Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Management & Strategy

China is a Target – Just Like Us

Chinese Companies Are facing Many of the Same Cyber Challenges as Companies Elsewhere in the World

Chinese Companies Are facing Many of the Same Cyber Challenges as Companies Elsewhere in the World

Late last year, I had the opportunity to visit China. It’s not an exotic trip for an American company, but it had been a while since an executive from my company had visited, for reasons that might be obvious. So, I didn’t take this trip for granted, and was excited to have the chance to meet with some of the most innovative companies in China. I wanted to learn about the problems they’re facing them and how they are addressing those challenges. My agenda included companies in high tech, hospitality, healthcare, finance, and security. 

Before my arrival, I asked what topics these organizations wanted to discuss, and they all responded with some variation of “we’d like to hear more about state-sponsored attacks on Chinese companies,” which struck me as an interesting request. I’m not ignorant to China’s place in the world, and I spend a lot of time outside the US. However, I’ll be honest—in a career working in security for a multinational company, and for a cyber security vendor, I’ve not spent a lot of time thinking about Chinese organizations as victims of cyber attacks. 

China Flag with Cyber

The next few days were educational. With 120 companies in the Global 500 (just behind 126 companies from the US), and the world’s second largest economy, Chinese organizations have a huge target on their backs. As compared with the West, life in China is more dependent on online and mobile services, which increases the motivation of threat actors. Chinese companies must respond with commensurate defenses. The same machine learning and artificial intelligence technology that is being used to detect fraudulent payment transactions and fake social media profiles is being effectively deployed to detect insider threats, phishing emails, and lateral movement. I was also impressed to read the threat intelligence and nuanced analysis published by several Chinese organizations. 

So, it’s not surprising that the Chinese companies I met with are facing a lot of the same challenges as companies elsewhere in the world. However, these challenges seemed amplified by a few factors. Although it is risky to generalize about a country as large and diverse as China after a dozen interactions, three themes seemed consistent across companies of various size and industries:

• Scale – Most of the organizations I spoke with are dealing with a scale not seen outside of the largest banks or tech companies in the US. Hundreds of millions of users, billions of daily transactions, all generating data at scale. 

• Verification Challenges – China has strict privacy laws, and many citizens don’t have a banking or credit history. Thus, the identity verification procedures we are accustomed to in US companies (validating previous addresses or loan balances) won’t work. This makes the mobile number a convenient identifier—but new SIM cards can be obtained cheaply, so app-based fraud is common. When a company can’t know exactly who is behind an account, or cannot verify a bank account, there’s little risk for the attacker. One organization I spoke with told me about staggering losses due to fraudulent activity on their platform.

• Growth – Imagine trying to secure an environment of unprecedented scale and complexity, and then also having to build the team, processes, and technology in a couple of years. The rapid growth of so many companies means that they’re still learning as they go.

Advertisement. Scroll to continue reading.

Stars of China FlagThe business environment in China also provides a few advantages for defenders, compared with their western counterparts:

• Ubiquity of Mobile – Like many travelers from the US to China, I was struck by the convenience of mobile payments, and the fact that many shops and restaurants refused my cash or credit cards. Several of the companies I spoke with have only mobile interfaces. When your organization’s primary (or only) user interface is a mobile app, your threat model is different, but simpler, than a company supporting a variety of methods of user interaction. It’s a smaller surface area to defend, when compared to that at so many Western companies I work with—who are tasked with defending not only mobile and traditional web sites, but dozens of legacy DMZs, 3rd party interfaces, direct vendor connections, legacy system connectors, etc. that have built up over the years. 

• Modern Platforms – None of the organizations I spoke with faced the legacy tech issues that I see at companies in the US. Most are working with systems that have been built in the last few years.

• Cost – The sheer size of security teams at the companies I met with was eye-opening. While some organizations in the US have large information security teams, the Chinese companies dwarfed them on a relative basis—resources are generally more affordable. Reuters has reported that salaries for those with graduate degrees in Artificial Intelligence and Machine Learning are starting to rise, compensation for experts in other security domains—incident analysis, compliance, vulnerability management—remain relatively low.

• Culture – US companies often struggle with the basics as they try to balance user convenience with security. I remember once talking with executives at a Western pharmaceutical company who had been breached. Despite their issues, this company resisted deploying two-factor authentication to their critical research systems and was slow to deploy critical patches to most of the enterprise out of fear of employee disruption. I’m sure many readers have to deal with a similar balancing act in their organizations. I asked several Chinese companies about how they balanced employee convenience and security, and this did not seem to be an issue. “When we need to deploy a patch, we just deploy it.” This is not to say that every organization I spoke with had a stellar security culture, but I did not get the impression that employee convenience got in the way of security.

At the risk of sounding like an Us Magazine article (“Chinese Companies – They’re Just Like Us!”), it’s a reminder that our industry sometimes needs. The companies I met with are facing many of the same threats that your organization faces today, but they are addressing these threats at a massive scale, on emerging platforms, and with innovative approaches that we can learn from.

As we search for solutions to secure organizations around the world, we need to learn from the challenges that China is addressing today. I don’t know how we’ll do this while still balancing the reality of China’s role in the threat landscape, but as we try to solve tomorrow’s security challenges, we’d be remiss if we didn’t enlist the best people and ideas, regardless of where they live. 

RelatedA Convenient Scapegoat – Why All Cyber Attacks Originate in China

Written By

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

CISO Conversations

Joanna Burkey, CISO at HP, and Kevin Cross, CISO at Dell, discuss how the role of a CISO is different for a multinational corporation...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

CISO Conversations

In this issue of CISO Conversations we talk to two CISOs about solving the CISO/CIO conflict by combining the roles under one person.

CISO Strategy

Security professionals understand the need for resilience in their company’s security posture, but often fail to build their own psychological resilience to stress.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...