Slashdot Mirror


Does Offshoring Threaten Combat Software?

PreacherTom writes, "Pentagon officials report that 'maliciously placed code' could compromise the security of the Defense Department and, ultimately, hurt its ability to fight wars. The culprits: offshore programmers. While the Pentagon has stepped up its vendor screening and software testing of late, it's becoming more difficult and costly to test every line of software code on increasingly sophisticated weapons systems. The task force assigned to this issue will be soon presenting its report, and most likely will determine that offshoring presents too great a risk."

6 of 247 comments

  1. Inconsistency by Flying+pig · · Score: 4, Interesting
    The UK government buys military equipment from the US which contains software which it is not permitted to review, and indeed for which it may not be allowed the latest version. And we are supposed to be about the only real international friend the US can rely on.

    And this software which we are not allowed to review may have been written by offshore programmers who will know perfectly well that they are doing the job because they are cheaper, and have absolutely no patriotic investment in the US?

    I wonder how many other global empires have been brought down by the desire to make a quick buck?

    --
    Pining for the fjords
  2. Re:Appeals to emotion for fun and profit by Ana10g · · Score: 3, Interesting
    Do we really suppose that a malicious actor would have that much harder a time getting a job for a DoD contractor in the US than overseas? Do we really suppose that it would be that much more difficult to suborn a programmer overseas than here?


    Yes and yes (good word, by the way, had to look up "suborn"). We may not have the manpower here to conduct a thorough, line-by-line audit, but we do have legions of background investigators. And, it's currently illegal for a non-US citizen to hold a security clearance, for good reason (you cannot let the fox into the hen house, after all). It's pretty much a moot point of offshoring work requiring a clearance, as it's illegal. More important to the discussion is the use of off-the-shelf components in developed software. This is where it gets a little fuzzy. Certain countries can be trusted, some cannot, and, by extension, companies based in those countries are not to be trusted either. Long story short, a lot of redevelopment occurs because offshore vendors are not trusted. It's a good and a bad thing. Costs more, provides Americans with jobs that will not go overseas. Provides level of safety and security by ensuring code is developed by trustworthy people, but shorts out talented programmers overseas.

    I mean, seriously, who wants to buy fire control radar components from AlQaeda.com?
    --
    just an analog boy living in a digital age.
  3. Re:Appeals to emotion for fun and profit by thermopile · · Score: 2, Interesting
    Here's why the US government is so concerned about someone hiding a trojan horse inside sensitive code: The U.S. has done it to other countries before.

    Click here for a fascinating article describing how the CIA and FBI managed to sell to the Soviets some chips with bungled operations "hidden" in the chips, to be used for their shiny, new Trans-Siberian natural gas pipeline. The result was the largest non-nuclear explosion ever seen from space.

    What goes around, comes around, and the government is getting nervous...

    --

    "Diplomacy is something you do until you find a rock." --Richard Pound

  4. Already affecting the military by britneys+9th+husband · · Score: 4, Interesting

    Maliciously placed software code is already weakening our military and hurting its ability to effectively fight wars. And that code was developed by Diebold right here in the USA.

    --
    Hear recorded Slashdot headlines on your phone! New service beta testing. Just call (248) 434-5508
  5. Re: Background checks... was Appeals to emotion by guacamole+rocks · · Score: 2, Interesting
    If the problem is that there aren't enough resources (including time) to do a sufficiently thorough audit of all the code, then it doesn't matter where the code was written, does it? Do we really suppose that a malicious actor would have that much harder a time getting a job for a DoD contractor in the US than overseas? Do we really suppose that it would be that much more difficult to suborn a programmer overseas than here? Or, more accurately, is it enough more difficult in either case for us to be confident of code written inside the country as opposed to outside?

    Yes, in fact we can be more confident of US code. When the US Government subcontracts to someone in the US, there are two dynamics in our favor...

    1. The US does not have the kind of economic forces that encourage the kind of high turnover that is typically seen in places like India (as an example). As a former employee of an embedded-systems company, I heard all about the rampant problems that our foreign outsourcing partners had... including competitors who would wave a few more rupees at them and they immediately flee (taking our proprietary knowledge with them).

    So, how does this contribute to this discussion about hidden backdoors in Government software? The problem is that higher turnover means less incentive for the contracting company to do their due diligence on the next guy... knowing that a significant portion of them will be gone within months. It also means an easier time for, say, an Iranian or Pakistani with a grudge to start working for the same company...

    2. It is much easier to ensure you are getting good background checks in the US... the Feds can audit the contractors' employees' backgrounds... much harder to do on foreign soil.
  6. Re:Hysterical rubbish by XSforMe · · Score: 2, Interesting

    "Government however should promote within its own and never send work away."

    Not too long ago, I had the chance to go to a contractor convention of one of our major clients. There, I had the chance to meet our Chinese counterpart and even though he seemed very energetic and enthusiastic it was apparent he was far from being on the same level as most of the contractors over there.

    Later on, I asked our client what was the deal with the Chinese contractor. It turns out the client won a huge government contract, but within the contract, there was a clause which stipulated that 85% of the workforce used to execute the contract had to be Chinese, and if required the contractor would be in need to train such required workforce.

    I guess that explains a lot on how these people are achieving such levels of productivity in such a short time.

    --
    My other OS is the MCP!