
Is Off-Shoring a National Security Threat?

Posted by timothy
from the never-buy-outside-your-zip-code dept.
An anonymous reader writes "Should the U.S. government hold developers more responsible for the quality of their code? One top cyber security analyst says more regulations would be a mistake. 'Any attempt to regulate software quality and security simply drives the software industry off-shore for good,' he says. 'Similarly, requiring trusted on-shore production ensures two things: (1) falling behind world progress as we aren't the only smart people and we are a minority, and (2) costs rise in a way that makes on-shore-mandated software cost-uncompetitive on the world market.'"

  • by MrSavage (2127458) on Tuesday October 04, 2011 @11:09AM (#37599328)
    We should regulate off-shore produced code and push jobs back to the U.S. the same way we should apply tariffs to products made in China.
    • I'm from the UK, and I produce software used by US companies to provide services for their customers. Now, you can go ahead and apply tariffs to the work that I do, and that is fine with me. It's not like those US customers of ours have alternatives to choose from (we're highly specialised). All you are proposing is a tax to ensure that our US customers become less competitive than companies from Asia and Europe. If a company is no longer competitive, it quickly ceases to be viable. I'd imagine most, if not
      • by rgviza (1303161)
        -On a more practical note, where would you plan to draw a line with this tariff?
        Simple, tariff any wages paid to offshore developers doing work for US companies. These are already documented by export compliance procedure. Make the corporations pay a 700% tax on foreign wages they pay out. Then all of a sudden US workers start to look attractive again. Prevent the companies from moving out by charging them a 700% tax on goods and services they sell to US citizens.

        - If producing code cheaply outside the US i
    • by couchslug (175151) on Tuesday October 04, 2011 @02:07PM (#37601768)

      We should fucking COMPETE. We EXPORT commodities and manufactured goods which would make us vulnerable in a trade war.

      GERMANY is the fucking size of TEXAS, is the second-largest exporter in the world and has strong unions. It has "socialized medicine", a high standard of living, an excellent education system, and person-for-person is superior to most cultures on the planet.

      What's the US excuse for failure? "We need tariffs because we suck"?

      If secure code is worth having then the market will deliver it. Those who deserve secure code will PAY for it. Why should the government burden ALL of us with another UNFUNDED MANDATE?

  • by ackthpt (218170) on Tuesday October 04, 2011 @11:11AM (#37599348) Homepage Journal

    Outsourcing the CIA to China isn't a go?

  • Why would off-shoring increase the risk? It would perhaps be of importance if the risk is related to the secrecy around the development. But if you make your code safe by secrecy, then it is not safe anyway, whether you develop it on-shore or anywhere else in the world. You should always assume that secrets are leaked... Always.

    • by Arlet (29997)

      You should always assume that secrets are leaked... Always.

      No, you should always factor in the risk that secrets are leaked. It would be silly to assume that risk is 100%, because it isn't. Many successful closed-source projects prove that.

    • by haus (129916) on Tuesday October 04, 2011 @11:23AM (#37599546) Homepage Journal

      It is not about secrecy it is about quality.

      The VP at SAIC is saying that if the government demands that the software they purchase actually meets some minimum standard of quality then everyone will throw up their hands and quit. Which he feels will cause more software to be handed off to overseas developers who will do even a worse job than has already been done.

      This smells very much like GM & Ford complaining that new fuel standards will be a technical impossibility to reach just moments before one of their competitors rolls out models to the showroom floor that make the grade.

    • Iran "offshored" the control software of the centrifuges on their uranium enrichment program (i.e. bought it in). Google for what happened next.
    • by Nadaka (224565) on Tuesday October 04, 2011 @11:25AM (#37599578)

      It isn't just secrecy. It is quality. In India, being a good programmer means getting promoted to management immediately. The only people left to code are those who are failures or newbies. As a result, the quality of code coming from overseas is crap and often broken. They often deliver completely broken code, or code that only works for a small subset of valid inputs, or that has terrible maintainability and performance. Every bit of that code you get back has to be thoroughly vetted and usually scrapped and rewritten from the ground up.

