February 2004 Mfg.Trust
Mfg.Trust is a monthly feature of the
NCMS InfraGard Manufacturing Industry Association
Infrastructure assurance for manufacturers
Powered by NCMS.
This month – Unseen Dangers in Offshore IT Outsourcing?
Due Diligence Demanded
Editor's Preface:
This month’s article focuses on the potential for inadequate security
surrounding the booming offshore outsourcing trend. Over half of the
Fortune 500 companies send billions of dollars overseas to pay for
outsourced software development and business processing in low-wage
countries like the Philippines, China, and India. The driving force is
the pursuit of instant price advantages through “globalizing
production.” However, rising security risks for customers, corporate
stakeholders, and U.S. national security are often overlooked.
To examine the issue, read on. We are indebted to Tom Cocchiarella and
Rob Ramer for the material for this month’s article. Tom Cocchiarella
has served as the FBI’s InfraGard Delegate for the Minnesota Chapter
since 2001, and is a Sr. Director for Architecture and Technology for
one of Minnesota’s largest health care organizations. Rob Ramer is the
founder of TerraFirma Security, a St. Paul-based company that
specializes in outsourcing risk mitigation and has offices in Bombay,
India, and Singapore.
As always, our Resources Section at
http://trust.ncms.org contains a rich set of links for further
reading.
Editor
UNSEEN DANGERS IN OFFSHORE IT OUTSOURCING?
Overview
In August 2002, an FBI sting operation in New Delhi recovered stolen
source code from a developer who had been fired by his Bombay software
outsourcing employer. Now, a court in India will have to decide if any
charges can be brought to prevent theft of intellectual property from a
U.S. client. Currently, India does not recognize trade theft.
From phone operators who answer questions about U.S. citizens’ Visa
accounts, to programmers who maintain computer operations for U.S.-based
airlines, IT workers half a world away are directly involved in our
daily lives. Railroads, power companies, and defense contractors
regularly use global outsourcing to cut costs and deliver services to
their clients. A network of software development centers, data
operations centers, and business-processing centers stretches around the
globe, located in countries including China, Vietnam, Russia, India,
Ireland, and Spain. This scenario has become part of today’s global
economy, one driven by modern global economics that realistically cannot
be changed.
We do believe attention is needed concerning the increased risk of
criminal attacks against our critical infrastructures via these offshore
centers. This is important, because U.S. laws do not govern these
offshore operations, nor are they operated under generally accepted
American business standards.
Computer Services Outsourcing
Computer offshore outsourcing itself often increases network
vulnerabilities because a client American company is directly linked to
a network it no longer has control over. (Offshore data links are often
routed through a web of service providers, meaning that neither the
outsourcing client nor the outsourcing vendor knows the actual path of
the data.) System design information is often transmitted via
unprotected email or discussed over open voice networks. This provides
an opportunity for “observers” to learn about proprietary data, gather
information on internal networks, or obtain code of new software systems
being designed for a client company.
Unauthorized “hacker” access to software (designs and code) could, with
malicious intent and relative ease, create blackouts, cause air or rail
accidents, system shutdowns, or interfere with U.S. computer and
communications systems. Yet, American defense and government contractors
routinely outsource software development in order to reduce costs.
The Environment Overseas
A St. Paul-based security auditing/consulting company spent the last
year evaluating various data centers in India. They identified serious
vulnerabilities in facilities in India and in the data links to the
networks of major Twin Cities corporations. Vulnerabilities uncovered
included: confidential data being transmitted unencrypted, the absence
of back-ups, and poor physical security at various India-based data
centers.
U.S. corporations that outsource IT functionality overseas should
realize that they remain legally responsible in the U.S. for any losses
or consumer damages from the failure of outsourced systems. In addition,
U.S. companies may find they have little legal redress in the
outsourced host country, either due to inadequate cyber statutes or
possibly to corruptible legal structures in some host countries.
What Can Be Done?
There are very specific actions a company can take to mitigate risks:
* Federal financial regulators have taken action to warn banks against
various outsourcing risks. The Office of the Comptroller of the Currency and
other Federal agencies have issued guidance that emphasizes simple
obligations: due diligence, active management of security issues, and
repeated third-party audits.
* BITS, a technology exchange group related to the Financial Services
Roundtable (see Resources Page), has
developed a systematic framework for assessing and managing IT
outsourcing risks (see http://www.bitsinfo.org/serviceproviders.html).
* The Federal government, through the National Infrastructure Protection
Center (NIPC) and InfraGard (a private/government FBI partnership
organization dedicated to fighting cyber and physical threats against
the nation’s critical infrastructures), has also taken notice of this
issue (see www.infragard.org).
We believe the U.S. government and private industry must both take much
stronger and more proactive leadership on this issue. The Government should
lead in its own sectors – defense, intelligence, space, and the
regulation of some critical infrastructure providers.
Privately owned organizations must proactively manage the security of their
outsource providers, and conduct regular security assessments using
security firms based within their own country.
An estimated 85 percent of America’s critical infrastructure is owned by
private, non-government businesses. Since our U.S. critical
infrastructure is increasingly dependent on global IT systems, it is up
to our government and corporations to take steps to ensure that any
offshore outsourcing is secure.
Conclusion
We must do more to protect our critical assets from cyber attacks. It
is up to both government and industry to protect the computer systems
that drive our critical infrastructures. The steps outlined by financial
regulators are applicable to all outsourcing:
* perform due diligence for security on the outsourcer,
* provide constant and active management that includes accountability
for reporting and redressing security vulnerabilities, and
* demand regular third-party security audits.
LINKS
TerraFirma Security Inc.
Full text article by Rob Ramer and Tom Cocchiarella
http://www.tfsecurity.com/unseendangers.html
If you liked Mfg.Trust, please
forward it to a colleague in your company!
Feel free to direct questions and comments to
johns@sheridansolutions.com
To request your own FREE subscription to Mfg.Trust, send email to
philc@ncms.org
To unsubscribe, please send an email to
listserv@listserv.ncms.org
and insert the words "unsubscribe mfgtrust", without the quotes, in the
BODY of the message. This is a moderated list.