On-Shoring, Off-Shoring, Bad Code and Cyber Security
Should there be stricter regulations for bad code? How about a real push for bad code off-sets like these?
In this story published by Eddie Walsh in The Diplomat, you’ll find several viewpoints worth entertaining. Consider the following:
Robert Giesler, SAIC senior vice president and cyber security director, is one of those who oppose regulation as a solution. ‘As the Pentagon and intelligence community ask for better costs, there’s a push to develop code abroad,’ he says. ‘Everyone recognizes this, but there are ways to mitigate it that are easier and more cost efficient than on-shoring. If you regulate, you go back to the Maginot Line. Those with bad intent can manoeuvre around it.’
Dan Geer, Chief Information Security Officer at In-Q-Tel, agrees that regulation would be a mistake. ‘Any attempt to regulate software quality and security simply drives the software industry off-shore for good,’ he says. ‘Similarly, requiring trusted on-shore production ensures two things: (1) falling behind world progress as we aren’t the only smart people and we are a minority, and (2) costs rise in a way that makes on-shore-mandated software cost-uncompetitive on the world market.’
and my own point of view
In the absence of regulation, Costigan believes the software industry lacks the proper incentives to prioritize the security of their products at the level required to meet current national security objectives. He therefore suggests that new regulation should be considered for the software industry to harden code development, whether on or off-shore. However, he does so in the context of arguing that supply chain security is only a small part of a much larger problem facing the industry: poor code development. From his perspective, the government must redress all of the issues affecting code quality, including operational security and legacy code, if it’s serious about cyber security.
Here’s the longer version, with the reporter’s questions and my answers in quotes:
1) Large US and European software companies increasingly are developing code for mainstream products (i.e. Microsoft Office) overseas - especially in Asia-Pacific (ex. India and China). Some analysts suggest that bulk offshoring of code development is inherently more risky than the importation of skilled labor to the US. They cite the benefits of immigration vetting, law enforcement jurisdiction and oversight, and difficulty of foreign state interference on domestic soil. They also cite the potential for rural on-shoring of such jobs around technical universities in the Mid-West and South.
* From your perspective, do you believe that offshoring coding to Asia-Pacific introduces more risk and vulnerability and, if so, what are those risks (more root vulnerabilities, increased foreign state cyber capabilities, etc.)? Which major software vendors, who are developing code in countries that do not align with US national security interests (ex. China), are you most concerned about from the perspective of US national security interests?
The short answer is yes, but that’s not a complete answer. There’s a set of dynamics here that isn’t all about security. But if we treat the security issues first, consider that at large companies there’s often considerable employee turnover to begin with and it’s doubtful that people are checking credentials all that well. In a product like Windows 7 that has been estimated at 50 million lines of code, you need a small army to write that code, with thousands of people touching it. Who is checking all that code? That said, bad code is a major issue here too. The short loop from bad code to easy cybercrime or foreign intelligence exploit is more worrisome to me than who is writing the code to begin with or where they are in the world. Bad code means almost instant vulnerability, and patches are almost exclusively produced after some exploit has popped up. As we’ve just seen with Operation Shady RAT, sometimes it takes years for the victim to know that they’ve been had, too. There’s another issue here that has to do with immigration policy for students: there’s something decidedly odd with inviting people into the U.S. to get a first-rate education, only to push them out the door when they are ready to be employed and start their own businesses. I’d say you want students in IT to feel invested in the country that helped educate them, and employment in the U.S. might have a knock-on effect for improved security, broadly writ.
2) With code developed abroad now regularly checked into the code base of main stream products, some analysts suggest countries of origin should be designated on products by software vendors.
*Do you believe that US CIOs would benefit from knowing where specific products - and perhaps more importantly specific features (ex. X proofing tool was developed in Y country) - were developed? Would this play a major role in their procurement/deployment decisions? Would this put additional pressure on software vendors to ensure that their business practices were robust enough to confront the challenge?
We’re well along into a globalized workforce and so I think there’s very little to be gained from putting a “Coded in China” or “Coded in India” tag on the box. With complex code it would end up looking more like a bottle of Tropicana apple juice, with apples from Canada, Chile, China, Germany, United States, etc.
3) Some analysts suggest that major US software firms choose to (or are forced to by investors) place their economic interests above US national security interests when offshoring coding projects to Asia-Pacific (particularly China).
* Do you believe that US or EU software vendors have demonstrated this willingness in the past or will do so in the future? What are the risks (i.e. technology transfer concerns [ex. Boeing 747]) of doing so.
In short, yes. There’s always been a need for good code and strong security, but to date precious few companies have maintained those priorities. Investors seek profit, and profit almost inevitably means reducing production costs, and the leap from there to bad and/or malicious code is pretty short. I’d suggest we start with regulation that penalizes businesses for writing junk or bad code and begin to reverse the tide here. A more far-flung option would be a new “arsenal” approach to code for government, wherein government employees write the code that the government needs. Surely many will scoff at this suggestion, saying that commercial-off-the-shelf has given us the power of computing that we see today, but if we consider the downsides of not really knowing what’s in the millions of lines of code, it’s worth considering.
4) Some analysts suggest that new policies are required to confront the risks posed by offshoring coding for major software products to Asia-Pacific.
* Does the US and EU require greater regulation and oversight of software vendors who elect to ship coding overseas in order to protect long-term Western national security interests? If so, why has such legislation not been enacted on critical infrastructure grounds? Are US policymakers not well versed in the product development practices employed by major software vendors?
There’s a need for regulation, to be sure, but again I think we need to focus on the risks of sloppy code as much as who writes it and where they are. Penalties for bad code should be considered.
5) Some analysts suggest that it is important for long-term peace and stability in Asia-Pacific for the US and China to develop deeply integrated economies that are dependent upon one another. This reduces the likelihood of China emerging as a revisionist power. However, others cite China’s growing military and diplomatic assertiveness as reason for rejecting this claim.
* From your perspective, are there any national security benefits to offshoring coding to countries that do not necessarily share US national security interests (ex. China)? How should the US government balance the risks verses the reward?
Absolutely there are risks. But we needn’t lump together all commercial/consumer goods with all government-related IT needs. First, I think it’s clearly in U.S. economic interests to retain the lead in IT. There’s only one Silicon Valley and it’s a major driver of ideas and profits for the U.S. and the world. Consider that Apple is about to be worth more than Exxon! I suggest we look to improve education and immigration policy first as a matter of priority, aiming to figure out ways to develop critical infrastructure code on shore with the people that we’ve educated here in the U.S. That’s in keeping with U.S. security and economic interests and is a long-range vision for retaining vitality. That said, we clearly need to help enrich the world and straighten our ties and so there’s dynamic tension.