[Note: below is Chapter 13 from Great Wall of Numbers]
At the various schools, colleges and organizations I have worked at on the mainland, each facility was staffed by employees with a diverse range of technical abilities. In addition, the equipment ranged from slightly dated to cutting edge. While I have had the chance to work on a SugarCRM and Drupal wire frame development project domestically, I think some general statistics will give you a better idea of the size, scope and marketshare of the software and IT service industries in China.
According to their 2012 annual report, the Ministry of Industry and Information Technology estimated that China’s software and information services in 2011 had an output of $60 billion, “up nearly 40 percent year-on-year.” IBISWorld estimates that the entire software and IT industry in China “generated revenue of $284.02 billion in 2011, up 35.1 percent from 2010.”
For perspective, India’s business process outsourcing and IT industries generated $100 billion in revenue in 2011.
In terms of BPO growth – which is commonly called offshoring in the West – NASSCOM estimates that Indian firms generated $11 billion in BPO revenue in 2008 and $32 billion in 2012. In comparison, by one estimate the Chinese BPO sector “generated revenues of US$3.52 billion in 2009.” Another estimate, by XMG Global, shows that Chinese outsourcing firms generated $43.1 billion in revenue in 2012 (compared with $63.2 billion in India).
Since its humble beginnings as an importer of DEC computers in the late 1970s (e.g. the PDP-7 minicomputer) China’s software development and IT services industry have grown dramatically and by one optimistic estimate, could generate $635 billion by 2015.
Yet for perspective, the US software industry generated $261 billion in 2007 and the ten largest US software companies alone generated over $235 billion in 2010. Furthermore 63 of the world’s largest software companies are headquartered in the US compared with 2 in China.
Big numbers, big opportunities
What this means is that for US-based firms, there are numerous opportunities to provide both software and related-services to the Chinese market. And while market access and intellectual property (IP) infringement issues continue to dominate bilateral forums, there is still potential for foreign firms – especially those that focus on services – to gain substantial market share.
For example, in November 2012 I spoke with Larry Chang, the CEO of Pro-Lambda Solutions which specializes in Computer Aided Engineering (CAE) solutions and provides CAE software packages. Chang is originally from Taipei and had spent 25 years working in the CAE industry including in the US. After conducting due diligence, he created a startup in Shanghai five years ago based on some surprising market research: there is no domestic CAE software company that actually develops and sells its products abroad (yet). Or in Chang’s words, “zero engineering software products that are made in China are sold outside of China. As a consequence everything is by-and-large still imported from other countries. Obviously, something is missing here; if and when we can provide this missing part to the society, the economic payback will follow. That is the opportunity we see and value.”
This is not to say that Chinese individuals and software companies do not make innovative or exportable software. For example, Kingsoft (金山软件) is a Chinese developer that develops antivirus software and a office productivity suite called WPS. It has 50 million monthly active users globally. Internet giant Baidu recently invested in the firm as well. Similarly, local software engineers like Ni Chao, a developer in Beijing, can and do create innovative solutions to large-scale problems such as purchasing train tickets during peak hours. Innovation takes place outside of the computer world as Reuters recently aired a story about various inventions used by migrant workers on their long journey home during Spring Festival, such as a local designed “seat sleeper” that enables passengers without beds to sleep on a mobile tray that can be leaned on. And in another fulfillment of Plato’s dictum “necessity is the mother of invention,” The Telegraph discovered a Chinese man of modest means who hand-built a working dialysis machine that has kept him alive for the past 13 years.
Yet Arthur Kroeber, founder of the research firm Dragonomics sees scalability issues even with this promising amount of creativity. In March 2013 he told a literary panel in Beijing that, “What’s sad is the amount of creativity you see in China is phenomenal but it’s not always directed in ways that are ultimately productive.” He likened it to figuring out how to create homemade solutions to a car whose parts are no longer on the market, yet running into problems trying to create “innovative solutions which are scalable throughout the entire world.”
