The 'Offshore' IT services market has grown extraordinarily fast worldwide in the past few years. Since the 1980s, offshore outsourcing has become a major facet of the business world. An increasing number of organizations have turned to offshore outsourcing of application development and maintenance as a means to reduce the cost of information technology.
Definition: Offshore IT outsourcing is the practice of subcontracting certain application development, maintenance and support functions to a third-party company in a country other than the one where the primary organization resides.
In a report issued by Datamonitor, the current market is estimated at more than $10 billion USD annually. Some industry analysts estimate worldwide spending on IT services delivered by offshore companies will exceed $75 billion USD within three to five years.
According to Gartner, the leading offshore outsourcing countries by region are listed below.
Americas: Argentina, Brazil, Canada, Chile, Costa Rica, Mexico and Uruguay
Asia/Pacific: Australia, China, India, Malaysia, New Zealand, Pakistan, the Philippines, Singapore, Sri Lanka and Vietnam
Europe, the Middle East and Africa: The Czech Republic, Hungary, Ireland, Israel, Northern Ireland, Poland, Romania, Russia, Slovakia, South Africa, Spain, Turkey and Ukraine
Large organizations see this as a huge opportunity for cost savings. Many experts view IT offshore outsourcing as a potential threat to the domestic job market in the technical world and have asked the government for protective measures or at least closer scrutiny of existing trade practices. IT offshore outsourcing poses another threat as well: covert espionage, backdoors and remotely accessible exploits.
Security and privacy concerns are now the biggest issue for companies considering outsourcing their IT projects to companies offshore. These concerns include, but are not limited to, fraud, backdoors, data theft, extortion and espionage. They are the major components of offshore security risk and are now a major area of concern for outsourcers and our national security alike. The unauthorized use of proprietary technology is another facet of the security concern. Most clients and outsourcers come together to integrate safeguards into their systems. New laws are being enacted regularly with regard to IT security and data theft. These laws have given some degree of protection to outsourced software development, and many organizations find comfort now that they have been enacted. That being said, security loopholes exist and are addressed when they are identified. Moreover, in the world of cyber conflict, terrorists, extremist groups, hackers in general and rogue nation states do not make a habit of following the law.
In a random survey of technology professionals with a combined 250+ years of experience, the following insight was gleaned.
1. The current approach to code reviews, walk-throughs, testing, validation and acceptance reviews of outsourced software development would be extremely unlikely to detect the existence of backdoors, trap doors or any other type of exploit.
2. The detailed testing, code review and walk-throughs required for a high degree of confidence that no malicious code has been embedded within the application
Below are the major influencing factors that came up during the data collection discussion.
1. Organizations that outsource application development have little if any control or oversight of the personnel assigned to and working on the software development.
2. The size and complexity of current applications do not allow code reviews and analysis at a level granular enough to ensure there are no backdoors or exploits.
3. The current state of automated testing and validation tools has very limited capabilities for detecting backdoors or exploits.
Below are some interesting facts and figures that were discovered during this analysis.
Fact: The software and services revenues of India are expected to hit $50 billion USD by the end of 2008.
Fact: The three most common offshore outsourcing functions are software development, software maintenance and help desk support.
Given the current cyber threat environment, extra security measures must be taken to protect the information infrastructure of the nation, our government and our corporations. Failure to take such measures and address this threat results in a huge risk and liability. According to Ed Maggio, Professor of Criminal Justice at the New York Institute of Technology and an Advisor to Spy-Ops, "Organizations can outsource the work, but they cannot outsource their liability to ensure the integrity of the software produced." Even with the added security testing and validation, you cannot be 100% sure the delivered software contains no malicious code.
So the only question that remains is: given the added cost of security testing and validation, coupled with the remaining risk of undetected malicious code, do you really save anything by using offshore outsourcing for software development? Finally, for those skeptics out there, to think that our enemies have not considered, and may not already have placed, covert assets in major development centers around the globe is shortsighted and endangers our national security and the economic health and prosperity of our country and businesses.