[ISN] Experts See Vulnerability as Outsiders Code Software

From: InfoSec News (isnat_private)
Date: Tue Jan 07 2003 - 01:28:10 PST

  • Next message: InfoSec News: "[ISN] Help Wanted: Steal This Database"

    http://www.nytimes.com/2003/01/06/technology/06OUTS.html
    
    By JOHN SCHWARTZ
    January 6, 2003   
     
    As American companies increasingly move their software development 
    tasks out of their own offices to computer programming companies here 
    and abroad, new concerns are being raised about the security risks 
    involved.
    
    Some of these concerns over the practice, known as outsourcing, are 
    being raised by people with an obvious self-interest — for example, 
    programmers who have seen their livelihoods shift to less expensive 
    operations overseas. And the companies providing outsourcing services 
    argue that they take all necessary precautions to limit risk. But the 
    question of whether the booming business in exporting high-tech jobs 
    is heightening the risk of theft, sabotage or cyberterrorism from 
    rogue programmers has been raised in discussions at the White House, 
    before Congress and in boardrooms.
    
    "I can't cite any examples of this happening — but what that means is 
    we haven't found any," said James Lewis, director of the technology 
    program at the Center for Strategic and International Studies in 
    Washington. "It's clearly a temptation for people, and it's a 
    concern," he said.
    
    While operations in some countries, like the United States, Britain 
    and India, are considered generally safe for such software 
    outsourcing, nervousness is beginning to grow at companies and in the 
    government about the possibility of abuse by hackers, organized crime 
    agents and cyberterrorists in nations like Pakistan, the Philippines 
    and Russia.
    
    To Mr. Lewis, the potential for problems in the software design 
    process goes beyond the earlier trend of running back-office 
    operations and call centers in other countries.
    
    "The banks have done a fairly good job of insulating themselves," he 
    said, keeping their call centers overseas from being able to engage in 
    unwanted activity. But letting outsiders work on the software that 
    runs businesses and financial institutions could be opening up a world 
    of trouble, he said. "You're going to have code that will be written 
    in countries like India and China," he explained, "and no one's going 
    to know what's in it."
    
    David McCurdy, a former congressman and executive director of the 
    Internet Security Alliance, an industry group, said that although he 
    considered himself a "free trader" with a strong belief in the 
    benefits of global commerce, he believed that the risk from offshore 
    outsourcing was "the most serious of the industry-based issues that 
    this country faces."
    
    The issue has been discussed quietly at the highest levels of 
    government, said Howard Schmidt, vice chairman of the president's 
    critical infrastructure protection board. At the White House, he said, 
    "this has come up as part of a broader discussion of how do we get 
    trust and reliability" in computer systems.
    
    He said, however, that the issue was outsourcing itself, not simply 
    the overseas kind, and cited spies like Aldrich H. Ames and Robert 
    Hanssen as examples of how Americans could do just as much damage to 
    the nation from within as outsiders could. "Irrespective of where it's 
    done, we need to make sure that our code is clean and protected across 
    the board," he said.
    
    It is easy to see why companies find the economics of outsourcing 
    compelling; cost savings can be 25 to 40 percent. Forrester Research 
    of Cambridge, Mass., predicted in a recent report that the 
    acceleration in outsourcing would result in 3.3 million American jobs' 
    moving offshore by 2015, an exodus reminiscent of the tide of American 
    blue-collar jobs that moved to East Asia in the 1980's. Forrester 
    estimates that 70 percent of these jobs will move to India, 20 percent 
    to the Philippines and 10 percent to China.
    
    Patrick P. Gelsinger, the chief technology officer of Intel, said the 
    cost of one engineer in the United States would pay for the services 
    of three Indians, four Chinese or five Russians. But he said he was 
    not concerned about the potential for mischief within his own 
    company's overseas software development. The software is reviewed, he 
    said, to avoid surprises.
    
    "Is it possible?" he said. "Sure, it's possible. Is it a unique risk 
    there? No, it isn't." 
    
    Offshore outsourcing got its trial run in preparations for the Year 
    2000 changeover, when government and industry had to check every line 
    of software for glitches that could make computer networks and even 
    building security systems shut down at 12 a.m. on Jan. 1, 2000. 
    
    Much of that work was done overseas, and although industry experts 
    warned that foreign programmers might commit crimes or lay the 
    groundwork for terrorism, no evidence of sabotage occurred, said Jay 
    Ehrenreich, senior manager for cybercrime prevention and response at 
    PricewaterhouseCoopers, the consulting firm. After that experience, he 
    said, many companies felt comfortable sending software work overseas, 
    and now such bespoke programming is done around the world.
    