      So yes, it definitely increases risk.

      • by NevarMore (248971)

        So how is it the "good" programmers in management don't review and stop this broken code?

        • by darronb (217897)

          There's too much of it. They can't do all the work, and they have to let the crappy programmers learn. Trial by fire.

          I know a really excellent Indian programmer that's a project coordinator now over several projects. He works like a madman trying to correct and teach people, but the results are still pretty crappy because he's just one guy. Eventually, he'll burn out.

          I'd hire that single guy in a heartbeat. There might also be another one in the dozen or so on the project that doesn't do more harm than

        • You're kidding, right? Management review code?

          Even if the manager is technically astute, their job is to manage, not review code. There should be senior developers doing the reviews, but they're too busy writing code. So the sloppy mess produced by the juniors never gets reviewed.

          But even without reviews, testing should be revealing the problems caused by that sloppiness. Unfortunately, I've never heard of an offshore coding company that actually does the testing -- that's usually done in-house by

  • and sometimes it ends up costing more due to delays, poor code, coding to spec only and so on.

    also with outsourcing they just get the job done and move on, making you find someone to fix the code.

  • Outsource the armed forces (worked for the Romans - for a while.) And stop requiring the use of licensed and regulated doctors, civil engineers, aircraft designers and the like. Because those professions started off unregulated.

    On the other hand, serious attention to regulating software design and deployment might eventually reduce the need for security analysts...

    • Actually outsourcing their own forces brought the Romans to their downfall, both the western and eastern empire.

      • Incorrect in the eastern empire. Actually, internal strife, constant infighting and bloated bureaucracy had more to do with it than using Gothic "Roman" troops.
      • by vlm (69642) on Tuesday October 04, 2011 @12:48PM (#37600790)

        Actually outsourcing their own forces brought the Romans to their downfall, both the western and eastern empire.

        Naah, study your history. That was an effect along the way, but hardly the cause.

        The cause was the rich people had all the money land and power. Read your Gibbon, near the end all the land in the empire was owned by only a thousand landlords and everyone else was dirt poor. Kind of like where the USA is headed. When Rome was more egalitarian, Rome the city produced 25K fighting men, which means a total army size in those days of about 75K. Back then individuals paid for their own gear when they volunteered for service...

        Once only the rich had money, the poor couldn't even volunteer to be the equivalent of cannon fodder, and the rich had to hire foreign mercenaries, at ripoff prices. Toward the end, the average Roman was so poor that the empire could barely raise 100K fighting men. You'd think an empire could raise more than 4x just one city, but they had economically destroyed themselves, so...

  • People aren't willing to pay extra for code that's actually secure so we can't pass along our costs, and you can kiss our ass if you think we're taking a pay cut just because our software killed a few hundred people.

  • First, we already have a market framework that works - people don't buy or use the crappiest code when given a choice.

    Second, you know that "disclaim all warranties" bit? If you paid for the product, the vendor cannot disclaim warranties - so you have more incentive to deal with someone local so you can sue their *** off a lot easier. Given enough lawsuits, all bugs are shallow.

    Third - the government is unable to ensure the quality of the code it already buys - how is it going to do that for everyone?

    The whole concept is dumb, the article is just troll bait - which explains why it was posted on Troll Tuesday [tt]

    • First, we already have a market framework that works - people don't buy or use the crappiest code when given a choice.

      <div class="sarcasm">Well, that explains Windows' success in the presence of alternatives perfectly.</div>

      • by tomhudson (43916)

        First, we already have a market framework that works - people don't buy or use the crappiest code when given a choice.

        <div class="sarcasm">Well, that explains Windows' success in the presence of alternatives perfectly.</div>

        People have always had alternatives ... they make the choice based on several things, including price. Back when others were running MS/DOS or PC/DOS on a 8086/8088 I was running Microware OS9. Others were running something from some company called Apple.

