By James Husemeyer, Chief Security and Intelligence Officer 

As deep tech startups develop the innovations that will define the future of defence and security, they face a threat that extends far beyond market competition. State actors with sophisticated capabilities are actively targeting Western intellectual property, seeking to steal the technological advantages that underpin Allied security. The NATO Innovation Fund’s addresses this reality head-on, providing portfolio companies with the expertise and frameworks they need to protect their most valuable assets in an increasingly hostile threat landscape.

Understanding the threat landscape

There is a real and growing threat to intellectual property in the DSR ecosystem, emanating from state actors with demonstrated track records of seeking and stealing IP from Western companies to their own advantage. These are not opportunistic criminals or isolated hackers – they are well-resourced, technically sophisticated operations backed by governments that view Western innovation as both a strategic threat and an opportunity for advancement.

Western governments, including the UK, US, Australia, New Zealand, and Canada, have been explicit about the scale and capability of certain non-allied nations as collectors of Western IP. The methods are diverse and evolving from traditional espionage to supply chain infiltration, from targeted recruitment of key personnel to sophisticated cyber operations.

For the deep tech startups in the NIF portfolio – companies working on advanced materials, autonomous systems, biotechnology, and other cutting-edge capabilities – the stakes couldn’t be higher. A single breach could compromise years of research, undermine competitive advantage, and potentially put Allied security at risk.

How PROTECT Operates: A Two-Phase Approach

The NIF’s PROTECT programme operates in two distinct modes, designed to address risks before and after investment. These are the best practices that we have developed based on the insights we have gained during the programme’s first two years:

Phase One: Pre-Investment Screening

Before any investment decision, PROTECT conducts an initial screening of every company the NIF considers backing. This isn’t a superficial review – it’s a comprehensive assessment focusing on potential links between the company and non-allied actors of concern.

PROTECT screens potential investments along four main vectors through which IP can be compromised:

1. Investment Structure: Who has invested in the company? Are there shareholders, board members, or financial backers with connections to non-allied states? Understanding the ownership structure helps identify potential influence or access points.
2. Personnel: Who is employed by the company, and could they potentially be either a risk or at risk of becoming a vector for IP exfiltration? This includes not just current employees but also advisors, consultants, and contractors with access to sensitive information.
3. Supply Chain: What is the company’s supply chain? In an interconnected world, dependencies on suppliers, manufacturers, or service providers in certain jurisdictions can create vulnerabilities that sophisticated actors can exploit.
4. Customer Base: Who are the company’s customers? Relationships with certain entities – even seemingly legitimate commercial partnerships – can create pathways for IP compromise.

PROTECT seeks to understand where connections to certain non-allied states exist and makes an assessment of exposure. Critically, this is not a binary decision. In today’s interconnected world, especially when it comes to supply chains, relationships can become entangled in ways that aren’t immediately obvious or easily severed.

The key is not just to assess risk but to propose ways for the NIF to mitigate it. A company with some exposure to non-allied actors isn’t automatically disqualified from investment – but the NIF needs to understand the risks and work with the company to address them before proceeding.

Phase Two: Post-Investment Support

After the NIF makes an investment decision, PROTECT’s role evolves from gatekeeper to trusted advisor. The relationship becomes ongoing and supportive, with PROTECT serving as a source of independent counsel for portfolio companies as they navigate an evolving threat landscape.

Portfolio companies regularly seek PROTECT advice on critical decisions, particularly relating to:

• New hires: When considering candidates with backgrounds that might raise security concerns, or when recruiting for positions with access to sensitive information
• New customers: When evaluating potential partnerships or sales opportunities that could create exposure
• New investors: Particularly relevant for funds of funds, when considering new limited partners who might seek access to portfolio company information

This ongoing relationship ensures that as companies grow and their circumstances change, they have expert guidance to help them maintain robust security postures.

Key Levers for IP Protection

PROTECT helps portfolio companies implement practical measures to safeguard their intellectual property. These aren’t theoretical frameworks – they’re actionable steps that create real barriers to IP compromise:

• Raising Awareness: The first line of defence is ensuring that everyone in the organization understands the threat landscape and their role in protecting company assets. This means regular briefings, clear communication about risks, and creating a culture where security is everyone’s responsibility.
• Developing Appropriate Security Protocols: Companies need robust protocols to safeguard people, assets, and information. This includes everything from secure communications systems to document classification schemes to procedures for handling sensitive meetings and discussions.
• Physical and Cyber Security Controls: Creating access controls on office buildings, implementing ID badge systems, ensuring that physical access to facilities is appropriately restricted based on role and clearance and maintaining robust cyber security defences.
• Building a Positive Security Culture: Perhaps most importantly, PROTECT helps companies develop organizational cultures where security is embedded in daily operations:
  • Line managers need to know their teams and be able to identify behaviours that might indicate someone could pose an insider threat
  • Access to information should operate on a “need to know” basis, with clear justifications required for access to sensitive materials
  • Systems should be in place to flag when individuals attempt to access information outside their normal scope of work

These measures aren’t about creating a climate of suspicion – they’re about building resilient organizations that can pursue innovation while managing risk responsibly.

The Reality of Risk

The threat is never zero. Sophisticated state actors will continue to target Western innovation, and some attacks may succeed.

PROTECT reduces risk and increases resilience. By identifying vulnerabilities before they’re exploited, companies are prepared to respond effectively, contain the damage, and recover quickly when incidents occur.

A Strategic Imperative

Protecting intellectual property is central to advancing the defence, security and resilience of NATO nations – it helps us ensure that innovations reach Allied forces before adversaries can steal them.

By providing rigorous screening, practical guidance, and ongoing counsel, applying insights from the NIF’s PROTECT programme can help ensure that innovations are protected by more than just firewalls and NDAs.