[url= http://www.nytimes.com/2003/01/06/technology/06OUTS.html
]Experts See Vulnerability as Outsiders Code Software[/url]

January 6, 2003
Experts See Vulnerability as Outsiders Code Software
By JOHN SCHWARTZ

As American companies increasingly move their software development tasks
out of their own offices to computer programming companies here and
abroad, new concerns are being raised about the security risks involved.
Some of these concerns over the practice, known as outsourcing, are being
raised by people with an obvious self-interest — for example, programmers
who have seen their livelihoods shift to less expensive operations
overseas. And the companies providing outsourcing services argue that they
take all necessary precautions to limit risk. But the question of whether
the booming business in exporting high-tech jobs is heightening the risk
of theft, sabotage or cyberterrorism from rogue programmers has been
raised in discussions at the White House, before Congress and in
boardrooms.
"I can't cite any examples of this happening — but what that means is we
haven't found any," said James Lewis, director of the technology program
at the Center for Strategic and International Studies in Washington. "It's
clearly a temptation for people, and it's a concern," he said.
While operations in some countries, like the United States, Britain and
India, are considered generally safe for such software outsourcing,
nervousness is beginning to grow at companies and in the government about
the possibility of abuse by hackers, organized crime agents and
cyberterrorists in nations like Pakistan, the Philippines and Russia.
To Mr. Lewis, the potential for problems in the software design process
goes beyond the earlier trend of running back-office operations and call
centers in other countries.
"The banks have done a fairly good job of insulating themselves," he said,
keeping their call centers overseas from being able to engage in unwanted
activity. But letting outsiders work on the software that runs businesses
and financial institutions could be opening up a world of trouble, he
said. "You're going to have code that will be written in countries like
India and China," he explained, "and no one's going to know what's in it."
David McCurdy, a former congressman and executive director of the Internet
Security Alliance, an industry group, said that although he considered
himself a "free trader" with a strong belief in the benefits of global
commerce, he believed that the risk from offshore outsourcing was "the
most serious of the industry-based issues that this country faces."
The issue has been discussed quietly at the highest levels of government,
said Howard Schmidt, vice chairman of the president's critical
infrastructure protection board. At the White House, he said, "this has
come up as part of a broader discussion of how do we get trust and
reliability" in computer systems.
He said, however, that the issue was outsourcing itself, not simply the
overseas kind, and cited spies like Aldrich H. Ames and Robert Hanssen as
examples of how Americans could do just as much damage to the nation from
within as outsiders could. "Irrespective of where it's done, we need to
make sure that our code is clean and protected across the board," he said.
It is easy to see why companies find the economics of outsourcing
compelling; cost savings can be 25 to 40 percent. Forrester Research of
Cambridge, Mass., predicted in a recent report that the acceleration in
outsourcing would result in 3.3 million American jobs' moving offshore by
2015, an exodus reminiscent of the tide of American blue-collar jobs that
moved to East Asia in the 1980's. Forrester estimates that 70 percent of
these jobs will move to India, 20 percent to the Philippines and 10
percent to China.
Patrick P. Gelsinger, the chief technology officer of Intel, said the cost
of one engineer in the United States would pay for the services of three
Indians, four Chinese or five Russians. But he said he was not concerned
about the potential for mischief within his own company's overseas
software development. The software is reviewed, he said, to avoid
surprises.
"Is it possible?" he said. "Sure, it's possible. Is it a unique risk
there? No, it isn't."
Offshore outsourcing got its trial run in preparations for the Year 2000
changeover, when government and industry had to check every line of
software for glitches that could make computer networks and even building
security systems shut down at 12 a.m. on Jan. 1, 2000.
Much of that work was done overseas, and although industry experts warned
that foreign programmers might commit crimes or lay the groundwork for
terrorism, no evidence of sabotage occurred, said Jay Ehrenreich, senior
manager for cybercrime prevention and response at PricewaterhouseCoopers,
the consulting firm. After that experience, he said, many companies felt
comfortable sending software work overseas, and now such bespoke
programming is done around the world.
Programmers say the confidence is not justified.
"Anyone tells you that `offshoring' computer systems does not put the
infrastructure at risk is lying," said Ken O'Neil, a programmer who lives
on Long Island. He and other programmers talk of "sleeper bugs" that could
be set to go off at a later date, or back doors that would let intruders
in to shuttle money around, steal fractions of a penny from millions of
transactions or shut down the system entirely. They warn of risks from
political instability, organized crime and terror cells, and even from
governments that might demand the ability to spy.
Such talk could be dismissed as the grumblings of disgruntled white-collar
workers who have seen their high-paying jobs move elsewhere. "Nobody is
going to cry for people who make $75,000 or $100,000 a year," said Marc
Alan Fink, who lost his programming job more than a year ago.
In fact, some of the newly expressed concern is part of a long-running and
acrimonious fight by programmers to hold on to their jobs in the face of
relaxed immigration standards for technical workers and increased
outsourcing. They attack the rise in special visas for immigrant
engineers, known as H1-B visas, and the trend toward sending jobs
overseas.
The companies that provide software outsourcing services say that they
take rigorous precautions to ensure that their employees are trustworthy
and their code is secure.
Arup Gupta, president of Tata Consultancy Services, an Indian company that
is part of a conglomerate, said he had gotten worried calls from clients
after the recent F.B.I. raid on Ptech, a software company in Quincy, Mass.
The agents were looking for connections between the company and Yasin
al-Qadi, a Saudi Arabian financier suspected of financing terrorism, but
early speculation in news reports focused on questions about whether the
company, which provides software used by many government agencies,
including the F.B.I., was secure.
Mr. Gupta assured his clients that his company used exacting background
checks and multiple reviews of company-written software based on industry
standards. "With all these in place, we can guarantee, basically, that the
code we deliver will be bug-free and will perform to specifications and
will not have holes in it," he said.