As a consequence, Chang’s long-term vision is to become the first mover, to build and design engineering software in China which is then exported abroad. There is a small twist to his strategy. One of the problems he (and others like David Veksler cited later) have noted is that if you build and try to sell a product in China, most Chinese consumers will consider the quality is of lesser value. That a product is perceived to be “better” if it originated from a foreign country is a stigma that Chang is hoping to reverse. Thus in August 2012, Pro Lambda began selling its software solutions to the international market with the intention of giving his team experience, credibility and real-world feedback, before they attempt to sell directly on the mainland.
While traditional software solutions may be a risky business, services also have its share of challenges. According to Chang, “one of the problems with the service industry as a whole and the software industry in particular is that this value added service is relatively unknown – and quite a suspicious concept to most Chinese consumers and businesses. For example, upon buying your software they often think ‘why do we have to pay for your services since we just bought your software? You owe me, not the reverse.’ Thus, this is a long-term challenge but I think enterprises and developers have begun making inroads as a younger generation of consumers has begun to understand the importance and value of this business model.”
There are also a few reasons why this lack of engineering software exports exists. Yet according to Chang, this absence presents an opportunity for those willing to do the training needed. For example, he notes that “software architects continue to live and work outside of China as do nearly all software product managers and development facilitating teams. As a consequence, what has moved to China in the past decade is the ‘digital assembly line’ – coders and programmers are pretty much all that currently exists. These coders and programmers are overseen by a project manager who coordinates with the foreign-based research and development office. Yet, there is no facilitating team and no product team for engineering software on the mainland.” Chang’s comment about a dearth of software architects was recently echoed by Ji Yongqing. Ji is a technology author on the mainland who noted that while there are many programmers in China, relatively small amounts of resources are put into long-term projects to generate high-end skills, ideas and fundamental software research. In his words, “Even now in the internet industry, everyone talks about product managers and no one talks about software architects, but in truth the two are equally important.”
Furthermore, there are at least two systemic issues for this phenomenon as David Veksler (see below) and Chang both note: the first is that most Chinese students typically did not participate in team-based activities throughout school. Thus when they are required to work as a team on larger scale projects, they often have difficulties adjusting to cooperation-based tasks – because they have been culturally raised to always compete and silo off information that can be traded and exchanged like currency. Or in other words, whereas many Western education systems encourage teamwork and cooperation, older generations in China were taught a different style which relies more on trust networks (e.g., only share information with those you know, with whom you have guanxi) instead of “being a team player.”
Another key issue which is being addressed and discussed at every level and corner of Chinese society is fostering innovative thinking and creativity – taking the initiative to “think different” (see Chapter 20 too). Yet there is a Chinese phrase that describes and explains why this same phenomenon is being repressed (and one that many Westerners are familiar with): 树大招风、枪打出头鸟or in English, “the stake that sticks up gets hammered down.” There are numerous requirements to build a “creative class” – yet there are also numerous cultural and institutional hammers that prevent this from germinating and blossoming on the mainland. And while rote memorization and a lack of institutionalized ‘free thinking’ (e.g., ‘free expression’) are typically cited as the two main reasons, there are a number of additional factors that explain the constraints on domestic creativity, those would fill volumes if fully discussed.
Yet to be even handed, this is not to say that Chinese people are not creative or innovative. For example, there is an entire industry of shanzhai (山寨) products such as customized smartphones which are cobbled together in a MacGyver-like fashion (though some segments are being shut down). Similarly, web services such as Sina Weibo actually made it very easy to find and maintain trackbacks which illustrates indigenous ingenuity. On that point, Gary Wang, founder of Tudou (a video streaming site that merged with Youku last year) recently told The Wall Street Journal that Chinese incubators, app-makers and innovators actually have cutting-edge, top-quality ideas comparable to those in Silicon Valley. However in his view they fall short due to a lack of experience and skills because of “the educational system and shorter start-up culture.” Thus there is long-term potential as Larry Chang noted, for utilizing and training local talent for research and development.
Later on in this chapter I discuss trade secrets and IT security issues, but one real-world case study that entrepreneurs should be aware of is what Chang himself faced several years ago. His sales team abruptly left and took corporate proprietary information with them and as a consequence his sales bottom line was “burned.”
