thing you want to do is have to call the FBI if something did go wrong.
Casey: It's a much easier call if you already know them and they already know you. And so that is absolutely one of the things we suggest. The FBI has offices everywhere. Go introduce yourself and establish a relationship. They are interested in helping companies and helping educate about the threats.
We’ve seen certain sectors start to self-organize a little bit. You see industrial associations start sharing resources. You see it in the computer industry. The FBI and everybody else had done a thousand threat briefs for them. At some point their CISOs decided to self-organize and start sharing information and building an organization for sharing best practices. That kind of thing has been very helpful. It's also a great way for the fed side to interact [because] it's easier to hit a thousand companies if they're all part of the same association. Anything we can do or the FBI can use [to be a] force multiplier for getting that messaging out and then getting feedback from them about what they're seeing and what really works.
Kelly: Were there any moments that you can recall that really surprised you about the nature of the threats?
Casey: I am amazed by the breadth of it, honestly. I've worked in Washington my entire professional career. I've worked in national security. Obviously the bad guys are all after state secrets. In fact, what the bad guys are after is literally everything. In some cases, frankly, [I am amazed by] the cleverness for how they're doing it — what we'd call blended operations, where it's doing due diligence and then insider threat and a cyber attack on top of it, all to get one little piece of IP that they really, really want. It's frankly pretty impressive.
Kelly: What is the one thing that keeps you up at night?
Casey: The thing that mostly keeps me up at night is that on our side, we take our eye off the ball. We know what the adversary's doing, even if it's at a scope and scale and pace that makes it hard. We can raise a level of threat awareness. We can help people with security. We can do all those things, but if we take our eye off the ball, we're going to lose. That's just the reality of it. We can and have and should and will continue pushing back on the adversary and protecting our secrets and our way of life. The easiest way to lose this competition is for us to quit fighting it. We can't afford to do that. We have to keep doing what we're doing and doing more of it.
Read more expert-driven national security insights, perspective and analysis in The Cipher Brief
