A Blog by Jonathan Low


Oct 5, 2011

Is Offshoring Code-Writing Creating a Cyber Security Threat?

There are two potential threats, actually. One is the obvious: that foreign intelligence services will undermine the security of mainstream business code in order to gain access to the secrets of those using it. The second is more mundane, but could be just as harmful: that supervision will be less effective and that sloppy code will result.

The view on these threats is not universal. The big software firms are, naturally, offended at the notion that they do not know how to manage their offshore operations or that they would sacrifice security for profit. Industry analysts discount those self-serving claims but are divided on how serious the putative threat actually is.

The view here is that without strong management systems and a track record of operating globally, any extension of operations, offshoring included, can degrade quality and control. The question is whether the companies in question have the incentive to invest in prevention or whether they will take a 'management by exception' stance and wait to see if further action is warranted. Either way, corporate security is hopefully, by now, suspicious of anything sourced outside its own boundaries. Emphasis, alas, on the word hopefully. JL

Eddie Walsh comments in The Diplomat:

Big US and European software companies are increasingly developing code for mainstream products overseas, especially in Asia-Pacific. But despite the temptation for cost savings, analysts say bulk off-shoring of code development comes with an inherent risk – it’s simply less secure than on-shore code development. As the US government seeks to reduce software development costs amid looming budget reductions, this raises two important questions: 1) Is the off-shoring of code development a growing national security concern for the United States and 2) If so, does it need to impose new regulations and hold software developers liable for the quality of their code, especially for critical infrastructure products?

Most cyber security analysts I spoke with say off-shoring introduces unique cyber security concerns. However, the majority still believed it would strategically disadvantage the United States to start regulating private sector code development in the name of national security.

Robert Giesler, SAIC senior vice president and cyber security director, is one of those who oppose regulation as a solution. ‘As the Pentagon and intelligence community ask for better costs, there’s a push to develop code abroad,’ he says. ‘Everyone recognizes this, but there are ways to mitigate it that are easier and more cost efficient than on-shoring. If you regulate, you go back to the Maginot Line. Those with bad intent can manoeuvre around it.’

Giesler points out that the cost-benefit analysis for many off-shore countries, including Russia and India, reduces the likelihood that they would launch major supply chain exploitation operations. He also notes the likely significant economic consequences for the United States if it sought to regulate or impose liability on US software developers’ off-shore operations.

Dan Geer, Chief Information Security Officer at In-Q-Tel, agrees that regulation would be a mistake. ‘Any attempt to regulate software quality and security simply drives the software industry off-shore for good,’ he says. ‘Similarly, requiring trusted on-shore production ensures two things: (1) falling behind world progress as we aren’t the only smart people and we are a minority, and (2) costs rise in a way that makes on-shore-mandated software cost-uncompetitive on the world market.’

Still, not everyone agrees. Sean Costigan, a national security and technology consultant and co-editor of the upcoming book ‘Cyberspaces and Global Affairs,’ is one of the few willing to do so publicly.

In the absence of regulation, Costigan believes the software industry lacks the proper incentives to prioritize the security of their products at the level required to meet current national security objectives. He therefore suggests that new regulation should be considered for the software industry to harden code development, whether on or off-shore.

However, he does so in the context of arguing that supply chain security is only a small part of a much larger problem facing the industry: poor code development. From his perspective, the government must redress all of the issues affecting code quality, including operational security and legacy code, if it’s serious about cyber security.

‘Consider that at large companies there’s often considerable employee turnover to begin with, and it’s doubtful that people are checking credentials all that well. Not to pick on Microsoft, but in a product like Windows 7 that has been estimated at 50 million lines of code, you need a small army to write that code, with thousands of people touching it. Who is checking all that code?’ asks Costigan.

‘There’s a need for regulation to be sure. But...I think we need to focus on the risks of sloppy code as much as who writes it and where they are. Penalties for bad code should be considered,’ he says. ‘Ultimately, the short loop from bad code to easy cybercrime or foreign intelligence exploit is more worrisome. Consider that the White House now estimates cybercrime and industrial espionage damages of $1 trillion a year.’

Given that the software development industry vehemently opposes greater government oversight, such opinions are unlikely to gain favour in the commercial sector. The question, then, is whether like-minded people can change the minds of policymakers and national security analysts who have the power to force industry to adopt more stringent processes and standards if they believe it necessary.