    Programmers say the confidence is not justified. 
    
    "Anyone tells you that `offshoring' computer systems does not put the 
    infrastructure at risk is lying," said Ken O'Neil, a programmer who 
    lives on Long Island. He and other programmers talk of "sleeper bugs" 
    that could be set to go off at a later date, or back doors that would 
    let intruders in to shuttle money around, steal fractions of a penny 
    from millions of transactions or shut down the system entirely. They 
    warn of risks from political instability, organized crime and terror 
    cells, and even from governments that might demand the ability to spy.
    
    Such talk could be dismissed as the grumblings of disgruntled 
    white-collar workers who have seen their high-paying jobs move 
    elsewhere. "Nobody is going to cry for people who make $75,000 or 
    $100,000 a year," said Marc Alan Fink, who lost his programming job 
    more than a year ago.
    
    In fact, some of the newly expressed concern is part of a long-running 
    and acrimonious fight by programmers to hold on to their jobs in the 
    face of relaxed immigration standards for technical workers and 
    increased outsourcing. They attack the rise in special visas for 
    immigrant engineers, known as H1-B visas, and the trend toward sending 
    jobs overseas.
    
    The companies that provide software outsourcing services say that they 
    take rigorous precautions to ensure that their employees are 
    trustworthy and their code is secure. 
    
    Arup Gupta, president of Tata Consultancy Services, an Indian company 
    that is part of a conglomerate, said he had gotten worried calls from 
    clients after the recent F.B.I. raid on Ptech, a software company in 
    Quincy, Mass. The agents were looking for connections between the 
    company and Yasin al-Qadi, a Saudi Arabian financier suspected of 
    financing terrorism, but early speculation in news reports focused on 
    questions about whether the company, which provides software used by 
    many government agencies, including the F.B.I., was secure.
    
    Mr. Gupta assured his clients that his company used exacting 
    background checks and multiple reviews of company-written software 
    based on industry standards. "With all these in place, we can 
    guarantee, basically, that the code we deliver will be bug-free and 
    will perform to specifications and will not have holes in it," he 
    said. 
    
    He said he could speak for only his own company, but he added that 
    since the Sept. 11 attacks, security fears and economic troubles had 
    shrunk his industry and brought about the consolidation of the major 
    Indian software houses. "The top five or six companies, you can be 
    assured that they are conforming to these standards," he said. "The 
    others, you cannot be sure — but maybe they are."
    
    United States technology services companies are also expanding their 
    overseas outsourcing offerings. Electronic Data Systems provides 
    outsourcing services in 93 "solution centers" that it has opened 
    around the world since 1990. Paul D. Clark, the chief information 
    security and privacy executive for the company, said E.D.S. understood 
    that the threat of sabotage in outsourcing is real. He said, "To say 
    that it isn't is to deny the realities." That is why the company 
    adheres to security and testing standards wherever code is written, he 
    said, adding, "whether it's India or Indiana, it doesn't make any 
    difference." 
    
    The company is careful about what code it releases to which countries, 
    said Dan Zadorozny, president of application services for EDS 
    Solutions Consulting; some federal government work, he said, is done 
    only in the United States and Britain, and "we're not going to move 
    that anywhere." But E.D.S. insists that its standards are high enough 
    that its outsourcing sites offer "a more secure environment than you 
    can provide yourself."
    
    Some programmers, however, argue that reviews are less thorough than 
    companies say. "If code runs, I assure you, nobody ever looks at it," 
    said one, who said conducting a line-by-line review would be like 
    having an electrician tear into walls to check wiring even though the 
    lights were working. "It never gets done in practice."
    
    Mr. Ehrenreich, the crime consultant, said that it was up to companies 
    to demand that kind of security, even if it cost more. He recalled a 
    case in which he was asked to investigate the possibility of illegal 
    activity on an Indian outsourcing contract and discovered that it was 
    nothing more than run-of-the-mill overbilling fraud. 
    
    What struck him, however, was that the company had no idea how big the 
    problem was. He said far-worse crimes could have been committed 
    without anyone's knowing. "The risk was there that more could have 
    been done," he said. "They clearly did not have the controls in place 
    to mitigate it, control it."
    
    "You can outsource the work," he said, "but you can't outsource the 
    risk."
    
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Tue Jan 07 2003 - 04:56:57 PST