Security concerns bedevil Chinese outsourcing
U.S. companies might hesitate to send IT work to China in light of new reports on cyberespionage programs there.
China's plan to create a substantial outsourcing industry was hit with another blow last month with the release of a report that laid bare, in ways never seen before, the extent of the security risks of working in the country.
Ten years ago, there was wide expectation that China would emerge as India's top competitor in the third-party IT services provider market. Since then, China has created an outsourcing industry, but it certainly hasn't thrived.
Jimit Arora, a vice president at business consultancy Everest Group, puts the value of China's IT and business process outsourcing (BPO) market today in the $4 billion to $5 billion range. That figure amounts to about half the annual revenue of Tata Consultancy Services, which is just one of India's large IT services companies.
But from that small base, Arora expects China's IT services and BPO market to grow at a rate of 20% to 25% a year.
That projection comes as security firm Mandiant and the White House released separate reports outlining significant security risks facing companies that do business in China.
The Mandiant report identifies the Chinese military as a main instigator of cyberattacks on U.S. companies. And a White House analysis of theft of trade secrets makes numerous references to China.
Mandiant contends that a unit of the People's Liberation Army (PLA) of China is behind a systematic cyberespionage campaign against the U.S. and several other countries that has gone on since at least 2006. Working out of a 130,663-square-foot building in Shanghai, the PLA unit has likely accessed data at more than 140 companies in countries considered strategic by China, according to the firm's report.
Andy Sealock, a partner at consulting firm Pace Harmon, said the reports add evidence to confirm "what many people already assumed was happening." The security risks of working with China have long been "priced into" the decision-making processes of U.S. companies, he said.
With the release of the two reports, it's less likely that companies that are on the fence will send IT work to China. "This will just strengthen their resolve to stay away," said Arora.
Sealock suggested that the latest findings may prompt the U.S. government to "institute policies and sanctions that will make it more difficult to do business with China."
Security experts warn that several other countries, notably Russia, also have government-run cyberespionage programs targeting U.S. companies in a wide range of industries.
Intelligence reports dating back to 2005 have consistently warned that the U.S. is a target of economic espionage undertaken by state-sponsored entities around the world.
Nonetheless, said James Slaby, a security analyst at HFS Research, as long as companies follow best practices for securing data, outsourcing to China leads to only "nominally more risks."
Basic security practices "are more important than thinking about where you are physically located," he said.
Daniel Castro, an analyst at the Information Technology & Innovation Foundation, said it's unlikely that most "businesses will rethink their offshoring decisions because of the Mandiant report."
However, he warned, "they should all be taking a close look at their risk exposure and mitigation measures for these types of threats."
This version of this story was originally published in Computerworld's print edition. It was adapted from an article that appeared earlier on Computerworld.com.
Read more about government/industries in Computerworld's Government/Industries Topic Center.