Our website uses cookies

Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing Infosecurity Magazine, you agree to our use of cookies.

Okay, I understand Learn more

Information security in China: A license to print money

The security software market in China is worth £98m and the network security market worth £230m.
The security software market in China is worth £98m and the network security market worth £230m.
Paul McKenzie, Morrison & Foerster
Paul McKenzie, Morrison & Foerster
Information security vendors will earn more than just their bread and butter in China.
Information security vendors will earn more than just their bread and butter in China.
There are over 200 million internet users in China.
There are over 200 million internet users in China.

There are more users surfing the internet in China without proper information security protection than there are broadband users in the whole of Australia. And yet the unprotected only amount to four percent of a total user base of well over 200m people.

"Foreign security technology needs to be localised and made local before it can be offered for sale in China."

Such are the vast numbers of internet users and potential users in China that it is no wonder firms have worked hard to unlock the Chinese information security market place. As one of the fastest-expanding economies, and thanks to the countless numbers of infrastructure projects and investments from international companies, China is expected to continue producing high demand for security products.

"Even with the global economic downturn, the Chinese infosecurity market is still expected to grow by 17% until at least 2013."

Absolute figures are difficult to come by and subject to analyst segmentation. However, Gartner research shows China was one of the fastest-growing markets in information security spending; expanding more than 30% in 2008. The information security software sector was worth £98m/US$153m (Gartner), and network security worth £230m/US$360m (Frost & Sullivan). Even with the global economic downturn, the Chinese infosecurity market is still expected to grow by 17% per year until at least 2013 (Gartner).

Gartner's top picks

From a user survey in the Asia/Pacific region, the top players chosen by Chinese respondents were Rising and Symantec. Rising is a strong local player and was also rated as the top primary information security vendor.

In Asia/Pacific as a whole, the top three information security software and appliance vendors are Symantec, Microsoft and Cisco, followed at a distance by McAfee, Trend Micro and IBM.

These top three are also the top primary vendors of survey respondents, with Cisco being No. 1 and Symantec No. 2. The ranking of the top three players in Asia/Pacific aligns with worldwide rankings in general, except in China.

Land grab

Despite the already burgeoning user base, much of that growth will come from new users and new entrants to the market.

Harry Cheung is managing director for Kaspersky, Asia Pacific. He's been focussing on the Chinese anti-virus market since 2005 and attracting new users to the Kaspersky product family is his primary concern. "We are selling our licences for a longer period, and I can afford to do that. If I was doing that in Australia, there is no chance of selling one licence for two or three years because the renewal market is very important.

"In China, renewals are less important. There are something like 20 million new users a year. Capture maybe 10 or 20% of new users and it's enough", he adds.

From a pure opportunity perspective, Cheung continues, "Even the small cities are bigger than the entire Australian market."

Local partnerships, global thinking

Teaming up with a local company in the early days of Kaspersky's China presence was a requirement by the Chinese authorities, but this adds a realistic perspective to foreign thinking, so should not be thought of as a disadvantage, says Cheung.

China and personal data law

According to Morrison & Foerster, The People’s Republic of China (PRC) still lacks a comprehensive legal framework to regulate the use and disclosure of personal data. While the introduction of a national, generally applicable data privacy law remains elusive, recent months have seen a resurgent, if piecemeal, legislative interest in the topic at both national and local levels.

Recent developments include:

  • An amendment to Criminal Law in February 2009 to criminalise the sale or other unlawful disclosure of personal data by government officials and employees in key industries.
  • The introduction by several provinces and cities of independent local legislative measures to address internet privacy concerns.
  • Further legislative progress of the draft Torts Liability Law, a long-debated measure with potentially important privacy implications.
  • Decisions by courts that help clarify when civil liability may arise under existing defamation rules if personal data is disclosed without authorisation.

Paul McKenzie of law firm Morrison & Foerster, Beijing office, says information security companies typically work with a local software development firm in China. "Foreign security technology needs to be localised and made local before it can be offered for sale in China. You need to work on it to change its character from an imported product to a local product", he says.

From a government perspective, this is not just about remaining in control of encryption and information security products, but it's also protecting local jobs and growing the skill's base.

"There is a significant body of legislation governing the establishment of subsidiaries of foreign companies. Chinese foreign investment law is still fairly restrictive. Chinese labour legislation is protective of employees and has been tightened up recently. Companies need to understand the rules applicable to the engagement and termination of employees. There is a long list of things that work differently."

