Slashdot Mirror


Does Offshoring Threaten Combat Software?

PreacherTom writes, "Pentagon officials report that 'maliciously placed code' could compromise the security of the Defense Department and, ultimately, hurt its ability to fight wars. The culprits: offshore programmers. While the Pentagon has stepped up its vendor screening and software testing of late, it's becoming more difficult and costly to test every line of software code on increasingly sophisticated weapons systems. The task force assigned to this issue will be soon presenting its report, and most likely will determine that offshoring presents too great a risk."

4 of 247 comments

  1. Appeals to emotion for fun and profit by Control Group · Score: 3, Insightful

    "Pentagon officials report that 'maliciously placed code' could compromise the security of the Defense Department and, ultimately, hurt its ability to fight wars. The culprits: offshore programmers. While the Pentagon has stepped up its vendor screening and software testing of late, it's becoming more difficult and costly to test every line of software code on increasingly sophisticated weapons systems. The task force assigned to this issue will be soon presenting its report, and most likely will determine that offshoring presents too great a risk."
    Blaming "offshoring" is a neat wave of the bloody shirt, but I don't think it's relevant to the problem. Take the word "offshoring" out of that quote, and replace it with "outsourcing." Does it still make sense? Let's see:

    "Pentagon officials report that 'maliciously placed code' could compromise the security of the Defense Department and, ultimately, hurt its ability to fight wars. The culprits: offshore programmers. While the Pentagon has stepped up its vendor screening and software testing of late, it's becoming more difficult and costly to test every line of software code on increasingly sophisticated weapons systems. The task force assigned to this issue will be soon presenting its report, and most likely will determine that outsourcing presents too great a risk."

    Looks like it does.

    If the problem is that there aren't enough resources (including time) to do a sufficiently thorough audit of all the code, then it doesn't matter where the code was written, does it? Do we really suppose that a malicious actor would have that much harder a time getting a job for a DoD contractor in the US than overseas? Do we really suppose that it would be that much more difficult to suborn a programmer overseas than here?

    Or, more accurately, is it enough more difficult in either case for us to be confident of code written inside the country as opposed to outside?

    It's not that I do think that offshored code is trustworthy, it's that I don't think "onshored" code is. And if we can't trust either, what does offshoring have to do with anything?

    --

    Reality has a conservative bias: it conserves mass, energy, momentum...
    1. Re:Appeals to emotion for fun and profit by Ana10g · Score: 3, Interesting
      Do we really suppose that a malicious actor would have that much harder a time getting a job for a DoD contractor in the US than overseas? Do we really suppose that it would be that much more difficult to suborn a programmer overseas than here?


      Yes and yes (good word, by the way, had to look up "suborn"). We may not have the manpower here to conduct a thorough, line-by-line audit, but we do have legions of background investigators. And, it's currently illegal for a non-US citizen to hold a security clearance, for good reason (you cannot let the fox into the hen house, after all). It's pretty much a moot point of offshoring work requiring a clearance, as it's illegal. More important to the discussion is the use of off-the-shelf components in developed software. This is where it gets a little fuzzy. Certain countries can be trusted, some cannot, and, by extension, companies based in those countries are not to be trusted either. Long story short, a lot of redevelopment occurs because offshore vendors are not trusted. It's a good and a bad thing. Costs more, provides Americans with jobs that will not go overseas. Provides a level of safety and security by ensuring code is developed by trustworthy people, but shorts out talented programmers overseas.

      I mean, seriously, who wants to buy fire control radar components from AlQaeda.com?
      --
      just an analog boy living in a digital age.
  2. Inconsistency by Flying pig · Score: 4, Interesting
    The UK government buys military equipment from the US which contains software which it is not permitted to review, and indeed for which it may not be allowed the latest version. And we are supposed to be about the only real international friend the US can rely on.

    And this software which we are not allowed to review may have been written by offshore programmers who will know perfectly well that they are doing the job because they are cheaper, and have absolutely no patriotic investment in the US?

    I wonder how many other global empires have been brought down by the desire to make a quick buck?

    --
    Pining for the fjords
  3. Already affecting the military by britneys 9th husband · Score: 4, Interesting

    Maliciously placed software code is already weakening our military and hurting its ability to effectively fight wars. And that code was developed by Diebold right here in the USA.

    --
    Hear recorded Slashdot headlines on your phone! New service beta testing. Just call (248) 434-5508