The offshore exodus of software programming over the past half-decade has slashed costs, eliminated tens of thousands of American jobs, and given rise to a huge industry in India. Now a debate has begun about whether the globalization of software is a serious threat to national security. Until now, the discussion has primarily been situated deep in the corridors of the Pentagon and limited to members of an obscure volunteer advisory board. But in the coming weeks, this could emerge as a hot-button security issue.
As combat becomes increasingly high-tech, Pentagon officials worry that "accidental defects" or "maliciously placed code" buried within a computer program could compromise the security of the Defense Dept. network and, ultimately, hurt its ability to fight wars, says Pentagon spokesman Maj. Patrick Ryder. A task force of the Defense Science Board is in the final stages of preparing a recommendation on how to deal with the fact that some of the software the military buys is produced offshore. While task force deliberations are secret, the conversations between its members and outside technology and security experts are raising concerns among tech industry groups here and abroad.
National security issues concerning the offshore development of software have been raised in the past. In 2001, foreign software companies and programs developed overseas were flagged as a bigger potential threat than domestic hackers when the Defense Security Service noticed a surge in "suspicious attempts" by foreign hackers to gain access to U.S. computer systems. Approximately one-third of those attacks were sponsored in some capacity by foreign governments, according to the Government Accountability Office. "We recognize that there are real threats," says Phil Bond, chief executive of the Information Technology Assn. of America (ITAA), a tech lobbying group. "We want government to deal with this in a smart way, and we're concerned they might do it wrong."
Custom-Made Would Be Costly
The worry is that the Pentagon might enact policies forcing tech suppliers to break off pieces of their global supply chains, making it difficult to deliver the most advanced products at affordable prices. These days, computer builders, chipmakers, software publishers, and tech-services outfits all tap inexpensive programming talent in foreign countries—sometimes assembling Lego-like chunks of code from different sources. This includes not just software for computers and networks but, in some cases, programs for military aircraft, missile guidance, and battlefield management systems. Industry advocates are concerned that efforts to fence out security threats could bring a return to the days when too much of the stuff the Pentagon bought was custom-made—a practice that gave rise, infamously, to $600 toilet seats.
It's not clear yet if the worst fears of the industry will be realized. William Schneider Jr., the chairman of the Defense Science Board, tells BusinessWeek that while he hasn't seen the task force's conclusions, he's confident that the recommendations won't be draconian. They'll affect only the technologies where security is paramount. "Most of the software DOD uses has elements that are written overseas, and that isn't a problem," says Schneider. "The problem is in ultrasensitive defense applications where they are mission-critical and you want a high degree of confidence that nothing's wrong with the software that has been written overseas."
Clear and Present Concern
Concerns about cybersecurity are frighteningly real. Just three weeks ago, the Commerce Dept. revealed that attacks by Chinese hackers forced one of its bureaus to cut off Internet access and discard virus-infected computers. It was the second such major attack on U.S. government computers since July. This threat of hostiles sabotaging networks or opening secret back doors for spying is what motivated the U.S.-China Economic and Security Review Commission in April to recommend a change in how the State Dept. used some of the PCs it bought from Lenovo Group, the PC giant that started in China. "It's clearly a legitimate and present security concern," says Larry M. Wortzel, the commission's chairman.
Yet Wortzel is also among those who recognize the potential pitfalls in overreacting. There are no easy solutions to lowering risk, since pieces of software made by foreigners are embedded throughout computing equipment and software packages—whether they're sold by U.S. companies or not. Also, there's no assurance that software programs written by Americans will be secure, either. Americans can be hackers and spies, too. "With networks, often it's the inside threat that gets you," says Paul G. Kaminsky, a member of the Defense Science Board who, like Schneider, is not on the Pentagon's software task force.
Some U.S.-Only Projects
There are some security measures that would stop short of banning offshore programming from a significant number of Pentagon projects. James A. Lewis, an analyst at the Center for Strategic & International Studies, who is writing a report on the issue for the ITAA, says he will likely recommend that the Pentagon define secretive and mission-critical types of projects where all of the programming must be done by U.S.-approved programmers. He also advocates the government use more advanced computer networking technology that can monitor itself for suspicious activities.
The Pentagon has stepped up its vendor screening and software testing in recent years, but the GAO says it's becoming more difficult and costly to test every line of software code on increasingly sophisticated weapons systems. And it's next to impossible to monitor all software developers, forcing the Pentagon to look for other solutions. "One of the possible conclusions is that very sensitive software would be written differently vs. the commercial software that DOD uses extensively," says the Defense Science Board's Schneider. The DOD is "not going to write the next version of Vista. We're happy to use Microsoft."