The risk of offshoring security

Outsourcing across all industries has become commonplace, but as the InfoSec Institute's Kim Crawley points out, the economic and security issues of such a trend may cause irreparable damage

Over the past twenty years or more, corporations in nearly all industries have been outsourcing and offshoring in hyperdrive.

Venture capital firms, public shareholders, various types of financial firms, and corporate executives are driven by the temptation of reducing labor expenses, so they're delegating accountability and responsibility to foreign parties. Often the money saved by offshoring simply goes back into the pocketbooks of executives. They also often get bonuses, sometimes in seven or eight figures, for reducing as much domestic labor as possible.

But the costs of this trend are insurmountable.

First of all, with more and more Americans, Canadians, and other people in developed countries out of work, our economies are being destroyed. That isn't reflected in the stock market — not yet, anyway. But it will be, probably within the next decade. Often the millions of chronically unemployed or underemployed (such as those working at McDonald's or Walmart) have BAs, MAs, or even PhDs. Many more have significant licenses and certifications in various trades.

A large percentage of those people are in their thirties, forties and fifties. They have years of experience in their areas of expertise, but they cannot find work in their fields, so they collect welfare, and work as Walmart cashiers.

Keep in mind that in the United States, a large percentage of workers at Walmart, McDonald's, and other low-wage employers still have to collect welfare and use food stamps in order to survive. When more and more people lack the spending money to buy consumer goods and services, the whole economy suffers. That change started to become noticeable in 2008, and it's only getting worse.

But our economies and our ordinary citizens aren't the only areas being hurt by outsourcing, offshoring, and hiring "temporary foreign workers".

In the 21st century, we're totally dependent on computer technology. Even your grandma, who may not use a PC, smartphone or tablet, still goes to the bank, and goes to stores to shop. And her medical and governmental records are all managed with computer technology, as are her bank and her favorite shops.

What's most alarming is that IT security is being offshored.

Those who encourage the practice claim that offshoring IT security frees their in-house IT departments from having to do mundane work, so their labor can be allocated more efficiently. And look at all the money our company can save!

What somewhat comforts me is a Computer Security Institute study from several years ago, which surveyed 479 security executives from various corporations and organizations in the United States. 61% of them said they've outsourced none of their security functions. 22% said they've outsourced up to 20% of their security. 8% said they've outsourced 21% to 40%. 10% said they outsourced 41% or more of their security.

Well, the 39% who said they've outsourced any percentage of their security still worries me a great deal.

But leaders in the IT security world who know what they're doing are too sensible to be tempted by offshoring and outsourcing. Jon Gossels, president of SystemExperts, said to NetworkWorld, "my bias is against it."

Not having direct access to your security management and logging creates a massive vulnerability. There's now a new area of work in my industry: information security auditors who have to dedicate their efforts to monitoring the security of third-party security firms. What's the point? Information security auditors should be able to focus their work on monitoring in-house security only, because, except for penetration testing and third-party compliance, all security work should be done in-house. And third-party pen testers and compliance regulators should be domestic, not foreign.

The NSA scandal and recent news about Russia and China highlight how outsourcing security or any technical work to foreign countries can be a national security threat. The Patriot Act, in my opinion, is bloody well useless for securing the United States, especially considering America's economic, security, and technological dependence on other countries. Some of them are possibly hostile, namely China.

On February 11th, the Mandiant security firm released an earth-shattering report. They identified attacks on American corporations, individuals, and computing infrastructure from China's People's Liberation Army, using "Unit 61398" as a handle.

Since 2006, Mandiant has recorded attacks on 141 different companies, in a number of industries. The United States, and other predominantly English-speaking countries, like the UK and Canada, are the main targets. Of course, the Chinese government denies everything.

My husband and I own and operate a few rackmount servers in the data center owned by Toronto Freenet, a Canadian ISP. We use our servers for various work and recreational purposes. Their network administrator, Michael Kaulbach, is a good friend of ours. Whenever my husband or I visit the downtown Toronto data center, Mike always tells us about attempted attacks he's had to stop, coming from predominantly Russian IP addresses and domain names.

