Gartner on doing business in China: Privacy? What’s that?

If you want to use encryption, the government needs the keys

Tim Greene

NATIONAL HARBOR, Md. -- Jie Zhang says that as a child in China she played a game picking up marbles with chopsticks and performing the delicate task of carrying them to another room without dropping them. That’s what doing business in China is like for Westerners, she told a breakfast gathering today at Gartner’s Security and Risk Management Summit.

They have to get used to long-standing customs and practices that violate some basic business principles respected outside of China and some new ones that deal specifically with technology.

For example, a January 2016 cybersecurity law says that companies operating in China that want to use encryption technology in their infrastructure must pick it from a government-approved list. Other laws dictate that if the gear isn’t on the list, encryption keys must be turned over to the government.

The given reason is to fight terrorism, and the law settles a debate there that is still raging in the West about whether encryption backdoors should be mandatory so law enforcement can gain access to private communication.

Zhang says a Gartner client setting up shop there had been working on its private cloud for six months when the project stalled because it hadn’t gotten this type of approval. “You might find yourself in that position,” she says. “Do your due diligence.”

The acceptance of this practice may have something to do with the country’s sense of privacy. “When I translate ‘privacy,’ I have issues,” she says. “There is no direct word in Chinese that means privacy.” The closest term is yin si, which means “hidden personal secret.” “In China people identify with a group and privacy is a non-existent concept.”

This sensibility may carry over into a tolerated but officially unsanctioned banking practice. A colleague told her that someone he knew who worked at a bank routinely sold lists of customer information. Zhang says she later had this practice confirmed by a bank executive who said, “Yes, we know our employees do that.”

Banks are changing, though, with economic policies put forth in the government’s 2015 five-year plan, she says. As part of reforms for more transparency in financial entities, IBM, Oracle and EMC (known as IOE) are losing their seat as the go-to tech firms to supply banking infrastructure.

The push is to encourage use of local suppliers, which has led to a jump in business for the China-based tech giant Huawei. IBM has responded by partnering with local companies, she says. Foreign businesses couldn’t build data centers of their own under the new rules. Microsoft partnered locally; Google left the country.

There are big differences in other areas. The well-established and effective Western practice of meeting governance, risk and compliance (GRC) objectives to boost corporate productivity is a concept just getting a foothold in China, she says.

Last year massive industrial explosions in Tianjin were pinned on issues including IT infrastructure. “They were not diligent that security systems for checking and testing worked,” she says. Now China will look more at GRC, she predicts.

In other areas, Chinese are quick to embrace new technologies in ways that Westerners haven’t. Take laptops, for example. Most business people may have a desktop, but most don’t have laptops that they carry around. They do all their mobile computing on cell phones, she says.

Outside of technology, even when it comes to standard practices like contract negotiations, there are curve balls. When Zhang worked for a German pharmaceutical company, it sat down with potential Chinese business partners to hash out a voluminous contract, she says. The Chinese partners seemed uninterested in the German presentation, then one of them pulled out a two-page document they said should replace the one they had been working on. The flummoxed Germans had to call for a break so they could regroup.

This type of jarring tactic isn’t so common anymore among large Chinese internationals, but it can crop up when dealing with smaller firms, such as local businesses that may be part of a supply chain, so Westerners should be aware. “Expect a lot of unexpected things in China,” she says.
