Many US companies hire foreigners to build new software for their computer networks – a practice that may raise their risk of cyberattack, some experts warn. Even firms that do not outsource software development may find an occasional employee doing it on the sly, as in the case of 'Bob.'
A software developer at a US company providing "critical infrastructure" – transportation, electricity, water, or the like – last year secretly outsourced his job writing computer programs to software engineers in China. Dubbed "Bob" by investigators – to keep his identity and that of the firm private – he even overnighted his electronic Secure ID token to China so the workers there could log into his company's network.
That left Bob, who paid the Chinese software engineers a fraction of what he earned to do his work, plenty of time to surf the Internet and watch cat videos. But it also left Bob's company vulnerable to having its computer network compromised, possibly in ways that interfered with company operations or jeopardized public safety, some cybersecurity experts say.
In this case, the Chinese workers to whom Bob outsourced his work have so far not been identified as cyber monkey-wrenchers, according to a Jan. 14 blog by those who investigated Bob's exploits. But the episode serves as a warning to the thousands of US companies that opt to outsource their software development work to firms abroad, in an effort to cut costs, cybersecurity experts say. The practice, they warn, represents a big hole in the cybersecurity shield America needs to build to protect itself from cyberattack.
"If an attacker is part of your organization as an outsource contractor – writing code, or building the chip – they are in effect insiders with all kinds of advantages that enable them to cause you and your customers all kinds of grief," says Seymour Goodman, a professor of international affairs and computing at the Georgia Institute of Technology.
Page 1 of 6