Instead of offering higher pay and enforcing stricter rules, he simply showed the predicament of the start-up company to his employees. What he does is explain to each employee that while they could become temporarily richer by leaving and selling proprietary information, if they stayed and continued to build the company the results and rewards would be substantially larger in the long-run. Thus he considers his employees as partners, not employees – continuously trusting them with vital information while painting a picture of the future in which they are compensated significantly more than they might have otherwise in the immediate short-run. As a consequence, Chang figuratively keeps the door open for all staff and is certain that any proprietary information that does leave would find little market value due to his focus on branding (i.e., why buy a pirated copy of software for the same price as the legitimate software?).
And while it remains a challenging market, as he also noted that “while a younger generation of engineers are willing to buy some types of software and government institutions are required by law to stymie digital piracy, many of the top enterprises, institutions and organizations on the mainland still typically use pirated copies and do not feel bad about it. This presents an opportunity though and I do not begrudge them,” Chang said, “for example, in order to export a product domestic firms will have to eventually benchmark it with a legitimate copy of the software in order for foreign customers to trust its quality. As it stands now, piracy is a form of free marketing and advertising. As subsequent generations of users adopt and use the software they will begin to trust the product and eventually buy both the product and support services. Take Hollywood films for example. If copyright enforcement and penalties had been very strict, it is highly likely that no one would have watched the films to begin with.” This last point is germane to the rapid growth of video stream sites like Youku, who arguably would not have gained preeminence if they had not stored and streamed copies of Hollywood films (Youku has now signed agreements with every Hollywood studio, see Chapter 14 for more).
As a consequence, after hiring his first software architect five years ago, Chang’s firm now has about 30 employees, with growth rate targets of 30% annually, the profit of which is recycled and reinvested back into the company.
In December 2012 I spoke with Richard Qi, the director of SR Force Consultants, a Brisbane-based software consulting firm that focuses on providing SugarCRM solutions to the Chinese marketplace – specifically to joint-ventures and foreign-owned firms. CRM stands for customer relationship management; it is a type of organizational and productivity software that creates a streamlined method for tracking, converting and managing leads and is used at nearly every large enterprise in Western countries. Qi is originally from Dongbei (中国东北) and worked in Australia for 10 years before returning to the mainland two years ago. According to him, “while there is a lot of growth potential, one of the challenges to providing technical services and solutions is that many local firms simply have not done the necessary due diligence to implement and fully utilize a lot of the software and services they purchase. For example, SAP implementations have a roughly 70% failure rate on the mainland (e.g., initial production goals were unmet) because local customers and decision makers typically do not know what to do after the software is installed and integrated.”
Thus one of the reasons why Qi caters to joint-ventures and foreign firms is that, “they usually have detailed operational meetings and specific milestones providing both their internal IT team and external contractor with the necessary requirements gathering to build and use the functionality of the system. They know what they are getting into. In contrast most domestic customers are not fully cognizant of the limitations and features of their IT department let alone something more complex like a CRM system. They may know how to run and synch a Windows server with Outlook yet they typically do not have the necessary enterprise management skill base to utilize some of the more complex packages and projects that are initially funded and installed.”
Thus in his mind, one opportunity that service firms such as his provides is “filling in the blanks with locally sourced expertise. We hire all of our consultants locally based on both bilingual abilities and technical proficiency. Yet services such as ours do not have to be strictly focused on CRM; business consultancy in general is about delivering value to customers and not necessarily every functionality imaginable.” Yet one of the challenges is that “many local businesses are family managed so they typically do not have the training necessary to make long-term strategic growth plans – they are focused on immediate short-term profits that result in millions of different business paths that are often counterproductive. In the past when we have provided solutions to these local firms, the initial service requests typically involve functionality issues (“do you have a PDF convertor”?) rather than strategic long-term issues (“how to distinguish a lead from a contact?”). As a consequence, a challenge that other service firms will face is that if they focus solely on domestic companies, your firm may become part of an endless feature-focused loop that prevents your firm from growing and keeping pace with your international peers.”
Another issue that Qi explained and is not necessarily endemic to China is budgeting constraints. Often time because enterprise software implementation is new to most domestic firms, the allocated budget is usually not adequate. For example, in projects like implementing a CRM typically for every $1 spent on software, $2 needs to be spent on services just in case new modules need to be added or modified or technical support issues crop up. Yet due to aggressive timelines, many firms face budget overruns that can prevent the systems from working efficiently or providing value to the end-user.
