Why China Produces No Meaningful Cyber Security Start-Ups

During the past four years, I cannot recall a single meaningful discussion with a cyber security start-up founded in China. And this is not for lack of trying. At TAG Cyber, we have no policy to avoid countries in our assessment of cyber security vendors. Despite this, I can report that I’ve found nothing interesting to date. And yes – I know that Huawei and ZTE list cyber security as capabilities on their websites, but neither is a security vendor.

This might seem surprising, given the vigorous attention China has placed on adjacent high-technology markets. Witness those cool electric SUVs coming off those intelligent, automated assembly lines in Wenzhou. And check out the amazing (and terrifying) facial recognition systems that capture people jaywalking in Shenzhen. And don’t forget the recent innovations being accelerated (uh, tariffs) in Chinese semiconductor firms like SMIC.

So, it’s unreasonable to suggest that cyber security start-ups are missing from China due to Luddite culture or lack of capital. This cannot be the reason. Instead, our analysis at TAG Cyber suggests a somewhat different explanation for this unusual gap. By looking carefully at the social conditions that would seem to nurture the development of cyber security start-up founders, we’ve identified three factors that might help explain this phenomenon:

Mischievous Youth Culture – We discover in our work at TAG Cyber many security founders, especially in the US and Europe, who developed an interest in cyber-related issues during a mischievous youth. We hear stories every day from edgy young founders who poked around in places where perhaps they should not have – only to find that this yearning to explore, and even break the law (ahem), would be a useful tendency for cyber security.

Now, I am no psychologist, and I cannot provide a comprehensive commentary on youth culture in China. But as an NYU and Stevens professor of computer science for decades, I’ve come to meet many hundreds of young people who grew up in China. And I can tell you that they never, ever tell me stories of brazenly breaking the law as youngsters. In contrast, American students brag about their stories of mischievousness all the time.

Continuous Threat Awareness – We also find in our work at TAG Cyber that many cyber founders honed their technical skills in an environment which included consistent societal awareness of an imminent and present threat. Israeli founders win the prize here, and we are treated to stories literally twice per day of cyber executives – young and old – who are driven by a culture of country threat, often reinforced by time served in the military.

Once again, during decades of many wonderful Chinese graduate students in their early twenties answering questions about Kerberos on my midterms, I don't recall ever hearing stories from these youngsters of growing up in constant fear of foreign attack – and admittedly, US students rarely offer this view (most were toddlers in September 2001). Again, this might be anecdotal, but it seems relevant to the lack of Chinese cyber start-ups.

Enterprise Legacy Vulnerabilities – A third observation from our work at TAG Cyber is that many cyber start-ups build business cases on the nagging, legacy vulnerabilities in existing corporate and government infrastructure. They point to weak corporate LANs, misconfigured firewalls, uninformed employees clicking on phishing links, and on and on. These legacy enterprise weaknesses fuel platform sales and help start-ups get off the ground.

In contrast, China is building the canonical leap-frogged infrastructure with a focus on brand new 5G-powered networks. They simply do not have much of an embedded, legacy base of companies with poorly managed systems, because they don’t have much of an embedded, legacy base of business. Capitalism is a relatively recent phenomenon, so one is more likely to hear about issues with mobile devices than with legacy firewall-based LANs.

Now – before you start typing in your angry protest, showing me the dozen or so cyber security companies like Sangfor that popped up in your Google search, let me comment: I did not say that there were no security start-ups. I understand that there are Chinese companies building AV and NAC, and other traditional solutions. What I said instead was that I could find no meaningful cyber security companies. And I stand by that point.

Despite all this, perhaps the real reason – the honest reason – that China barely scratches the surface in the cyber start-up ecosystem is that their government knows that it cannot dominate this area. With the Israelis and Americans so far ahead, one can only imagine the planning sessions of Chinese leaders. Why focus on crowded markets like cyber, they have likely concluded, when you can dominate AI, solar energy, and electric cars?

Why is this relevant? Well – as the United States and other countries continue to develop their long-term strategies for protecting critical infrastructure, the idea that China has largely punted on developing their own cyber defensive offerings should factor into the planning discussions. Sadly, the United States has such poor leadership in this area (witness, no Cyber Czar) that this observation might not have been made in Washington. Hence, my article.

I hope that you forward this article to your government representative. They seem happy to go on Fox News, CNN, and MSNBC to complain about Chinese Trojans in Huawei equipment, or about Chinese investments in American companies. But no one seems to mention this other thing – namely, that virtually 100% of the cyber protections built to defend against cyber threats are invented, developed, and maintained by companies outside China.

I understand that this might have been a somewhat edgy article. Let me know what you think.