Labour laws are not necessarily an example of restrictive practices, stresses McKenzie. "If you look at labour rules in the EU they can be restrictive too, for example in France. Rules work differently in China than they do in the UK, but if you were to sit down with a French lawyer there would be recognition of similarities."

World class education

China's impressive growth of computer-use is driven by a population well versed in science and technology. Partnering with local firms is a smart way of tapping into that expertise.

"The quality of engineering talent is believed to be some of the best in the world. This talent is helping push China to the forefront of new innovative technology."
Haifeng Gong

Fortinet's country manager for China, Haifeng Gong, says: "The Chinese culture is driven by an understanding that cuts across all classes and cities. Most parents believe education is essential for their children to secure a better future and contribute more to society. This mentality results in a competitive schooling landscape, in which science and mathematics are popular subjects for students.

"The quality of engineering talent is believed to be some of the best in the world. This talent is helping push China to the forefront of new innovative technology", he adds.

The quality of education is reflected in the percentage of Chinese that go online more than aware of the risks. According to a survey of internet users released by the China Internet Network Information Centre (CNNIC), by the end of 2008, over 96% used information security software. Around 70.5% had installed both anti-virus and firewall software, while 28% had used online anti-virus services.

Chinese security product legislation

Encryption Products

  • Office of State Commercial Code Administration (OSCCA) supervises the import, sale and use of encryption products.
  • The term ‘encryption product’ is not defined clearly and the potential range of products deemed to be an encryption product is broad.
  • At present, encryption regulations generally prohibit the distribution and sale of foreign developed encryption products in mainland China.
  • Foreign companies and foreign nationals may import and use foreign developed encryption products for their own use - subject to obtaining an import and use permit from the OSCCA.
  • Foreign invested enterprises in mainland China may import and use foreign developed encryption products for communications with overseas entities, subject to obtaining an import and use permit.

Security Products

  • The Public Security Bureau (PSB) is the administrative authority supervising the import, sale and use of security products;
  • 'Security products' are defined as "special hardware and software products that are used for the protection of the security of computer information systems".
  • For domestic distribution of a security product, the manufacturer of the security product must apply to the PSB for a sale permit. The product must be tested by an agency designated by the PSB.
  • Currently the import and sale of foreign developed security products in mainland China is generally permitted.

Wireless is King

Furthermore, many new users to China's internet services are bypassing the Western model of cable or ADSL and going straight for a mobile solution delivered wirelessly.

"How people use the internet and how they view it is somewhat different to how we see it in Europe", explains Anthony Walsh, director of enterprise risk services at Deloitte. "The portal provider, or the digital platform being used, provides a full blown service in terms of social networking, instant messaging and email. The portal model is much more prevalent."

Consumers want ISPs (Internet Service Providers) to provide information security packages as part of a service agreement, "There is no need for private software, consumers purchase by subscription from a number of extremely successful portals, or virtual personal spaces", he says.

Walsh argues this could be seen as a more advanced model than in the UK. "It's not so much a maturity as a convenience scenario. Consumers have gone straight to mobile platforms."

Vendors have to take the structure into consideration for sales and marketing. Kaspersky's Harry Cheung has forged relationships with ISPs, focussing on the point at which consumers connect. "I used local ISPs with hundreds of thousands of users providing email for free, and we put Kaspersky into their systems. Whenever users logged into their email they saw their email had been scanned by Kaspersky."

Strategies that work

It's a sales strategy Gartner's Matthew Cheung sees across the sector, "Chinese customers don't tend to buy anti-virus together with the hardware, and the OEM market for anti-virus programmes is not that large. Vendors go direct to the consumers and align with the telecom operators, and consumers purchase security from the telecom operator or broadband provider."

There is a similar one-vendor preference in the enterprise market. Gartner reports that, "Chinese companies seem to prefer one vendor for most applications", selecting providers of stand-alone, best-of-breed products only when the vendor of choice lacks strength in the required features.

Fighting against such a market structure with its huge user and relentless momentum is likely to be suicide. "Foreign companies that have been successful in China have managed to achieve a balance between adaptation to local practices, with the maintenance of basic standards and approaches that make sense in other jurisdiction as well", explains Walsh.

"The wisdom is in balancing good common sense with sensitivity to how things are done in China."

What’s Hot on Infosecurity Magazine?