At this week's annual shareholders meeting in Waterloo, Research In Motion CEO Thorsten Heins announced a tough decision: in spite of the company's serious financial woes, he decided that the idea of moving manufacturing operations to China was simply out of the question. The reason: he was not willing to sacrifice BlackBerry's high level of security. There hasn't been much to celebrate with RIM lately, but the company's high-road call on China deserves some respect.
That's because China has a unique view in the world when it comes to cyberespionage and intellectual property theft. While every country engages in some degree of espionage, in countries like Canada and the U.S. that espionage apparatus is there for policy making and informed national leadership. What it doesn't do is siphon off Chinese airplane designs and give them to Canada's Bombardier. But that's exactly what China does. In China, many large companies are directly or partially owned by the government and military; and government agencies are actively involved in helping them beat foreign rivals.
As a security professional who consults for many companies with operations in China, there is no doubt in my mind that RIM would have been strenuously targeted by Chinese operatives had it moved its operations there. And for RIM, a company that counts government agencies, military and large corporations as its biggest clients, the threat of data breaches into its security, software and hardware designs would be unacceptable.
After all, China's cyberespionage machinations are beyond speculation at this point. A recent examination of 115 U.S. cyberespionage prosecutions found that 80 percent of cases involving state-sponsored attacks could be linked to the Chinese government. More recently, General Keith Alexander, director of the U.S. National Security Agency, called China's unprecedented level of cyberespionage, "The greatest transfer of wealth in human history."
So how does China do it?
The most common way for the Chinese government to steal corporate secrets and intellectual property is to use skilled state-sponsored hackers to break into a company's computer networks, and then begin a long-term process of extracting all the corporate secrets they can get their hands on. These include blueprints, source codes, email, competitive documents, etc. Often, a company doesn't even know it's been compromised until it finds duplicates of its products in other Chinese plants. Companies can also find themselves outbid on new contracts by Chinese rivals that have access to their intelligence.
The government also goes after its quarry more bluntly. State officials will simply go to a company's offices or manufacturing plants in China and persuade or pressure the Chinese employees to provide access to corporate data or information systems.
Chinese operatives will also target visiting executives (or IT personnel) and install spyware on their phones or laptops. They can do this when the devices are left unattended in a hotel room or restaurant, at the airport, or through sophisticated cyber attacks.
For companies that have a corporate branch or manufacturing operation in China, these threats are virtually impossible to defend against all the time. There's simply no way a company can firewall off a branch in China -- the only solution is to stay out of the country altogether, a lesson that Google learned in 2009 after its networks were breached and source codes stolen in an effort to target Chinese dissidents.
However, in spite of the risks, many companies in Canada, the U.S. and Europe remain drawn to China, due to its low production costs, massive workforce and lax labor and environmental laws. And for a company like RIM that is struggling to keep itself afloat -- going so far as to cut 25% of its workforce and selling one of its corporate jets -- the cost benefits of Chinese manufacturing couldn't have been easy to turn down.
But RIM's decision makes sense, particularly when you consider the market space that it's in -- and here's why:
Safeguarding RIM's Security Credentials -- In spite of the company's plunging consumer market share, BlackBerries remain popular among the IT decision makers in the government, military and large corporations. The main reason for this is the product's strong security reputation. Security is the single strongest asset that RIM holds, as it's the primary selling point for its institutional clients. Had it decided to cut its production costs by manufacturing in China, it would have seriously threatened its "supply chain security" and damaged its brand among these buyers. There is no way an IT department could have faith in the integrity of the phone's software, platform or security settings if Chinese manufacturers had full access to its production and design.
Protecting the Company's Long-Term Value -- The decision was also wise in that it put the long-term interests of the company ahead of its short-term financial needs. In my experience, the majority of companies that go to China are at some point "backdoored"-- i.e., their computer networks are breached, allowing the Chinese full access to corporate intellectual property. Companies that produce their goods in China at a fraction of the cost elsewhere can end up losing more money in terms of increased security costs and stolen IP.
Prioritizing Customers -- Heins' decision also sets an important precedent for a reputable company's commitment to its customers. To this day, RIM's biggest customer is the institutional client -- and for them, having a secure platform is the single most important element of any technology purchase.
RIM's decision, although not an easy one to make, was the right call. "Supply chain security" is a hot topic now among many corporations and government agencies -- and it's particularly significant for companies in the telecom and information technology industries. Companies that save money in the short-term through cheap manufacturing often pay a higher price down the road because of increased security costs and stolen corporate secrets -- and that's a risk that RIM can't afford to make.