In a joint warning, U.S. and Canadian intelligence partners are publicly acknowledging a long-standing espionage threat, pitch competitions and are advising Western tech startups how these international competitions are being exploited by hostile foreign adversaries. The bulletin, issued by the Office of the Director of National Intelligence (ODNI) and the Canadian Security Intelligence Service (CSIS), confirms that these events are not just a stage for innovation, but a covert mechanism for foreign intelligence services to acquire cutting-edge technology and talent, posing a direct threat to economic and military advantage.
“International pitch competitions should be a nurturing ground for innovation, not a hunting ground for foreign threat actors and competitors to coopt Western technology and talent for their own benefit. Western tech startups face significant risks when participating in international pitch competitions organized by entities affiliated with the Chinese government or the Chinese Communist Party,” said James Cangialosi, NCSC Acting Director. “Working with our U.S. and Canadian partners, today we’re arming Western tech startups with information on the risks associated with these events and basic steps they can take to protect themselves.”
The Exploitation
The bulletin clarifies that the threat is not a matter of blunt force; it’s a sophisticated, multi-pronged approach designed to operate in the gray space between legitimate competition and outright theft. The primary tactics used by the hostile foreign adversaries are the “bait and switch” and the “talent grab” which are in reality merely the entry points for a more insidious, long-term strategy of intellectual property theft. Adversaries, particularly those with ties to the Chinese government or the Chinese Communist Party, see these events as not just a one-time opportunity but as a persistent pipeline for technology and expertise.
One of the more subtle forms of exploitation is the long con. A startup might be invited to a series of seemingly collaborative events, from pitch competitions to networking forums and “innovation summits,” all orchestrated by entities with hidden state affiliations. The goal is not immediate theft, but to build a relationship of trust. Over time, these entities gain access to the startup’s internal processes, key personnel, and strategic direction under the guise of partnership. A case study referenced in a related counterintelligence briefing involved a deep-learning startup.
The company was courted for nearly two years by a state-backed investment fund that praised its technology. This fund provided a small, non-controlling investment, using its board seat and access to internal data to quietly reverse-engineer the startup’s core algorithms. By the time the startup realized the extent of the infiltration, a competing entity in the adversary country had already developed a nearly identical product.
Another method is the exploitation of open-source culture. Many tech startups rely on open-source code and public forums for development and collaboration. Adversaries exploit this transparency by participating in these online communities, posing as independent developers or enthusiasts. They use pitch competitions as a vector to identify promising projects and then funnel their state-sponsored resources into the public-facing aspects of the project. The bulletin describes an instance where a startup’s groundbreaking cybersecurity tool, which was built on a public code repository, was compromised. The foreign entity, having identified the startup’s talent and unique approach at a pitch competition, began contributing code with hidden vulnerabilities. When the startup later integrated these contributions, it created a backdoor that allowed the adversary to remotely access the tool once it was deployed by the startup’s clients, including critical infrastructure firms.
It is important to note that these competitions occur in numerous countries other than China, to include Australia, Canada, the United Kingdom, and the United States.
Proactive Safeguards and the Call to Action
To combat these evolving threats, the bulletin stresses that vigilance must become a core part of a startup’s operational security. It’s no longer enough to protect sensitive data behind a firewall; the human element and public-facing interactions must be secured as well. The guidance provides three suggested steps for mitigation.
First, due diligence is paramount. Startups must move beyond simply checking the website of a competition organizer. The bulletin recommends investigating the full spectrum of a sponsor’s affiliations, including parent companies, funding sources, and key personnel. Are there direct or indirect links to state-owned enterprises, military-affiliated research institutions, or government ministries? The presence of such ties should be considered a major red flag, even if the competition itself appears benign.
Second, the bulletin advises a strict information hygiene protocol. Companies should establish a clear policy for what intellectual property can be shared, and with whom. This includes not only technical schematics but also business plans, market strategies, and proprietary data models. The guidance suggests creating a “pitch deck” specifically for competitions that contains only high-level, non-sensitive information. Detailed technical briefings, data sets, or code should only be shared under the protection of robust, enforceable non-disclosure agreements (NDAs) that are vetted by legal counsel.
Finally, if a startup/entity suspects it has been targeted or compromised, it is urged to report the incident immediately. In the United States that is to the FBI, CFIUS, and AFOSI.
