I agree with the spirit of your statement that no crime has occurred. But this isn't a case where someone just expressed a vague interest in a related topic of national security, but their specific intent to steal secrets and give them to an adversary. And then go ahead and interview at certain companies with that intent.
This would be like someone specifically (not vaguely) stating their intent to commit a violent crime and then spend months preparing for it. Yeah, law enforcement, please definitely follow up on that one.
They definitely can be. In the US there are many different ways in which they can overlap as a matter of law. There are myriad frameworks similar to ITAR that place a national security interest on trade secrets or block public disclosure e.g. patents (which effectively turns them into trade secrets).
Your average web dev probably isn’t familiar but navigating this is a routine consideration in deep tech.
Real, and quasi-real national security projects require more stringent background checks than the ones unnecessarily used in most "average web dev" [sic] recruitment processes, and some come with citizenship requirements. I know, because that's one of the reasons I don't work on such projects.
ofc, like in any security-related field, many are LARPing instead of practicing, and that's a different issue.
It is more nuanced than this. A startup is virtually never a "national security project" even if they end up involved in an actual national security project. The kinds of background checks startups do are the same as any other company in any industry. It has nothing to do with national security. There are many things that can factor into a citizenship constraint depending on the type of business.
A "real" national security background check requires support and sponsorship from a national government, and governments don't provide that casually to anyone that asks. If a startup finds themselves with national security customers, there is no requirement for the startup to go full-on Secret Squirrel but governments will calibrate their trust in the startup by how seriously the startup takes security and how diligent they are when vetting employees. It does not involve everyone getting a security clearance, which would not be possible anyway if the startup works with multiple national governments.
I find the opposite situation is more common in practice: startups that find themselves in the national security space are often naive about what constitutes a baseline level of security, vetting their employees, and the pervasiveness and character of espionage programs.
It is important to recognize that national security considerations are starting to affect startups that never go anywhere near national security customers due to escalating concerns and increased rigor around software supply chains. You may not have an interest in national security but national security may take an interest in you. This has ramifications for many software business models.
That’s not what the department of commerce thinks. Just giving information to a foreign national can be considered “deemed export” and get your company in trouble.
This would be like someone specifically (not vaguely) stating their intent to commit a violent crime and then spend months preparing for it. Yeah, law enforcement, please definitely follow up on that one.