The Chinese Government's updated security software procurement list favours Chinese security suppliers over Symantec and Kaspersky. Is that a risky choice?
It was announced by the Communist Party organ, The People’s Daily, via Twitter.
Govt procurement agency has excluded Symantec & Kaspersky fm a security software supplier list, all 5 in are fm China pic.twitter.com/cSqCxVN0jI — People's Daily, China (@PDChina) August 3, 2014
A longer story in the People’s Daily provided no explanation as to why the US security companies were excluded.
Turns out that neither company appears to have been banned as such, and that the move isn’t a political one. It's more likely an opportunity to provide a leg-up for local vendors.
The local heroes in Chinese security are Qihoo 360, Venustech, CA Jinchen, Beijing Jiangmin and Rising Global.
The interesting question is, will using local antivirus brands, unknown to most westerners, put China government IT at risk?
Probably not, but Chinese public service IT managers would be wise to select their local antivirus vendor with great care.
UK specialist malware and security research publication Virus Bulletin is familiar with some of them, according to its chief of operations, John Hawes.
Hawes said that Qihoo 360, probably the best known outside China, includes European-developed antivirus engines from well-known vendors Bitdefender and Avira.
That by itself doesn’t guarantee Qihoo is sound, but Hawes notes that the antivirus has been tested by Virus Bulletin since 2009 and has a good performance record, with 14 passes and just four fails over the years.
Rising Antivirus on the other hand isn’t quite the star performer in Virus Bulletin’s stringent tests, and racked up seven fails and six passes between 2007 and 2011. It rose to infamy in 2010, after the company was found to have bribed a Beijing official and written a virus that could be neutralised by its own software, which was promoted by the civil servant. The official received a two-year suspended death sentence for corruption.
Nevertheless, Hawes rates Rising Antivirus as the leading anti-malware brand in China. It has lately been squeezed in the market by competition from both free and premium products offered by Chinese internet vendors like Baidu and Tencent, which both use foreign-developed antivirus engines.
The others are yet to be tested by Virus Bulletin.
CA Jinchen appears to be the result of a joint venture between Computer Associates and China Jinchen Security and features an antivirus scanner called Kill.
Venustech is an unknown entity to Virus Bulletin, but it appears to be a Kaspersky partner. The extent of the collaboration isn’t clear.
Jiangmin has been certified by United States security firm West Coast Labs, but Hawes said it hasn’t been tested “for rather complicated reasons”.
Although the procurement list includes credible local antivirus alternatives, which often use overseas scanning engines, the Chinese government’s move is still a gamble.
Local and central government bodies and state enterprises remain vulnerable to security incidents, as a large proportion are still running the antiquated, unsupported and very insecure Windows XP operating system.
China - not to mention the rest of the world - would breathe easier if the government didn’t restrict the choice of antiviruses available. At least not until XP is phased out for good.