Tale of 'Bob': Does outsourcing new software pose cyber security risk? (+video)
Many US companies hire foreigners to build new software for their computer networks – a practice that may raise their risk of cyberattack, some experts warn. Even firms that do not outsource software development may find an occasional employee doing it on the sly, as in the case of 'Bob.'
(Page 2 of 3)
"We are aware of several critical infrastructure organizations that outsource development projects overseas," says Robert Huber, a principal investigator with Critical Intelligence in Idaho Falls, Idaho, a company specializing in security for critical infrastructure providers. "Without a thorough security review by someone in your organization, you have no idea of the issues that are being introduced to your networks that may expand your attack surface." Malware inserted into software in the "software supply chain," as it is being written, can leave companies vulnerable to theft of their intellectual property, he says.
Software products that defense contractors supply to the Pentagon, for use in microelectronic and telecommunications, are also at risk. Most contractors have geographically dispersed supply chains that create "a vulnerability of potential insertions of malicious hardware or embedded software on the hardware components," the US-China Economic and Security Review Commission warned in a report last year to Congress.
Problems the report cited included a desktop computer purchased by the Army and made in China by Lenovo. The new computer was discovered to be "beaconing" (attempting all by itself to establish a connection) "to a suspicious foreign entity," the report noted, citing a US Army official who revealed the 2007 incident last February.
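The "beaconing" described above is a detection problem as much as a supply-chain one: a compromised machine that phones home tends to do so on a fixed schedule, and that regularity stands out in ordinary connection logs. The following added example (not code from the article, the Army, or the commission's report) shows one simple way to surface such behaviour: it groups outbound connections by source, destination and port, measures the spacing between them, and flags flows whose intervals are both frequent and nearly constant. The log format, the sample addresses and the thresholds are all constructed for illustration.

```python
"""Flag periodic outbound connections ("beaconing") in a connection log.

Added example, not from the article. The log format ("timestamp src dst port")
and every address below are constructed; real beacons add jitter, so the
regularity threshold (max_cv) is a tunable, not a fixed rule.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: one host talks to 198.51.100.7:443 every 10 minutes
# (suspiciously regular) and to 203.0.113.9:80 at irregular, user-like times.
SAMPLE_LOG = """\
2007-03-01T09:00:00 10.0.0.15 198.51.100.7 443
2007-03-01T09:01:10 10.0.0.15 203.0.113.9 80
2007-03-01T09:10:00 10.0.0.15 198.51.100.7 443
2007-03-01T09:14:35 10.0.0.15 203.0.113.9 80
2007-03-01T09:20:00 10.0.0.15 198.51.100.7 443
2007-03-01T09:22:01 10.0.0.15 203.0.113.9 80
2007-03-01T09:30:00 10.0.0.15 198.51.100.7 443
2007-03-01T09:40:00 10.0.0.15 198.51.100.7 443
2007-03-01T09:50:00 10.0.0.15 198.51.100.7 443
"""


def parse_log(text):
    """Parse 'timestamp src dst port' lines into (datetime, src, dst, port) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return events


def find_beacons(events, min_connections=4, max_cv=0.1, allowlist=()):
    """Return flows whose inter-connection gaps are nearly constant.

    min_connections: ignore flows with too few samples to judge regularity.
    max_cv: maximum coefficient of variation (stdev / mean) of the gaps;
            0 means perfectly periodic, larger values tolerate more jitter.
    allowlist: destination IPs known to be legitimate schedulers (update
               servers, monitoring agents) that should not be reported.
    """
    by_flow = defaultdict(list)
    for ts, src, dst, port in events:
        if dst in allowlist:
            continue
        by_flow[(src, dst, port)].append(ts)

    findings = []
    for flow, stamps in by_flow.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:  # duplicate timestamps; nothing to measure
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append(
                {"flow": flow, "count": len(stamps), "period_s": avg, "cv": cv}
            )
    return findings


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        src, dst, port = hit["flow"]
        print(
            f"possible beacon: {src} -> {dst}:{port} "
            f"{hit['count']} connections every {hit['period_s']:.0f}s (cv={hit['cv']:.2f})"
        )
```

Run against the constructed sample, only the 10-minute flow to 198.51.100.7 is reported; the browsing-like traffic to 203.0.113.9 is too sparse and too irregular. In practice the output is a triage list, not a verdict: the analyst still has to check the destination against threat intelligence and the machine against its expected software inventory, which is exactly the kind of review the article's sources say outsourced or imported systems rarely get.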
The software export business worldwide is booming, as companies around the globe look outside their own national confines to fulfill their software needs as cost-effectively as possible. Ireland, a leading exporter of computer software and services, saw its exports soar to $37 billion in 2010, up from $7 billion in 2000. India's software export sales nearly tripled in five years, hitting $45 billion in 2011. China's software export sales soared to $30 billion last year from $10 billion in 2007, the lion's share headed to the Japanese market, according to the UN Conference on Trade and Development's 2012 report on the global software industry.
American firms are major buyers of software development services from abroad, say researchers at Duke University, in Durham, N.C. Among US software companies, half of all development projects were headed to India and 13 percent to China, a 2008 Duke survey found. Nearly one-quarter of all US companies expected to outsource software development to China.
Against that baseline, US software outsourcing has only accelerated, suggest unpublished Duke data from last year. Helping drive the trend is the emergence of at least 120 eBay-like Internet platforms such as freelancer.com, where software developers worldwide can bid on software projects large and small, Duke researchers say.
"What's amazing to me is that roughly one-third of those bidding on such forums for software development projects are people in full-time jobs – and I'm sure the companies that employ them have no idea," says Arie Lewin of the Duke Center for International Business Education and Research, citing yet-to-be-published survey results on software outsourcing by US companies.
Dr. Lewin's "Offshoring Research Network" 2008 survey showed that "data security" and "lack of intellectual property protection" in the software development cycle are among US software companies' top five concerns about outsourcing.