Tale of 'Bob': Does outsourcing new software pose cyber security risk? (+video)
Many US companies hire foreigners to build new software for their computer networks – a practice that may raise their risk of cyberattack, some experts warn. Even firms that do not outsource software development may find an occasional employee doing it on the sly, as in the case of 'Bob.'
A software developer at a US company providing "critical infrastructure" – transportation, electricity, water, or the like – last year secretly outsourced his job writing computer programs to software engineers in China. Dubbed "Bob" by investigators – to keep his identity and that of the firm private – he even overnighted his electronic Secure ID token to China so the workers there could log into his company's network.Skip to next paragraph
Subscribe Today to the Monitor
That left Bob, who paid the Chinese software engineers a fraction of what he earned to do his work, plenty of time to surf the Internet and watch cat videos. But it also left Bob's company vulnerable to having its computer network compromised, possibly in ways that interfered with company operations or jeopardized public safety, some cybersecurity experts say.
In this case, the Chinese workers to whom Bob outsourced his work have so far not been identified as cyber monkey-wrenchers, according to a Jan. 14 blog by those who investigated Bob's exploits. But the episode serves as a warning to the thousands of US companies that opt to outsource their software development work to firms abroad, in an effort to cut costs, cybersecurity experts say. The practice, they warn, represents a big hole in the cybersecurity shield America needs to build to protect itself from cyberattack.
"If an attacker is part of your organization as an outsource contractor – writing code, or building the chip – they are in effect insiders with all kinds of advantages that enable them to cause you and your customers all kinds of grief," says Seymour Goodman, a professor of international affairs and computing at the Georgia Institute of Technology.
The cybersecurity risk from outsourcing isn't new. Back in 2005, Dr. Goodman chaired the cybersecurity panel for the Association for Computing Machinery, which found that "offshoring [of software development] magnifies existing risks and creates new and often poorly understood or addressed threats to national security, business property and processes." But the threat continues to grow as companies outsource not just software for smart phone apps, but also software tools that run corporate websites, networks, and databases.
The "Bob" episode came to light during a review of his company's data logs, which revealed that an unknown intruder was connecting daily to the company's network from Shenyang, China, according to "risk team" investigators from Verizon, a provider of cybersecurity services, hired to look into the breach. Bob had received sterling performance reviews, but his Web browser history revealed that he spent a typical work day as follows:
9 a.m. – Arrive and surf Reddit for a couple of hours. Watch cat videos.
11:30 a.m. – Take lunch.
1 p.m. – Ebay time.
4:30 p.m. – End of day update e-mail to management.
5 p.m. – Go home.
"They’re a US critical infrastructure company, and it was an unauthorized ... connection from CHINA," the investigators wrote with emphasis. "The implications were severe and could not be overstated."
While Bob outsourced his software work without his company's knowledge, many other suppliers of "critical infrastructure" offshore such work as a matter of course.