The Insecurity Of Outsourcing

I wrote a very long post titled "Outsourcing To Hell" and as a TV show aired, I am not only right but I also did not sound enough alarms.  My principal concern was rogue programming code in critical systems but as this ZDNet Asia article shows security problems can also be very low tech in nature.

Outsourcing To Hell

Outsourcing is best described as the race to the bottom line. Most if not all of the Fortune 1000 have outsourced or are contemplating the transfer of many business functions to countries outside the United States. It is big business. The largest US companies, IBM, EDS, Accenture as well as emerging global players such as Infosys, Tata and Wipro are all in the game. Everything from call centers, medical transcription services to programming of critical software is being sent overseas to deliver incredible cost savings to corporations, public and private, large and small.

It is difficult not to listen to the siren song of outsourcing. Promises of up to 80% cost savings on a company’s non-core activities are just too hard to ignore. Several factors come into play - global competition, a near maniacal push towards optimum performance characterized by cost savings and efficiency and the demand for greater growth and profits all play into the hands of companies who promise incredible cost savings to America’s corporations. Unfortunately the push to higher profits and greater savings and cost efficiencies often come with greatly magnified risks.

Even the most American of companies cannot ignore the trend. “If we don’t do it, we will be killed on prices by our competition” carps one giant consulting company executive. Unabashed free traders likewise add fuel to the fire by arguing that in a global economy with borders blurred by the Internet, the outsourcing trend is an inevitable consequence of progress.

Maybe so.

In a world transformed by global terrorism, it is clear that uncontrolled, unabashed and unregulated move to outsourcing plays into the hands of those who see the current world order as fundamentally wrong and immoral. Unlike the movement of industries like Nike shoes from Portland and Levis jeans from San Francisco to China and the Philippines, the outsourcing of information processing intensive industries will inevitably bite and mangle the hands that feed it.

It is one thing to stamp automobile body parts in Korea, assemble bicycles in Taiwan or manufacture t-shirts from Ecuador and bring them back to the world’s largest market, the United States. It is a wholly different dynamic and a far more gruesome scenario when we send deeply personal and private health care, personal and corporate financial information to Bangalore, Kiev, Hyderabad, Shanghai or Islamabad. It is even more frightening that many critical system and application software and imbedded systems are being coded in countries by people who may not have the sophistication to write secure code or conversely, even worse have the evil knack and skill to create backdoors and Trojans that very few can find.

We struggled through our own complex legislative and political processes to create and pass landmark legislation such as HIPAA, Gramm-Bliley-Leach and Sarbanes-Oaxley yet we send the most precious bulk, not just pieces of information, to the most politically unstable and volatile regions of the world that are all rife with economic disparities that best described as worlds of mass poverty. One wonders about the wisdom of sending terabytes of information into places like India and Pakistan, who have gone to war over patches of wastelands, have nuclear warheads pointed at each other, fundamentally have hated each other for hundreds of years and where religious zealots of all sects are as prolific as dirt.

Further the countries that are the largest beneficiaries of the global outsourcing trend have lax laws and non-existent enforcement against those who may use the information for ill gain. What effect or deterrent does the US computer crime statutes have on a foreign call center agent making $90 a week (…or a month in some places)? There are hundreds of thousands of these folks who can harvest your full personal profile including your social security number and latest bout with genital herpes.

Imagine selling the information for $1 a name to someone’s distant third cousin (…and unabashed identity thief) in some US city (…or Europe) who can pick up the information from a computer system in a Kinkos or public library. When you have hundreds of thousands of platinum cardholder names with complete information, $100 a month becomes tip money. Shredding your mail and guarding your mailbox to guard against identity theft becomes a “why-bother?” issue.

With Internet banking showing no signs of slowing down it is not only possible to move monies out of unsuspecting accounts in seconds but also very easily turn it into untraceable yet highly negotiable assets such as precious metals, diamonds or RAM chips. Money laundering used to be the trade of corrupt bankers and financial wizards. Today it takes an Internet connection, greed or disdain for what the free world stands for to transfer huge amounts of money to unsavory people and uses.

An even more deadly and evil scenario is possible when all this information is accessible to those who consider the United States the great Satan. With the advances in laser color printing, holographic reproductions, smart chips and RFID (radio frequency identification chips) being globally available, it may be possible to steal identities without ever setting foot in the United States. These advances are greatly magnified by some grave technological shortcomings like the inability to trace cell phone calls in a globally connected telecom world. Almost anywhere in Europe and Asia, you can buy fully charged cellular phone GSM SIM cards from street hawkers that work perfectly well in the US. Even in the US, our “advanced wireless networks” cannot trace a 911 call to respond to emergencies. We can only tremble in disgust and fear on what is possible.

Consider that an act of stealing a “little information” (or a lot) from any system has been trivialized by progress in storage technology and the Internet. USB (universal serial bus) and Firewire ports make copying gigabytes of information child’s play into small handy hard drives or flash memory devices. Most of these overseas customer contact and support centers that handle the millions of inquiries by the John and Jane Does of Cedar Rapids, Iowa have computers that are connected to the internet and make the transfer of bits of information or even whole files and directories an inconsequential matter. Add a little sophisticated computer memory cache management and the act is 100% undetectable even by the spooks at the National Security Agency.

Publicly and globally available peer-to-peer file transfer and computing capabilities have already demonstrated both the great benefits and unmitigated information anarchy that is possible. Global peer-to-peer and/or grid computing systems are being used to crack genomic sequences at costs and speeds that could not even be imagined 20 years ago. On the other side, peer-to-peer software has decimated the economics of the moribund music and recording industry forcing it to turn to litigation and abuse of the subpoena process to attempt to intimidate 12-year olds from downloading the latest Eminem song. The crux of the matter is clear --- It is not getting harder to steal information; it is becoming so trifling and easy that it has lost the edge of danger, illegality and ethics. The proverbial genie is out of the bottle.

Free traders and efficiency wonks see no difference between a cashmere sweater or a can opener and the health records or financial information of a housewife, US senator or corporate executive. Very little retrospect points to a trend that is patently dangerous to the national security and interest of the United States and the civilized world in general. A Bush administration official pronounced on television recently, “…We have to be right all of the time. Our enemies only have to be right once”.

There are has always been the notion of “do-the-right-thing”. The right thing to do is to regulate the transfer of information systems and data overseas. Even after the cold war, we still do not freely transfer the knowledge needed to create weapons of mass destruction to China or Russia. Why do we transfer potentially millions of terabytes of critical personal, financial and corporate information overseas? Why do we send critical system, application and imbedded software to be coded in programming sweatshops without systems or processes to positively assure us of their security?

Surely we will all migrate to a true global economy. We are at the crucible of economic history and our fate will be determined by the wisdom of decisions we and our leaders make. Globalization is not only possible, it is here and will continue to happen. But the pace of globalization should not be driven by the bottom line. We have the ability to make decisions to either dangerously speed up the pace or proceed with prudence and caution. It should be done when we are ready and assured that social, political, economic and security concerns have been fully addressed by all parties involved.

Being the one to say, “I told you so!” or “Didn’t I warn you?” means nothing to those of us who collectively see the writing on the wall. Defenders of the information outsourcing trend are not driven by strategic intent to defend the United States or the civilized world as whole. They are motivated by selfish intentions to be messiahs of the bottom line and slaves to the quarterly reports. All they care about is winning the race to the bottom.

As far as I am concerned, they can go straight to hell.