Sometimes, outsourcing firms are simply poorly qualified and incompetent. Foreign workers with no IT experience are writing IT security policies and procedures for domestic corporations. Aric Bandy, the CEO of IT outsourcing firm Agosto Inc. said to the Chicago Tribune, "a lot of these security rules were written by non-IT people, and they aren't specific enough to give IT professionals a clear idea of how to set up security, and there are a lot of other ways to do it. One client wanted us to ensure we had control of who was physically able to access a computer server in our data center. We already had card access to the data center, personal identification numbers for data access, and a guard. But that wasn't enough. They wanted a camera focused on that server, and we had to do that."

The language problems and having more middlemen than necessary in data center and IT security services are also causing operational problems, many of which I've observed here in Canada.

There's an ongoing class action lawsuit against PC Financial, and the Canadian Imperial Bank of Commerce, which provides all of PC Financial's infrastructure, and handles all of their services. Thousands of PC Financial customers have found their checking and savings accounts to be completely non-operational, with no fix in sight. We're almost completely certain that the CIBC outsources their security and other electronic banking functions to India. With no access to their money, of course those thousands of customers are pissed off.

I have a checking account with the Royal Bank of Canada. There have been a few times over the past couple of months that I've found the ATMs in my downtown Toronto neighbourhood to be non-operational. So, I couldn't withdraw my money. Fortunately, those incidents have been temporary, lasting 36 hours at a time, at most.

But the same problems that caused their ATMs and Interac (a Canadian debit system that all Canadian banks and most Canadian credit unions use) systems to go down also affected their whole electronic banking system. So, customers couldn't even withdraw or deposit via a human teller. My local branch has been swarmed with angry customers on those days. RBC offshores their electronic banking management to India.

There's also been a scandal in the last year about RBC replacing their domestic workers in various areas with "temporary foreign workers." The Canadian media has dubbed it the "Temporary Foreign Worker Scandal." Prime Minister Stephen Harper's Conservative government has made it easy for Canadian companies to replace Canadian workers with foreigners who are sent to Canada to work. According to legislation, they can be paid less than Canadians, and aren't protected by the same labor laws. That hurts both the Canadians who lose their jobs, and the foreign workers who are sent here to Canada.

RBC has been taking full advantage of the Harper government's program.

Dave Moreau, an IT systems support worker who was employed by RBC, told the CBC how the bank's practice of replacing its Canadian workers with temporary foreign workers affected him and his colleagues.

"They are being brought in from India, and I am wondering how they got work visas," he said. "The new people are in our offices, and we are training them to do our jobs. That adds insult to injury."

In the next couple of months, I'm closing my RBC checking account, and I'll be transferring my funds and all of my banking services to a credit union. In my opinion, credit unions tend to be less greedy than major banks. When I'm charged extra because I have to use other banks' ATMs, I'll consider it to be a good return on investment. If I accumulate a couple of hundred dollars a year for having to use other banks' ATMs, I figure I'll be saving more than that in the lower fees credit unions charge for services, and I'll get better service. All while supporting Canadian workers and smaller businesses.

Speaking of business ethics, the most effective blackhats are people who used to do IT and computing work for the companies they were laid off from. They have intimate, insider information about how their networks and computing systems work, and their security policies. When a technical worker has been laid off, and then finds it difficult to put food on the table and pay their bills, it's incredibly tempting to attack their former employers. And so far, there have been numerous incidents of that happening.

There are other costs related to offshoring technical services and work in other industries, as well.

According to Australia's Passion Computing, outsourcing to India isn't actually cheaper at all. Companies and firms often get incredibly buggy code from Indian programmers, and additional money has to be spent on debugging. Because Indian programmers are paid poorly, even by Indian standards, there's no extra incentive for them to spend more time producing quality code.

Even though, in India, English is the language of choice when an Urdu speaker has to communicate with a Hindi speaker, those Indian technical workers and their supervisors often don't have a firm enough grasp of English to discuss technical matters in proper detail with their English-speaking clientele.

Outsourced projects can be illegally copied, causing licensing and copyright issues. India's not the worst contender for that sort of thing, but China is.

Until the developed world starts to replace foreign workers with domestic workers, on a significant scale, we're collectively screwed; economically, technically, and security-wise.

Kim Crawley is a security researcher for the InfoSec Institute, an IT security training company specializing in CCNA certification training.

Copyright © 2014 IDG Communications, Inc.