In Depth

Information Without Borders: Maintaining Security Controls for Outsourced IT

By Simson Garfinkel

January 01, 2004

CSO — What do textiles, cars and software all have in common? Answer: They're all in industries that once offered high-paying jobs to large numbers of U.S. workers, but then eventually moved production offshore to lower costs. For textiles, most of those exports happened in the 1970s and 1980s; automotive jobs were exported in the '80s and '90s. The software industry has been steadily moving offshore for the past five years, and the trend is likely to accelerate in the coming years.

We live in a world in which information can freely move across international borders. People, on the other hand, are far less mobile. And because wages in countries such as Argentina, India, Pakistan and Russia are dramatically lower than they are here in the United States, it makes good economic sense for large companies to move as many programmer jobs overseas as possible. Doesn't it?

At a recent MIT-sponsored event for young entrepreneurs, one of the superstars, a twentysomething Pakistani who had graduated from MIT a few years ago, talked about how he had set up a software company to make tools for large websites. His company's headquarters is in the United States, and sales, marketing and support are done domestically too. But all the software development takes place in Pakistan, where the company has hired 24 programmers for what it would cost in Boston to hire four.

Another company that I visited has fewer than two dozen employees in its Boston headquarters, but a team of 60 programmers in Argentina backs them up. It's in Argentina where the heavy-duty engineering happens. The Boston office handles management, consulting and sales.

Coordinating these intercontinental development projects is easier than it might seem. With instantaneous e-mail, free IP-telephony and reasonably good Internet-based videoconferencing, the only real stumbling blocks to overseas development are time zones and language differences. Having bilingual senior management can eliminate the language barrier, and monthly trips between the home office and the programming shop seem to make the time-shift matter less.

But as we have seen time and again, there is no free lunch when it comes to security. Saving money almost always means an increased risk of something. And here, the risks that come with overseas development are many.

Not Invented Here

The first risk, surprisingly enough, is not technical but regulatory: If you are selling products to the U.S. government, you may be required to disclose the amount of "foreign content" in your product, and software that is developed outside the United States can count. Especially in the case of computer security tools, certain federal customers may not wish to purchase software programs developed in countries such as Argentina, India or Pakistan—or else they may require additional certification or assurance before the products are accepted. The fear, whether justified or not, is that software developed outside our borders is more likely to have intentional security vulnerabilities, Trojan Horses or back doors than software developed inside the country. Military customers feel especially vulnerable to these sorts of information warfare attacks since it is virtually impossible to analyze a piece of code and state that it doesn't have any security vulnerabilities.