Another challenge for software makers in general is that, irrespective of trade secret issues, a large portion of traditionally developed software (e.g., shrink wrapped packages) has already been emulated, copied and installed at Chinese enterprises. For example, one estimate of the bootleg rate in China is 77% (down from 92% in 2003).
So where does that leave your firm?
Perhaps your company can build out cloud computing on the mainland. For instance, according to IDC, $286 million was spent on cloud-computing specific infrastructure in China in 2011 and this is expected to increase to $1 billion by 2016. There are currently 430,000 data centers and more than 5 million servers on the mainland. Furthermore according to IDC, over the next five years the cloud computing data center market as a whole on the mainland “is valued at 2 trillion RMB ($320 billion).”
In terms of specific build outs, Jingdong Century, owners of 360buy.com (a leading e-commerce site on the mainland), recently invested 4 billion RMB ($750 million) building two new datacenters and in January 2013 opened a new cloud R&D facility in Beijing. In September 2012 Baidu announced that it is investing $1.6 billion in building a cloud computing center. In March 2013 EMC, an information management company, said that it expects to land 1,000 projects over the next five years by focusing on niche segments like healthcare and education in over 300 cities on the mainland. Also in March, the Weather Company International, producers of the Weather Channel, announced that it would further expand its cloud and data services on the mainland where it already has more than 35 clients. And in addition to the Kyocera’s newly launched cloud-based network security services other firms like the Alibaba Group (Taobao, Tmall, Alibaba) are already among the leading local cloud service providers as its sites host tens of thousands of storefronts for SMEs.
During my interview with Eric Azumi, vice president of information services at EF (see Chapter 9) he noted cloud computing as one area on the mainland ripe for opportunities primarily because local players are still largely fragmented, inexperienced and unfamiliar with international ‘best practices.’ For example, due to various legal issues (see below) it is difficult for foreign companies to set up and directly own a data center on the mainland. Thus Salesforce.com built a new center in Japan and Europe because according to Azumi, “there is no big money for the cloud China for the largest international participants at this time but there probably will be in the future.” Yet concurrently he sees abundant openings for experienced foreign firms to still come in and train and provide other ancillary services to this segment.
One word of caution however, “[f]oreign companies that wish to operate cloud service in China must have governmental license.” As a consequence, Microsoft actually leases room in a China Telecom’s data center and outsources data management to a local firm, 21Vianet. And Amazon recently suspended their cloud rollout due to these regulatory requirements. Thus foreign firms specializing in cloud services should investigate the necessary legal requirements before entering this segment as well.
While moving to the cloud is increasingly popular, another area where US expertise and experience still thrives and cannot be easily copied is support services. For example, Gartner forecasts software-as-a-service (SaaS) reached $14.5 billion globally in 2012, with US-firms taking the lions share at $9.1 billion. And Parks Associates estimates that the US tech support industry will “grow from $9.6 billion in 2011 to more than $20 billion by year-end 2015.” Can you or your company provide such services?
There is an app for that
Another potential area for US and foreign software companies is modifying their iOS and Android apps for the Chinese market. As I mentioned in Chapter 6, China is now the world’s largest smartphone market, overtaking the US this past summer. In addition, there are certain demographic groups, such as the elderly (aged 55+) that have been thus far overlooked for targeted apps, specifically games.
What is the breakdown for app ecosystems?
While iOS remains relatively popular within China at more than 17% market share as of Q2 2012, more than 80% of all smartphones sold within China were Android-based. And in Q3 2012 Android marketshare on the mainland reached 90.1%. This mirrors global adoption rates, as of November 2012 Android-based devices now account for 72.4% of the global market (iOS is 13.9%). Unsurprisingly this has brought the total Android ecosystem to more than 50% total market share in China. This has also led Eric Schmidt, chairman of Google, to actively woo Chinese developers to the Android ecosystem. Yet despite this huge potential market, nearly all of these Android phones have been stripped of Google ad-supported services as well as Google Play – replaced by custom 3rd party applications and app stores. In fact, 80% of Android phones in China use a preinstalled version of the Baidu-powered search tool instead. Or in other words, modern smartphones with Chinese characteristics.
