"If an attacker is part of your organization as an outsource contractor – writing code, or building the chip – they are in effect insiders with all kinds of advantages that enable them to cause you and your customers all kinds of grief," says Seymour Goodman, a professor of international affairs and computing at the Georgia Institute of Technology.
The cybersecurity risk from outsourcing isn't new. Back in 2005, Dr. Goodman chaired the cybersecurity panel for the Association for Computing Machinery, which found that "offshoring [of software development] magnifies existing risks and creates new and often poorly understood or addressed threats to national security, business property and processes." But the threat continues to grow as companies outsource not just software for smart phone apps, but also software tools that run corporate websites, networks, and databases.
The "Bob" episode came to light during a review of his company's data logs, which revealed that an unknown intruder was connecting daily to the company's network from Shenyang, China, according to "risk team" investigators from Verizon, a provider of cybersecurity services, hired to look into the breach. Bob had received sterling performance reviews, but his Web browser history revealed that he spent a typical work day as follows:
9 a.m. – Arrive and surf Reddit for a couple of hours. Watch cat videos.
11:30 a.m. – Take lunch.