The infosec market in China
At HSBC we never underestimate the importance of local knowledge. So says the Hong Kong and Shanghai Bank Corporation; Europe’s largest bank and one that, at the time of writing, is rumoured to be contemplating a move from London back to its origins in Hong Kong.
It is already the largest international bank in China, and the advice inherent in its advert is crucial for any company seeking to do business in China: understand the local culture and its differences to western culture.
Key to this is the Chinese attitude towards intellectual property. Yicun Chen, an intellectual property specialist and one-time assistant professor at Zhejiang University City College in China, wrote:
In contrast to individualism in the West, collectivism – a traditional and socialist value – substantially influences the cultural, social and legal areas in China. Collectivism has a long tradition based on Confucianism, which prioritizes the needs of the group over the rights of individuals. Historically, there was little protection of individual rights, especially in the intellectual property field. Copying and sharing created works without any compensation was widely accepted in traditional China.
The Impact of ACTA on China’s Intellectual Property Enforcement
This view is shared by Gartner principal research analyst Matthew Cheung. “Historically, because China has traditionally been ruled by the Emperor, the citizens don’t have ownership of their personal privacy or personal data – everything is owned by the government/emperor. Basically, the Chinese people don’t realise that they have the right to own data or privacy.” And if they don’t own personal privacy or data, neither does anyone else other than the state. So from the early days of Confucius, throughout the history of the empire, right to modern communist China, the driving force is the collectivist state and not the individual.
How does this affect the western company seeking to do business in China? “You have to understand,” explains Cary Conrad, Integralis’ president North America, “that to the Chinese mindset stealing is when you take something physical from one place to another. But if you’re just appropriating technology and copying it, that’s not theft, that’s good business.”
So at one level, taking product to China that is dependent upon intellectual property is a risky business – and let’s face it, security products are full of patented and copyrighted ideas. “There’s no moral problem for the Chinese to reverse engineer a chip by hooking it up to a test bed, sucking out the object code and then putting it back in another,” continued Conrad. “There are some smart engineers and there are some very smart people in that market.” And incidentally, this attitude could also explain the consistent suspicion in the west that the Chinese government condones cyber-espionage – it is, after all, just good business.
But the potential problem, and you should decide for yourself whether this is just hypothetical, could affect a company’s worldwide business and not just its business in China. Conrad again: “So here’s what’s going to happen; a firewall that does everything a Cisco firewall does in a miraculously similar fashion is going to hit the marketplace. Instead of costing $1000, it’s going to cost just 200 bucks. So the western integrator and distributor is going to look at this product and say, well I can resell this for a lower price and at a higher margin than I could resell a similar western product.”
It’s effectively the same product, but having been manufactured with China’s lower labour costs and with no R&D overheads, it can be exported to the west, rebadged by an OEM and sold without the buyer necessarily knowing it’s come from China. And all because of good business practices in China.
That’s the first lesson: if loss of intellectual secrets would seriously impact your business, think very carefully before going to China. But there are other problems. “I think the first thing,” says Gartner’s Cheung, “is the regulation about encryption technology. When you import your product into China – say a security product such as a router or a switch that has some sort of encryption technology – then you have to hand your encryption algorithm/technology to the Customs people. Many of our clients are concerned about this because they consider their encryption as a trade secret, and they don’t know whether the Chinese government will leverage that platform to steal their IP. This is one critical issue; but the government insists it is for national security – and that’s why it is with Customs and not the Ministry of Commerce. So far, vendors such as Cisco, are doing OK complying with this law.”
And then there’s the effort, and the sheer cost of that effort, to consider. For example, you must “have a local presence in China” explains Cheung. They call it the ‘legal person’. You have to register the company in China; and there are many other rules and regulations. If you operate a website you have to apply for a licence – an internet content provider licence. And you have to file your trademark, your patents, and copyright – you can’t just use existing overseas copyrights – you have to do it all again in China.
“Security companies must also look at the competition in China,” he adds. “There are many, many local vendors there exploiting the PRC [People’s Republic of China] market, both hardware and software; so you need to evaluate your market very carefully. The government sector is particularly sensitive. You might well be required to be 50% or more developed in China. So, if you are dealing with the Chinese government or its agencies, you will need to partner with someone else in China so that when you make up a deal you can be sure that about 50% of that deal, the costs of that deal, should come from China.”
“If you’re doing it for the first time,” adds Conrad, “it’s going to cost about five million bucks just to set up shop in China.” But if doing business in China is so difficult, why should we bother? “There are billions of people in China,” he says. Quite simply, the market is huge and getting bigger.
One of the biggest players in the Chinese infosec market, and with pretensions to become even bigger, is Kaspersky Lab – or more specifically, Kaspersky Lab China. Security researcher Konstantin Sapronov explained the importance of the Chinese security market. “Jia Juan,” he said, “the vice general manager of the Research Centre for Software and Information Service Industries at CCID Consulting, has said that the size of the information security product market reached CNY 9.294 billion [USD 1.41 billion; £0.88 billion] in 2009, with a 17.2% rise year on year.” It is predicted to reach a compound annual growth rate of 21.5% in 2011 and 2012. “CCID has further reported,” added Sapronov, “that the market is likely to enter a fast-growing phase in forthcoming years. Its size is estimated to be CNY 16.658 billion [USD 2.53 billion; £1.58 billion] by 2012, and it will enter a growth period after 2012.”
“In terms of the size of the market,” adds Cheung, “well, if you want to grow, China really is a mass market: very vast and very big – and it’s still growing. I think all of the risks are actually manageable. You have to deal with the IP issues, and you have to think about how to protect your IP. But recently we have seen a growth of IP litigation in China, with companies seeking to protect their intellectual property. And when you look at Chinese companies, they are actually very aggressive at filing their patents. Something like 80% of new patents are granted to Chinese local companies rather than foreign companies.
“Is it worth going to China? Yes, it is really worth going to China. You have to manage your risk in China; and you have to understand the culture and how the market operates and what is the competition; and all these things you must understand in order to make the right decisions. Because when China steps onto the world stage it will be the second largest economy in the world. And any major company that does not go to China will be irrelevant within a few decades. So I would say, to keep your business sustainable, you simply have to go to the China market.”
But it’s still a scary place if you’re not an IBM or a Cisco or a Microsoft. What if you’re a just a small, albeit thriving, niche security company? An Assuria, a provider of “automated vulnerability assessment, compliance, configuration assurance and log management solutions” for example? Assuria’s chairman, Terry Pudwell has had a close look at the market; and has decided, for now at least, not to go in.
“I looked at the possibility of building a channel in the PRC market; but I eventually shied away for a number of reasons. Firstly the IP issue – who knows if there is any real protection at all? Localisation is another issue – your costs are unquantifiable until the right partners can be found. ‘The legal person’ is a whole other area of concern; and the costs and effort required to travel to and build a business in China could be crippling.
“The bottom line I think for us,” he continued, “was that the perception, and it may only be a perception, is that China is too difficult and that there are other, easier markets to try to crack. I eventually decided that the only sensible way to progress in China, for a small company like Assuria, is to work with a major such as IBM!”
That’s what Assuria is doing – working with IBM China to bring its SIM/Log Management product to the PRC market. That might be the solution. If the IBMs of the world have to go to China, the Assurias might be able to go with them.