What this means is that for US app developers, there are some opportunities to port and translate their apps and games to the Chinese market. For example, as I also mentioned in Chapter 6, in terms of smartphones and tablets, less than 10% of the Chinese user base are older adults (55+). This same demographic group comprises 7.1% of gaming and entertainment app users compared with substantially larger percentages in the US.
How much larger in the US? For instance, while a Pew Internet study found that only 13% of those ages 65+ in the US had a smartphone, Nielsen reported in May 2012 that in the US, “more than 50% of those who play FreeCell, Solitaire, and Hearts are over the age of 55.” And a June 2012 study from Forrester research found that 44% of US seniors play solo games online.
In contrast, according to their 2010 report from IDC, only 7.1% of those aged 50+ in China played games. More specifically, in terms of online chess gamers and mobile gamers, those older than 50 comprised 5.7% and 2.4% of all players respectively. Or in short, your grandparents and their peers frequently play computer games yet few software firms design games specifically for them, let alone for their Chinese counterparts.
While there may be cultural reasons for such a dramatic difference (7.1% in China versus 50% in the US), in my own anecdotal experience of walking through the parks and streets throughout the cities I have lived in, elderly Chinese seem just as apt to play memory games, dominoes (mahjong) and poker-style games as their Western counterparts. And according to China Daily, “the turnover of China’s mobile gaming market is soon going to hit 5.2 billion yuan ($835 million) as the number of players reach 270 million.” Thus in the long run even if the adoption and penetration rate remains relatively low for the elderly demographic group, 7.1% of 202 million (the number of elderly currently in China, see Chapter 18) is a potential niche market for future growth.
And as I mention in Chapter 6, in general, developers looking to port their apps and games over to Chinese markets should consider modifying the games to include Chinese traditions, symbols and cultural tie-ins – or in other words ‘Western video games with Chinese characteristics.’ For example: the color red, number 8, and the Chinese knot (Zhōngguó jié) are all considered lucky. Perhaps creatively integrating these symbols into your game would prove popular, just as Kung Fu Panda was (see Chapter 14). And since Macau now generates more than six times as much as gambling revenue as Las Vegas (Macau overtook it in 2007) maybe there is a legal way to capture this market. Or rather, because gambling is popular across all demographic groups perhaps designing a social gambling game or non-monetary betting app would find success across the mainland.
Based on the wide variety of demographic groups playing games on the subway in Shanghai and Guangzhou and standing in line at restaurants, casual games such as those from PopCap (e.g., Peggle, Bejeweled, Plants vs Zombies), Imangi Studios (Temple Run), ZeptoLab (Cut the Rope), Halfbrick Studios (Fruit Ninja) and Rovio (the Angry Birds series) are also popular. In fact, “Cut the Rope” has more daily users in China than any other country and according to the Financial Times, “around a quarter of all Angry Birds downloads are conducted in China.” It is so popular in fact that Rovio recently turned Shanghai’s skyscrapers green to market their new product and simultaneously launch a native version for the Chinese market.
Another advantage US-firms currently have in porting their apps to the Chinese marketplace: English is the 2nd largest language in the Chinese iOS app store. And this presents an opportunity for Western developers: in their September 2012 report, Distimo found that after introducing a native language app, their “download volumes on the iPhone [increased] by more than 128 percent during the next week that followed.” And sales revenue increased by 26 percent in the same week. Either way you look at it, even if your company does not create a Chinese-version of its apps, the potential competitive marketshare even in English remains in reach of your company.
Understanding the market
You might be asking yourself, how does the app store function in China? Are they run by Apple and Google and are they censored?
Apple opened its first official app store in China on October 27, 2010. By June 2011, China became the second largest source of app downloads for Apple. And China sales for Apple products and services now accounts for 15% of Apple’s total revenue, $23.8 billion in fiscal 2012. In fact, Apple is actively courting Chinese developers by translating their tools and guides into Chinese. In addition to the large Android userbase, there are more than 70 Android app stores in China, which is estimated to eventually consolidate down to 10 within the coming years.
In terms of censorship, as reported by the New York Times, Apple has been selectively censoring applications in its app store based on requests by the government. And because of Google’s on-again-off-again legal fights with Chinese regulators, it is oftentimes unclear of what is being censored in the Android marketplace. For instance, in the fall of 2011 there was a week-long period in which both the Android marketplace and Gmail application worked intermittently. This occurred once again in the early parts of the summer and fall of 2012 yet service was restored in both cases.
