“There’s significant control in some areas, but in others it’s just the wild, wild West,” said Tom Creedon, a longtime cybersecurity expert specializing in East Asia.
One reason computers in China are so vulnerable is the widespread use of pirated software, including by government ministries and state-owned companies.
While authentically licensed software such as Windows and Microsoft Office receives frequent security updates to patch exploitable holes, unregistered pirated versions do not. Some hackers have even been known to seed the Internet with free copies of software to which they have added vulnerabilities, so they can later sell such backdoor access to other people, experts here say.
The fragmented nature of China’s Internet and businesses also contributes to the weakness in network security. Even bank accounts and cellphone accounts from the same companies often run on different systems from province to province. That presents Chinese hackers with a wider assortment of vulnerabilities and systems to exploit.
When it comes to the highest levels of Chinese government, however, the depth of vulnerability is less clear, say U.S. and Chinese industry analysts. As in most developed nations, key military systems in China are believed to be “air gapped,” or cut off from the global Internet.
The Chinese government reacted at first with loud indignation to the Snowden revelations. But that has given way to internal discussions on how to beef up domestic security.
In recent weeks, key Chinese ministries held a meeting with leading tech companies to probe the impact from U.S. surveillance and begin formulating a response, according to reports in a handful of tech-focused Chinese media outlets and cybersecurity experts with knowledge of the session.
China’s government is highly reliant on the country’s private cybersecurity firms to help protect its secrets. Such firms typically draw their biggest share of revenue from government work, according to market researchers.
Because such firms are circumspect about their work, estimates of the growth in China’s cybersecurity industry vary. One government report estimated a 30 percent growth rate from 2006 to 2010.
But what is clear is that the market has huge space to expand. According to calculations by one market research firm in Beijing, IDC, only 1 percent of total IT spending in China goes toward cybersecurity. In the United States, the ratio is roughly estimated at 11 percent.
Chinese spending will probably rise more quickly because of the revelations about U.S. intelligence operations, said Dai Xiangjun, an analyst for CCID, a research firm affiliated with the Chinese government. “The Snowden scandal has caused real panic.”
Snowden’s allegations have raised suspicion of foreign companies to a fever pitch. One state-run magazine ran a cover story on how China allegedly has been “seamlessly penetrated” by eight U.S. companies — Cisco, IBM, Google, Qualcomm, Intel, Apple, Oracle and Microsoft.
But the reality, say many industry insiders, is that China’s technology is not close to being able to replace U.S. suppliers.
“There’s not one Chinese company within years of reaching what some U.S. tech companies are doing at the highest levels,” said one Chinese expert in the security industry who spoke on the condition of anonymity because of the sensitive nature of his work.
Chinese banks, for example, need equipment that is reliable, which often means foreign hardware. Cisco routers still form the backbone of much of China’s telecommunications networks.
The Snowden backlash, however, has been worrisome enough to prompt Cisco to declare on its Chinese Web site that it had nothing to do with the U.S. surveillance programs revealed recently.
Meanwhile, some of China’s booming cybersecurity firms are trying to export abroad, including to the United States, where they have faced suspicion because of their close ties to the Chinese government.
Jeffrey Carr — founder of McLean-based Taia Global, which specializes in thwarting cyber-espionage and theft — recalled his surprise at seeing Chinese vendors this year setting up their booth at a San Francisco convention right up the aisle from Mandiant, a company that has made headlines for its investigations of state-sponsored Chinese hacking.
“It was shocking, but also kind of funny to see,” Carr said. He added, however, that he would not write off the companies’ efforts. “There’s quite a bit of money being spent in China right now,” he said. “The growth opportunities there are simply tremendous.”
Li Qi contributed to this report.