Big US and European software companies are increasingly developing code for mainstream products overseas, especially in Asia-Pacific. But despite the temptation for cost savings, analysts say bulk off-shoring of code development comes with an inherent risk – it’s simply less secure than on-shore code development. As the US government seeks to reduce software development costs amid looming budget reductions, this raises two important questions: 1) Is the off-shoring of code development a growing national security concern for the United States and 2) If so, does it need to impose new regulations and hold software developers liable for the quality of their code, especially for critical infrastructure products?
Most cyber security analysts I spoke with say off-shoring introduces unique cyber security concerns. However, the majority still believed it would strategically disadvantage the United States to start regulating private sector code development in the name of national security.
Robert Giesler, SAIC senior vice president and cyber security director, is one of those who oppose regulation as a solution. ‘As the Pentagon and intelligence community ask for better costs, there’s a push to develop code abroad,’ he says. ‘Everyone recognizes this, but there are ways to mitigate it that are easier and more cost efficient than on-shoring. If you regulate, you go back to the Maginot Line. Those with bad intent can manoeuvre around it.’
Giesler points out that the cost-benefit analysis for many off-shore countries, including Russia and India, reduces the likelihood that they would launch major supply chain exploitation operations. He also notes the likely significant economic consequences for the United States if it sought to regulate or impose liability on US software developers’ off-shore operations.
Dan Geer, Chief Information Security Officer at In-Q-Tel, agrees that regulation would be a mistake. ‘Any attempt to regulate software quality and security simply drives the software industry off-shore for good,’ he says. ‘Similarly, requiring trusted on-shore production ensures two things: (1) falling behind world progress as we aren’t the only smart people and we are a minority, and (2) costs rise in a way that makes on-shore-mandated software cost-uncompetitive on the world market.’
Still, not everyone agrees. Sean Costigan, a national security and technology consultant and co-editor of the upcoming book ‘Cyberspaces and Global Affairs,’* is one of the few willing to do so publicly.
In the absence of regulation, Costigan believes the software industry lacks the proper incentives to prioritize the security of their products at the level required to meet current national security objectives. He therefore suggests that new regulation should be considered for the software industry to harden code development, whether on or off-shore.
However, he does so in the context of arguing that supply chain security is only a small part of a much larger problem facing the industry: poor code development. From his perspective, the government must redress all of the issues affecting code quality, including operational security and legacy code, if it’s serious about cyber security.
‘Consider that at large companies there’s often considerable employee turnover to begin with, and it’s doubtful that people are checking credentials all that well. Not to pick on Microsoft, but in a product like Windows 7 that has been estimated at 50 million lines of code, you need a small army to write that code, with thousands of people touching it. Who is checking all that code?’ asks Costigan.
‘There’s a need for regulation to be sure. But…I think we need to focus on the risks of sloppy code as much as who writes it and where they are. Penalties for bad code should be considered,’ he says. ‘Ultimately, the short loop from bad code to easy cybercrime or foreign intelligence exploit is more worrisome. Consider that the White House now estimates cybercrime and industrial espionage damages of $1 trillion a year.’
Given that the software development industry vehemently opposes greater government oversight, such opinions are unlikely to gain favour in the commercial sector. The question, then, is whether like-minded people can change the minds of policymakers and national security analysts who have the power to force industry to adopt more stringent processes and standards if they believe it necessary.
Eddie Walsh is The Diplomat's Pentagon (accredited) correspondent and a WSD-Handa Fellow at Pacific Forum CSIS. His work has been featured by Gulf News, ISN Insights, CSIS, The East Asia Forum, The Jakarta Globe and The Journal of Energy Security. He blogs at Asia-Pacific Reporting, can be reached at asiapacificreporting@gmail.com, and followed @aseanreporting.
* Disclaimer: Eddie authored one of the chapters in Cyberspaces and Global Affairs.
Richard D. Arnold
Absurd and silly to suggest the government could possibly regulate the quality of code, or develop regulations to prevent code “sloppiness.” The breadth and depth of the challenge is comparable to all current regulations regarding all consumer products, pharmaceuticals, public infrastructure, and utilities combined.
Even more absurd to believe you could cobble together a brain trust that would be able to even ideate a framework for (let alone have) the skills needed to divine the right regulations to ensure that 50 million lines of code in Windows is up to snuff.
There are very few serious computer scientists in cyber security; still fewer who have the depth and breadth to talk intelligently about issues of software quality across ALL software. None of these guys are going to waste their talents starting the development of government regulations that will never be completed and never deployed – though a few might find the pure research required to begin an intellectually serious approach interesting.
Beware any government that wants to provide “oversight” of something it doesn’t have the talent to understand, nor the ops tempo to keep pace with, nor the foundation from which to launch. What’s really being talked about is a government-funded WELFARE program for wannabe computer scientists and engineers who aren’t talented enough to code and win jobs with commercial firms, and who seek careers in government regulation/service. This is the kind of bologna that’s draining our country of precious tax resources.
Government is responsible for national security, law enforcement, and public safety. Anybody in government who wants to “force industry to adopt more stringent processes and standards if they believe it necessary,” and who has the unmitigated and unwarranted arrogance to actually BELIEVE they know what’s best, should be fired; such a one is no longer a civil servant, but wants to rule over servants.
Pedro Lopez
The approach should be: if it is used in the US, at a US diplomatic site (which is technically US soil), or on a US military base (also technically US soil), mandate software quality, no matter where it is made. The US is such a large market that it would force other countries to do this.
This next paragraph sort of expands on Deming’s work.
And has anyone considered that competing with countries with cheap labor and resources, e.g. China, is a recipe for disaster for the US? There are two approaches: go cheap like China because you can, or compete on quality like the Germans and the Japanese, who do not have cheap resources and can never compete strictly on price. “Made in Germany” and “Made in Japan” have become synonymous with high quality engineering and manufacturing. If the US were to produce very high quality software, it would be able to compete quite well. How to get there is a tough question, but the right question must first be asked.
Quality reduces cost by reducing rework, marketing and sales costs, customer retention costs, and maintenance costs. Low bid contracting is a recipe for disaster. This is coming from an old IT/software pro who is leaving the industry due to its failure to commit to quality.