This also raises another visceral point. Despite its off-and-on wrestling with Chinese regulatory authorities, with a mere 4.72% search marketshare, Google’s revenue in “China’s mobile-app ad market will probably more than double to about 1.8 billion yuan ($283 million) this year , exceeding the 1.2 billion yuan from mobile-search queries.” In fact, despite these ongoing disputes with Chinese regulators, Google is “still the 3rd largest advertising revenue generator in that country doing $640 million a year (annualized).” And despite being hard to access at times Google has roughly 15% of the search engine market on the mainland. If they can achieve this in the face of never ending challenges, then your firm has potential as well.
An app that helps find customers
Over the past 18-months Windisch-based coresystems has been working on a cloud-based digital assistant called Mila (an app) that was a finalist in the GMIC G-Startup competition held in October 2012.) Mila allows entrepreneurs and SMEs to create an online assistant and unified online store front which is hosted on the cloud for free. The assistant (Mila) can then search social media sites like Twitter to look for potential customers based on what your company provides as services. And once a match is found, it then guides you through a streamlined sales process including invoicing using a smartphone.
In October 2012 I spoke with Andrea Chang, the marketing manager for Mila’s branch in China. According to Chang, in their effort to localize the brand on the mainland, Mila has partnered with China Unicom (the second largest telecom company in China). Together they have modified Mila to integrate with Sina Weibo (which I noted in Chapter 12 is the world’s 2nd largest microblog site) and Alipay (the largest online payment provider on the mainland). According to Chang, “the process of opening an online shop is one of the easiest and cheapest ways to generate leads and do business in China. Using an integrated chat feature that allows customers and business to speak directly to one another, Mila not only communicates directly with your customer but also conduct all transactions, including invoicing.”
Chang also noted that because of the wide proliferation of smartphones and social media in China that one of the advantages of using Mila is that its cloud based transaction model substantially lowers the sales cycle costs (e.g., locating potential customers) while simultaneously providing customer service (e.g., by storing customer contacts). This in turn allows entrepreneurs and SMEs to compete more on service instead of spending resources on search-engine optimization (SEO) or virtual store fronts.
So how does this help foreign companies wanting to do business in China?
Again, as mentioned in Chapter 12, before your company even establishes a physical presence on the mainland, you can use Mila and other services like Wildfire to search and discover the potential customer base for your company’s products and services. And as I mentioned in Chapter 12 as well, because Facebook and Twitter are currently blocked on the mainland, you will need a way to localize your customer search to Chinese web services. Solutions like Mila and Wildfire makes the process easier for your team, even if you are unfamiliar with Chinese customs and culture.
Securing your network
Cybersecurity is a sub industry that is often overlooked and dismissed by many businesses in China. It has not helped that some media outlets resort to hyperbole to describe the real – and sometimes imagined – dangers for all firms with insecure IT networks. For example, in July 2012, General Keith Alexander director of the NSA announced that up to $1 trillion in cybercrime damage was done globally each year. This figure was later debunked. Yet determined hackers – both domestic and foreign – can and will compromise trade secrets and other proprietary assets typically without being caught. Because a lot of theft and digital espionage goes left unnoticed it is very difficult to guess how much damage cybercrimes create. However in September 2012, Symantec released arguably one of the most extensive studies related to cybercrime and estimated the damage to be $110 billion a year globally.
How does cybercrime affect China, Chinese business and foreigners doing business in China?
In March 2012, Businessweek published a widely circulated report about corporate espionage of a US wind turbine supplier (AMSC) conducted by its Chinese client, Sinovel. In short, while AMSC attempted to isolate its trade secrets and proprietary software code outside of China (using an ‘air gapped’ facility), Sinovel still managed to use social engineering (e.g., bribery) to lure one of AMSC’s key Austrian-based programmers to China. An ‘air gapped’ facility in their case meant the proprietary code – “secret sauce” – was only accessible at a workstation that was not connected to the internet. Using the ‘defense in depth’ IT security strategy (e.g., multiple firewalls and secure zones nested within one another) AMSC purposefully built this facility with the sole intention of building a physically isolated silo that could not be easily compromised. While the case is still being fought in court, this is not an isolated instance. According to Akamai, a leading content-delivery network provider, in Q3 2012 one third of all cyberattacks originated from China (the US was second with 13%). All told, since 2007 the FBI and the Justice Department have opened more than two dozen cases involving trade secret, economic espionage and embargo circumvention restrictions involving Chinese contractors and individuals.