He said he could speak for only his own company, but he added that since
the Sept. 11 attacks, security fears and economic troubles had shrunk his
industry and brought about the consolidation of the major Indian software
houses. "The top five or six companies, you can be assured that they are
conforming to these standards," he said. "The others, you cannot be sure —
but maybe they are."
United States technology services companies are also expanding their
overseas outsourcing offerings. Electronic Data Systems provides
outsourcing services in 93 "solution centers" that it has opened around
the world since 1990. Paul D. Clark, the chief information security and
privacy executive for the company, said E.D.S. understood that the threat
of sabotage in outsourcing is real. He said, "To say that it isn't is to
deny the realities." That is why the company adheres to security and
testing standards wherever code is written, he said, adding, "whether it's
India or Indiana, it doesn't make any difference."
The company is careful about what code it releases to which countries,
said Dan Zadorozny, president of application services for EDS Solutions
Consulting; some federal government work, he said, is done only in the
United States and Britain, and "we're not going to move that anywhere."
But E.D.S. insists that its standards are high enough that its outsourcing
sites offer "a more secure environment than you can provide yourself."
Some programmers, however, argue that reviews are less thorough than
companies say. "If code runs, I assure you, nobody ever looks at it," said
one, who said conducting a line-by-line review would be like having an
electrician tear into walls to check wiring even though the lights were
working. "It never gets done in practice."
Mr. Ehrenreich, the crime consultant, said that it was up to companies to
demand that kind of security, even if it cost more. He recalled a case in
which he was asked to investigate the possibility of illegal activity on
an Indian outsourcing contract and discovered that it was nothing more
than run-of-the-mill overbilling fraud.
What struck him, however, was that the company had no idea how big the
problem was. He said far-worse crimes could have been committed without
anyone's knowing. "The risk was there that more could have been done," he
said. "They clearly did not have the controls in place to mitigate it,
control it."
"You can outsource the work," he said, "but you can't outsource the risk."

Copyright 2003 The New York Times Company

It's amazing to me that young kids are still going into CS and engineering. The way people are treated, I certainly wouldn't tell my kids to go that route (even though I did).