The Infosec Market in China: Proceed with Caution

“At HSBC we never underestimate the importance of local knowledge.” So says the Hongkong and Shanghai Banking Corporation, Europe’s largest bank and one that, at the time of writing, is rumored to be contemplating a move from London back to its origins in Hong Kong. It is already the largest international bank in China, and the advice inherent in its advert is crucial for any company seeking to do business in China: understand the local culture and its differences with Western culture.

The Chinese attitude toward intellectual property is key to this. Yicun Chen, an intellectual property specialist and one-time assistant professor at Zhejiang University City College in China, wrote: Collectivism – a traditional and socialist value – has a long tradition based on Confucianism, which prioritizes the needs of the group over the rights of individuals. Historically, there was little protection of individual rights, especially in the intellectual property field. Copying and sharing created works without any compensation was widely accepted in traditional China.¹

This view is shared by Gartner principal research analyst Matthew Cheung. “Historically, because China has traditionally been ruled by the Emperor, the citizens don’t have ownership of their personal privacy or personal data – everything is owned by the government/emperor. Basically, the Chinese people don’t realize that they have the right to own data or privacy.” If the Chinese people don’t own personal privacy or data, it is left in the ownership of the state. So, from the early days of Confucius, throughout the history of the empire, right through to modern communist China, the driving force is the collectivist state and not the individual.

East Meets West

How does this affect Western companies seeking to do business in China, then? “You have to understand”, explains Cary Conrad, Integralis’ president North America, “that to the Chinese mindset, stealing is when you take something physical from one place to another. But if you’re just appropriating technology and copying it, that’s not theft, that’s good business.”

So on one level, taking a product to China that is dependent upon intellectual property is a risky business – and let’s face it, security products are full of patented and copyrighted ideas. “There’s no moral problem for the Chinese to reverse engineer a chip by hooking it up to a test bed, sucking out the object code and then putting it back in another”, continues Conrad. “There are some smart engineers and there are some very smart people in that market.”

Incidentally, this attitude could also explain the consistent suspicion in the West that the Chinese government condones cyber-espionage – it is, after all, “just good business”.

But the potential problem, and you should decide for yourself whether this is just hypothetical, could affect a company’s worldwide business, and not just its business in China.

“So here’s what’s going to happen”, explains Conrad. “A firewall that does everything a Cisco firewall does in a miraculously similar fashion is going to hit the marketplace. Instead of costing $1000, it’s going to cost just $200. The Western integrator and distributor is going to look at this product and say, well I can re-sell this for a lower price and at a higher margin than I could re-sell a similar Western product.”

It will effectively be the same product, having been manufactured with China’s lower labor costs and with no R&D overheads. It could then be exported to the West, re-badged by an OEM, and sold without the buyer necessarily knowing it has come from China.

Proceed with Caution

That’s the first lesson. According to the experts Infosecurity spoke with, if loss of intellectual secrets would seriously impact your business, think very carefully before going to China. There are other problems too, warns Gartner’s Cheung. “I think the first thing is the regulation around encryption technology. When you import your product into China – say a security product such as a router or a switch that has some sort of encryption technology – then you have to hand your encryption algorithm/technology to the Customs people”, he says. “Many of our clients are concerned about this because they consider their encryption as a trade secret, and they don’t know whether the Chinese government will leverage that platform to steal their IP. This is a critical issue; but the government insists it is for national security – and that’s why it is with Customs and not the Ministry of Commerce. So far, vendors such as Cisco are doing OK complying with this law.”

Then there’s the effort, and the sheer cost of that effort, to consider. For example, you must “have a local presence in China”, explains Cheung. They call it the ‘legal person’. You have to register the company in China; and there are many other rules and regulations. If you operate a website you have to apply for a license – an internet content provider license. And you have to file your trademark, your patents, and copyright – you can’t just use existing overseas copyrights – you have to do it all again in China.

“Security companies must also look at the competition in China”, Cheung adds. “There are many, many local vendors there exploiting the PRC [People’s Republic of China] market, both hardware and software; so you need to evaluate your market very carefully. The government sector is particularly sensitive. You might well be required to be 50% or more developed in China. So, if you are dealing with the Chinese government or its agencies, you will need to partner with someone else in China so that when you make up a deal you can be sure that about 50% of that deal, the costs of that deal, should come from China.”

“If you’re [entering China] for the first time”, adds Conrad, “it’s going to cost about five million bucks just to set up shop in China”. If doing business in China is so difficult then, why should we bother? “There are billions of people in China”, Conrad says. Quite simply, the market is huge and getting bigger.

A Mass Market

One of the biggest players in the Chinese infosec market, and with pretensions to become even bigger, is Kaspersky Lab – or more specifically, Kaspersky Lab China. Security researcher with the firm, Konstantin Sapronov, explains the importance of the Chinese security market to a Russian company. Despite Asia-Pacific business contributing only 7% to Kaspersky Labs’ total revenue, this is their fastest-growing market.

Jia Juan, the vice general manager of the Research Centre for Software and Information Service Industries at CCID Consulting², has said that the size of the information security product market reached CNY 9.294 billion [$1.41 billion; £0.88 billion] in 2009, with a 17.2% rise year on year, Sapronov recalls.

It is predicted to reach a compound annual growth rate of 21.5% in 2011 and 2012. “CCID has further reported that the market is likely to enter a fast-growing phase in forthcoming years”, says Sapronov. “Its size is estimated to be CNY 16.658 billion [$2.53 billion; £1.58 billion] by 2012, and it will enter a growth period after 2012”.

“If you want to grow, China really is a mass market: very vast and very big – and it’s still growing”, adds Cheung who believes all of the risks China creates are manageable. “You have to deal with the IP issues, and you have to think about how to protect your IP. But recently we have seen a growth of IP litigation in China, with companies seeking to protect their intellectual property. When you look at Chinese companies, they are actually very aggressive at filing their patents. Something like 80% of new patents are granted to Chinese local companies rather than foreign companies.”

When in Rome

“Is it worth going to China? Yes, it is really worth going to China”, Cheung answers his own question. “You have to manage your risk, and you have to understand the culture and how the market operates and what is the competition; and all these things you must understand in order to make the right decisions.”

When China steps onto the world stage, he says, it will be the second largest economy in the world. “Any major company that does not go to China will be irrelevant within a few decades. So I would say that to keep your business sustainable, you simply have to go to the Chinese market.”

China, however, is still a scary place if you’re not an IBM or a Cisco or a Microsoft. What if you’re a just a small, albeit thriving, niche security company? An Assuria – UK-based provider of automated vulnerability assessment, compliance, configuration assurance and log management – for example? Assuria’s chairman, Terry Pudwell, has had a close look at the market and has decided, for now at least, not to go in.

“I looked at the possibility of building a channel in the PRC market; but I eventually shied away for a number of reasons. Firstly the IP issue – who knows if there is any real protection at all? Localization is another issue – your costs are unquantifiable until the right partners can be found. ‘The legal person’ is a whole other area of concern; and the costs and effort required to travel to and build a business in China could be crippling.

“The bottom line I think for us”, he continues, “was that the perception, and it may only be a perception, is that China is too difficult and that there are other, easier markets to try to crack. I eventually decided that the only sensible way to progress in China, for a small company like Assuria, is to work with a major such as IBM!”

That’s what Assuria is doing – working with IBM China to bring its SIM/Log Management product to the PRC market. That might be the solution. If the IBMs of the world have to go to China, the ‘Assurias’ might be able to go with them.