One solution – a drastic solution – was detailed by the Washington Post in 2011. They interviewed several American executives who frequently traveled between the US and China each year for a variety of meetings. A few of the executives had a straight forward security solution: buy a new iPad before flying to China, download all of the needed information from the cloud and then never use it again (e.g., throw it away). Another simple low-tech, yet increasingly popular solution is to simply no longer provide external media outlets like a USB in a terminal with access to sensitive information. In fact, in some IT security circles, one nickname for the USB is now “Ubiquitous Security Backdoor” due to this chronic problem – the ease in which sensitive information can be removed with a flash drive or in which malware can be conveniently installed, such as Stuxnet and Flame.
But what if the hackers simply move and setup shop overseas in your hometown? In May 2010, NetworkWorld ran a story about an ongoing espionage attempt by unknown Chinese operators and a large US firm in the Midwest. Similarly, according to a recent Bloomberg story, right before its attempted $2.4 billion acquisition of Huiyuan Juice Group fell through, Coca-Cola was hacked in 2009 by a Chinese hacker group dubbed Comment Crew. While it is unclear whether either of the espionage activities was successful, the threat of domestic and foreign hacking should motivate your company into proactive risk assessment – even if it does not plan to operate overseas.
Yet it is not just US firms that are on the losing end of cybercrime. According to the same McAfee study above, malware and phishing attacks cost Chinese consumers $46 billion in 2011, twice as much as the US. The Ministry of Information Technology and Industry published a report that said “in 2012 alone that foreign hackers used viruses and other malicious software to seize control of 1,400 computers in China and 38,000 websites.” In fact, according to the Anti-Phishing Alliance of China (APAC) between January and November 2012 there were 24,535 phishing websites and scams targeted specifically at China’s online populace. In addition, in just a matter of weeks into 2013, a new virus called “Bill Shocker” has already impacted 620,000 users in China targeting the popular QQ messenger (see Chapter 12). In another instance, there was a 47% month-to-month phishing surge during Single’s Day (11-11) in November 2012. This is the biggest online shopping day of the year as mentioned in the previous chapter. Furthermore, Rising Information Technology, a web security company located in Beijing, estimated in a January 2013 report that nearly 200,000 Chinese websites were hacked in 2011 and at least 60% “of the attacks targeting China’s large companies, government, and scientific research institutions come from overseas.” According to Rising’s report, because Internet security typically is overlooked “[a] growing number of Chinese companies are turning to overseas Web security companies for protection, a move which still leaves them vulnerable to attacks.”
However with these challenges come opportunities for foreign security experts such as David Veksler, CEO of CryptAByte based in Shanghai. In October 2012 I had a chance to talk with him regarding some of the key opportunities in China’s nascent security industry. He noted that “Chinese companies and foreign firms doing business on the mainland are equally in need of information protection. Since retooling and retraining in business is increasingly based on software, losing proprietary information and trade secrets to any competitor, irrespective of physical location, can lead to losing your competitive advantage in innovation.” Later in Chapter 20 he explains several other challenges and opportunities, but according to him, there are numerous possibilities for security experts since SMEs on the mainland are typically unaware of IT vulnerabilities such as zero-day exploits. Zero-day exploits (or day zero) are threats and attacks that take place on the first days of a discovered vulnerability, before a developer patches the hole(s). Thus according to Veksler, security consultants can help train mainland-based IT departments on ‘best practices’ and preventive measures that Western firms have learned the hard way with.
How does this work in practice? For example, the world economy is shifting from capital intensive retooling which typically involved heavy machinery, to rapid prototypers and 3D printers (see Chapter 7). This means that capital tools are now software. Thus if you want to steal a new factory in the 21st century, all you really need to do is pilfer software. As a consequence, the theft of entire industries could conceivably take place, allowing perpetrators to simply take the data to the cheapest country (e.g., based on land and labor costs) and eat into the marketshare of the original innovator.
