Tale of 'Bob': Does outsourcing new software pose cyber security risk? (+video)
Many US companies hire foreigners to build new software for their computer networks – a practice that may raise their risk of cyberattack, some experts warn. Even firms that do not outsource software development may find an occasional employee doing it on the sly, as in the case of 'Bob.'
(Page 3 of 3)
"We were quite amazed about the low maturity level of companies managing these software development projects," Lewin says. "Opportunities to penetrate them must be amazing. What you need to be able to do is have capabilities in place to manage and monitor these vendors. But in my opinion, top management doesn't give high priority to this."
One trend that alarms Goodman, Lewin, and other cybersecurity experts is that US companies are not adequately inspecting outsourced software for security flaws. Among software-outsourcing companies, the share that also farmed out their quality-control and security testing jumped from 72 percent to 87 percent in a year, a 2012 InformationWeek survey found.
A company that does not do its own security testing is like letting the fox guard the hen house, says Richard Hoffman, a software developer who helped conduct the InformationWeek survey.
"It's understandable that companies are seeking cost savings," he says. "But these companies writing the software are also often inspecting and testing security, too. In many cases, the same people charged with keeping costs down are also supposed to catch security holes."
Still, not everyone in the cybersecurity realm is ready to hit the panic button over software outsourcing. While the practice carries a risk, the threat may have waned a bit, says James Lewis, a cybersecurity expert for the Center for Strategic and International Studies, who wrote a 2007 study on software outsourcing. That's because cyberattackers have cheaper ways to penetrate a company's or agency's computer network, he says.
"Hacking in from the outside is so easy now that in most cases it's probably just not cost effective [for cyberspies or cybercriminals] to insert malware when the software is written," Dr. Lewis says. "Still, this isn't a hypothetical problem. ...As the US begins to get its act together on cybersecurity, you'll see the cost and benefits of hacking change. Then those attackers might look to more costly approaches."
As for "Bob," described as a "family man, inoffensive and quiet," the digital trail eventually revealed that he was freelancing for other US companies – and shipping those software code-writing assignments to China, too, according to the Verizon investigation team's blog. While "Bob" was paid hundreds of thousands of dollars a year from his company and for freelance work, the Chinese firm got perhaps $50,000, investigators estimated in their blog.
Bob's fate is not publicly known. Some people who left comments on the investigators' blog declared him unethical for secretly farming out the work and breaching company security. Others complimented him.
"Sooo… where’s the problem?" reads one comment. "He improved his personal profit and the quality and efficiency of his work, obviously. And all that by using standard business practices – get money to do the job, then pay someone else less to actually do it. This guy is an American hero and deserves a medal."
Others declared the Verizon blog post to be a hoax. After all, wasn't there also a report in The Onion, the satirical online news website, headlined "More American Workers Outsourcing Own Jobs Overseas"? Yes, there was.
Responding to doubters, Verizon's team on Jan. 18 followed up its original blog post with another one declaring that "the case is factual and was worked by one of our investigators."