Security Experts:

China is a Target - Just Like Us

Chinese Companies Are Facing Many of the Same Cyber Challenges as Companies Elsewhere in the World

Late last year, I had the opportunity to visit China. It’s not an exotic trip for an American company, but it had been a while since an executive from my company had visited, for reasons that might be obvious. So, I didn’t take this trip for granted, and was excited to have the chance to meet with some of the most innovative companies in China. I wanted to learn about the problems they’re facing and how they are addressing those challenges. My agenda included companies in high tech, hospitality, healthcare, finance, and security.

Before my arrival, I asked what topics these organizations wanted to discuss, and they all responded with some variation of “we’d like to hear more about state-sponsored attacks on Chinese companies,” which struck me as an interesting request. I’m not ignorant to China’s place in the world, and I spend a lot of time outside the US. However, I’ll be honest—in a career working in security for a multinational company, and for a cyber security vendor, I’ve not spent a lot of time thinking about Chinese organizations as victims of cyber attacks. 

The next few days were educational. With 120 companies in the Global 500 (just behind 126 companies from the US), and the world’s second largest economy, Chinese organizations have a huge target on their backs. As compared with the West, life in China is more dependent on online and mobile services, which increases the motivation of threat actors. Chinese companies must respond with commensurate defenses. The same machine learning and artificial intelligence technology that is being used to detect fraudulent payment transactions and fake social media profiles is being effectively deployed to detect insider threats, phishing emails, and lateral movement. I was also impressed to read the threat intelligence and nuanced analysis published by several Chinese organizations. 

So, it’s not surprising that the Chinese companies I met with are facing a lot of the same challenges as companies elsewhere in the world. However, these challenges seemed amplified by a few factors. Although it is risky to generalize about a country as large and diverse as China after a dozen interactions, three themes seemed consistent across companies of various size and industries:

• Scale - Most of the organizations I spoke with are dealing with a scale not seen outside of the largest banks or tech companies in the US. Hundreds of millions of users, billions of daily transactions, all generating data at scale. 

• Verification Challenges - China has strict privacy laws, and many citizens don’t have a banking or credit history. Thus, the identity verification procedures we are accustomed to in US companies (validating previous addresses or loan balances) won’t work. This makes the mobile number a convenient identifier—but new SIM cards can be obtained cheaply, so app-based fraud is common. When a company can’t know exactly who is behind an account, or cannot verify a bank account, there’s little risk for the attacker. One organization I spoke with told me about staggering losses due to fraudulent activity on their platform.

• Growth - Imagine trying to secure an environment of unprecedented scale and complexity, and then also having to build the team, processes, and technology in a couple of years. The rapid growth of so many companies means that they’re still learning as they go.

The business environment in China also provides a few advantages for defenders, compared with their western counterparts:

• Ubiquity of Mobile - Like many travelers from the US to China, I was struck by the convenience of mobile payments, and the fact that many shops and restaurants refused my cash or credit cards. Several of the companies I spoke with have only mobile interfaces. When your organization’s primary (or only) user interface is a mobile app, your threat model is different, but simpler, than a company supporting a variety of methods of user interaction. It’s a smaller surface area to defend, when compared to that at so many Western companies I work with—who are tasked with defending not only mobile and traditional web sites, but dozens of legacy DMZs, 3rd party interfaces, direct vendor connections, legacy system connectors, etc. that have built up over the years. 

• Modern Platforms - None of the organizations I spoke with faced the legacy tech issues that I see at companies in the US. Most are working with systems that have been built in the last few years.

• Cost - The sheer size of security teams at the companies I met with was eye-opening. While some organizations in the US have large information security teams, the Chinese companies dwarfed them on a relative basis—resources are generally more affordable. While Reuters has reported that salaries for those with graduate degrees in Artificial Intelligence and Machine Learning are starting to rise, compensation for experts in other security domains—incident analysis, compliance, vulnerability management—remains relatively low.

• Culture - US companies often struggle with the basics as they try to balance user convenience with security. I remember once talking with executives at a Western pharmaceutical company who had been breached. Despite their issues, this company resisted deploying two-factor authentication to their critical research systems and was slow to deploy critical patches to most of the enterprise out of fear of employee disruption. I’m sure many readers have to deal with a similar balancing act in their organizations. I asked several Chinese companies about how they balanced employee convenience and security, and this did not seem to be an issue. “When we need to deploy a patch, we just deploy it.” This is not to say that every organization I spoke with had a stellar security culture, but I did not get the impression that employee convenience got in the way of security.

At the risk of sounding like an Us Magazine article (“Chinese Companies – They’re Just Like Us!”), it’s a reminder that our industry sometimes needs. The companies I met with are facing many of the same threats that your organization faces today, but they are addressing these threats at a massive scale, on emerging platforms, and with innovative approaches that we can learn from.

As we search for solutions to secure organizations around the world, we need to learn from the challenges that China is addressing today. I don’t know how we’ll do this while still balancing the reality of China’s role in the threat landscape, but as we try to solve tomorrow’s security challenges, we’d be remiss if we didn’t enlist the best people and ideas, regardless of where they live. 

Grady Summers is Executive VP and Chief Technology Officer at FireEye, where he oversees the global CTO team that supports R&D and product engineering and works with customers to address today’s evolving threat landscape. Grady has over 15 years of experience in information security both as a CISO and consultant to many Fortune 500 companies. He joined FireEye through its acquisition of Mandiant in 2014. Prior to Mandiant, he was a partner at Ernst & Young, responsible for the firm's information security program management practice. Before E&Y, Grady was the CISO at General Electric, overseeing a global information security organization. His previous roles at GE include divisional CTO and a variety of positions in application security, web development, and infrastructure management. He holds an MBA from Columbia University and a bachelor of science in computer systems from Grove City College.