This cloak-and-dagger industrial espionage is in Veskler’s words, “actually becoming a prime motivator for innovation. While competitors could learn trade secrets through hiring former employees or reverse engineering, because you are never quite sure if someone has hacked into your systems or used social engineering – like Kevin Mitnick did – to gain access to proprietary information, every incumbent must now continually innovate. Otherwise their competition could use a stealth startup and out-maneuver you with your own confidential information.” In economic theory, when a firm is successful it sends profit signals out to the marketplace (e.g., by satisfying consumer demand you become profitable and other participants take notice). As a consequence, because the firm realizes it will eventually draw competition with these “signals of success” it has to always keep striving to improve and innovate.
Kevin Mitnick was a hacker in the 1980s who used social engineering (e.g., manipulating secretaries to give him secure access) to compromise corporate networks such as DEC and Motorola. Samuel Slater, known as the father of the Industrial Revolution in the US, was born in the UK. He was an originally an apprentice at a cotton mill based on Richard Arkwright’s design near Cromford Mill in England. When he immigrated to the US, he later used a design similar to Arkwright’s to kick-start the American Industrial Revolution. This a common risk noted Kent Kedl of the consultancy Control Risks, who recently told The Economist that, “The easiest way to get intellectual property from a firm is by buying or renting an employee inside it.” Thus, a stealth startup today could conceivably appropriate proprietary information (e.g., CAD models, engineering designs) via social engineering, hiring or hacking, build a warehouse in a developing country where resources costs are relatively low, and fill the warehouse with 3D printers. Then in turn, export the products to world markets. Some of the practical issues involving VPNs for corporate environments, such as preventing industrial espionage, are discussed later in Chapter 20 as well.
During my February 2013 interview with Shaun Rein, founder of China Market Research, he noted that “for any company in the world, internet security is an increasingly important issue. And especially in China I think a lot of MNCs are continuously worried about protecting IP. As a matter of fact, our firm recently received an RFP [Request for Proposal] from a very large internet company building a marketing expansion strategy on the mainland. As part of the proposal we are supposed to disclose our firm’s security issues to make sure we are a reliable partner to work with. In other words, to prevent any proprietary information from being leaked by a vendor they are modifying their risk management to hedge against the possibility of being hacked. The flip side of this is that there are currently no large barriers to entry for doing internet security consulting because the government is very supportive of intellectual property transfers at this level. At the same time, it may be more difficult selling antivirus software directly because then you would be competing with domestic forces and local firms like Kingsoft. But services such as IT security are quite open.”
In January 2013, internet giant Baidu announced that it was investing in Kingsoft, makers of antivirus software (and an office productivity suite). At the beginning of this year, several media outlets such as Businessweek have released additional reports covering Comment Crew (see above), also known as ATP1 (which may be the same as PLA Unit 61398) which has purportedly hacked into nearly 150 companies and organizations in more than a dozen countries over a period of 7 years bringing this IT security issue to the attention of more stakeholders such as MNCs.
And with all of these local and international security issues laid bare, for another perspective one should also consider the comments from General Electric Vice Chairman, John Rice who recently explained that, “Despite hacking and other issues in China, foreign companies need to be there, due to the country’s potential as the world’s biggest marketplace. The greater risk lies in staying away.” Without going into details, GE is purportedly “improving how it handles threats to its information.” Thus eternal electronic vigilance may be the new normal but it is something that your competitors (both domestic and foreign) will probably have to overcome as well.
Takeaway: The software development, IT support and security services industry is both alive and growing at a fast pace in China. US firms relying on traditional revenue models such as selling shrink wrap packaging will need to modify their business model for entry into China. This may come in the form of cloud computing and software-as-a-service. Yet either way their expertise and quality management – even at higher costs – are still marketable within China. In addition, US firms specializing in developing apps have yet another revenue stream they can tap into if they are able to modify and translate their applications for Chinese consumption – the world’s 2nd largest app market. Furthermore, IT security firms also have potential opportunities to secure and optimize the networks of Chinese enterprises and SMEs whom suffer billions in economic losses each year.