The cybersecurity risk from outsourcing isn't new. Back in 2005, Dr. Goodman chaired the cybersecurity panel for the Association for Computing Machinery, which found that "offshoring [of software development] magnifies existing risks and creates new and often poorly understood or addressed threats to national security, business property and processes." But the threat continues to grow as companies outsource not just software for smart phone apps, but also software tools that run corporate websites, networks, and databases.
The "Bob" episode came to light during a review of his company's data logs, which revealed that an unknown intruder was connecting daily to the company's network from Shenyang, China, according to "risk team" investigators from Verizon, a provider of cybersecurity services, hired to look into the breach. Bob had received sterling performance reviews, but his Web browser history revealed that he spent a typical work day as follows:
9 a.m. – Arrive and surf Reddit for a couple of hours. Watch cat videos.
11:30 a.m. – Take lunch.
1 p.m. – Ebay time.
4:30 p.m. – End of day update e-mail to management.
5 p.m. – Go home.
"They’re a US critical infrastructure company, and it was an unauthorized ... connection from CHINA," the investigators wrote with emphasis. "The implications were severe and could not be overstated."
While Bob outsourced his software work without his company's knowledge, many other suppliers of "critical infrastructure" offshore such work as a matter of course.