1 p.m. – eBay time.
4:30 p.m. – End of day update e-mail to management.
5 p.m. – Go home.
"They’re a US critical infrastructure company, and it was an unauthorized ... connection from CHINA," the investigators wrote with emphasis. "The implications were severe and could not be overstated."
While Bob outsourced his software work without his company's knowledge, many other suppliers of "critical infrastructure" offshore such work as a matter of course.
"We are aware of several critical infrastructure organizations that outsource development projects overseas," says Robert Huber, a principal investigator with Critical Intelligence in Idaho Falls, Idaho, a company specializing in security for critical infrastructure providers. "Without a thorough security review by someone in your organization, you have no idea of the issues that are being introduced to your networks that may expand your attack surface." Malware inserted into software in the "software supply chain," as it is being written, can leave companies vulnerable to theft of their intellectual property, he says.
Software products that defense contractors supply to the Pentagon, for use in microelectronics and telecommunications, are also at risk. Most contractors have geographically dispersed supply chains that create "a vulnerability of potential insertions of malicious hardware or embedded software on the hardware components," the US-China Economic and Security Review Commission warned in a report last year to Congress.