In Depth
Information Without Borders: Maintaining Security Controls for Outsourced IT
When it comes to outsourcing, out-of-site shouldn't mean out-of-mind
By Simson Garfinkel
What's more, the U.S. military has reason to be concerned. We've used similar regulations in the past to put security holes in software that we've exported to other countries. Back in the 1990s, U.S. export regulations allowed software with 40-bit encryption to be freely exported, but software with 128-bit encryption was restricted because the stronger encryption couldn't be cracked by the U.S. National Security Agency. That presented a problem for Lotus: foreign customers didn't want to use the weaker versions of its programs. So Lotus and the NSA cut a deal. Lotus was allowed to sell the 128-bit version of its product overseas, but the program was modified so that 88 of the 128 key bits for every encrypted message were leaked to the NSA. Technically, those bits were leaked by encrypting them to a special public key that only the NSA controlled and including the result with every Lotus Notes message, which left the NSA only 40 bits to search. The Lotus/NSA deal was publicly discussed inside the United States, but overseas customers were generally unaware of it.
So clearly, one of the risks of outsourcing your development is that you won't be able to sell your programs (or your services) to others in the United States. But there are other risks as well.
The employee, Shekhar Verma, had landed a job with Geometric Software Solutions Ltd. (GSSL), an Indian company that had been given a contract to debug SolidWorks 2001 Plus. Things didn't work out well for Verma at GSSL, and he was fired for poor performance. A short while later, he allegedly sent a series of e-mail messages to SolidWorks' U.S. competitors, offering them the entire SolidWorks 2001 Plus source code for $200,000.
When a competitor turned the e-mail message over to the FBI, a sting was set up, and Verma was arrested. The value of the source code on those CD-ROMs has been reported to be anywhere between $70 million and $90 million.
According to FBI special agent Nenette Day, who spoke about the Verma case at a conference last year, one of the problems that the Indian authorities have had in prosecuting this case is that stealing these sorts of trade secrets wasn't a crime under Indian law at the time. So Verma had to be charged with simple theft. His attorneys then claimed that SolidWorks didn't have a cause of action against Verma, since he wasn't its employee.