Big US and European software companies are increasingly developing code for mainstream products overseas, especially in Asia-Pacific. But despite the temptation for cost savings, analysts say bulk off-shoring of code development comes with an inherent risk – it’s simply less secure than on-shore code development. As the US government seeks to reduce software development costs amid looming budget reductions, this raises two important questions: 1) Is the off-shoring of code development a growing national security concern for the United States and 2) If so, does it need to impose new regulations and hold software developers liable for the quality of their code, especially for critical infrastructure products?
Most cyber security analysts I spoke with say off-shoring introduces unique cyber security concerns. However, the majority still believed it would strategically disadvantage the United States to start regulating private sector code development in the name of national security.
Robert Giesler, SAIC senior vice president and cyber security director, is one of those who oppose regulation as a solution. ‘As the Pentagon and intelligence community ask for better costs, there’s a push to develop code abroad,’ he says. ‘Everyone recognizes this, but there are ways to mitigate it that are easier and more cost efficient than on-shoring. If you regulate, you go back to the Maginot Line. Those with bad intent can manoeuvre around it.’
Giesler points out that the cost-benefit analysis for many off-shore countries, including Russia and India, reduces the likelihood that they would launch major supply chain exploitation operations. He also notes the likely significant economic consequences for the United States if it sought to regulate or impose liability on US software developers’ off-shore operations.
Dan Geer, Chief Information Security Officer at In-Q-Tel, agrees that regulation would be a mistake. ‘Any attempt to regulate software quality and security simply drives the software industry off-shore for good,’ he says. ‘Similarly, requiring trusted on-shore production ensures two things: (1) falling behind world progress as we aren’t the only smart people and we are a minority, and (2) costs rise in a way that makes on-shore-mandated software cost-uncompetitive on the world market.’
Still, not everyone agrees. Sean Costigan, a national security and technology consultant and co-editor of the upcoming book ‘Cyberspaces and Global Affairs,’* is one of the few willing to do so publicly.
In the absence of regulation, Costigan believes the software industry lacks the proper incentives to prioritize the security of their products at the level required to meet current national security objectives. He therefore suggests that new regulation should be considered for the software industry to harden code development, whether on or off-shore.
However, he does so in the context of arguing that supply chain security is only a small part of a much larger problem facing the industry: poor code development. From his perspective, the government must redress all of the issues affecting code quality, including operational security and legacy code, if it’s serious about cyber security.
‘Consider that at large companies there’s often considerable employee turnover to begin with, and it’s doubtful that people are checking credentials all that well. Not to pick on Microsoft, but in a product like Windows 7 that has been estimated at 50 million lines of code, you need a small army to write that code, with thousands of people touching it. Who is checking all that code?’ asks Costigan.
‘There’s a need for regulation to be sure. But…I think we need to focus on the risks of sloppy code as much as who writes it and where they are. Penalties for bad code should be considered,’ he says. ‘Ultimately, the short loop from bad code to easy cybercrime or foreign intelligence exploit is more worrisome. Consider that the White House now estimates cybercrime and industrial espionage damages of $1 trillion a year.’
Given that the software development industry vehemently opposes greater government oversight, such opinions are unlikely to gain favour in the commercial sector. The question, then, is whether like-minded people can change the minds of policymakers and national security analysts who have the power to force industry to adopt more stringent processes and standards if they believe it necessary.
Eddie Walsh is The Diplomat's Pentagon (accredited) correspondent and a WSD-Handa Fellow at Pacific Forum CSIS. His work has been featured by Gulf News, ISN Insights, CSIS, The East Asia Forum, The Jakarta Globe and The Journal of Energy Security. He blogs at Asia-Pacific Reporting, can be reached at firstname.lastname@example.org, and followed @aseanreporting.
* Disclaimer: Eddie authored one of the chapters in Cyberspaces and Global Affairs.