        Today, i

    • I'm sometimes amused.

      We'll probably see a lot of this kind of proposal. Ultimately, it has to do with jobs. Why not bypass all the bullshit and just admit we're not willing to deal with globalization?

      Say what you want about the 'market', most of the economy is government run today... either directly or heavily regulated to the point of being government run. healthcare, education, military, law, financial...

      So why do people like yourself sit there pretending like we have a free market and ultimately hurti

    • One of my kids is a lawyer specialising in IT cases, so this is cutting off nose to spite face time...but you cannot sue people for doing bad work without an agreed concept of what constitutes good work. Some very successful parts of the world (Switzerland, Germany, Northern Italy) have traditionally relied on the concept of overseeing work by properly educated, trained and qualified people. I personally think it is better to pay them than to rely on paying lawyers.
  • Enforcing high quality secure software written in the U.S. would be bad for the U.S. Quality and security have always been bad for a company, e.g. DEC and SUN. It stands to reason it would be bad for the U.S.

  • by PPH (736903) on Tuesday October 04, 2011 @11:31AM (#37599654)

    ITAR [wikipedia.org] is perhaps one of the biggest hidden costs in domestic software development. Investments in s/w products that cannot realize the maximum ROI due to market restrictions force quite a bit of development overseas. If my subsidiary in India can sell my app or service anywhere in the world, but I can't do so with a domestic version, guess where I'll send the work?

    It's like when Obama was elected and all the gun nuts got paranoid about possible forthcoming regulations. Everyone ran out and stocked up on guns and ammo. Mention national security and software in the same article and more development work will get pushed overseas in a panic.

  • by WCMI92 (592436) on Tuesday October 04, 2011 @11:31AM (#37599664) Homepage

    It's a threat that will eventually bring down every company that does it. It is a cheat, a dodge used to avoid paying market rate for wages while still depending on the market you are taking the jobs away from to remain strong enough to buy your product (which is likely too expensive to sell in the off shore market where you are underpaying for labor).

    Ergo: Every company that uses offshoring depends on EVERYONE ELSE to not do the same so that there is still a market for their product. Eventually everyone will offshore in order to not get undercut in price, to the point where Americans no longer make a wage sufficient to keep the economy afloat so that there is sufficient money in the economy to allow the purchase of the offshored product.

    In other words, it's ultimately a self-destructive strategy that will end in dragging down first world markets to third world economic levels. We may already be past that critical point, looking at the perpetual recession we are in.

    • by Arlet (29997)

      Not off-shoring is also a self-destructive strategy. It's just a matter of time before foreign companies can compete on complete products.

      In the end, the only way to survive is to remain competitive with foreign workers.

      • by Duhavid (677874)

        How can that happen?

        Will BOA reduce my mortgage to numbers similar to China/India/? Will the grocery store reduce their prices? And the other stores I have to buy things from to keep alive? I can do things to reduce how much I need to live on to some degree, but there is a bottom to it all. And their bottom is lower than ours.

    • by Kjella (173770) on Tuesday October 04, 2011 @01:26PM (#37601290) Homepage

      In other words, it's ultimately a self-destructive strategy that will end in dragging down first world markets to third world economic levels. We may already be past that critical point, looking at the perpetual recession we are in.

      It's what most of that first world is built on, getting ridiculously cheap labor intensive imports from abroad while exporting expensive high tech and processed products back. Except the world isn't stupid and the world isn't standing still. As the rest of the world gets civilized, they do get educated. They too understand high tech. Americans aren't magical just because they're born in the US, the rest of the world is catching up. You can close off the borders, but that market isn't coming back. Then it'd just be the US economy, no almighty dollar which is worth so much around the world. That dollar was - is - worth so much because there's valuable things to be bought for dollars. Close off trade, take that away and you might find yourself with a third world currency bringing US wages down to match the rest of the world all the same. Either way they're starting to match the US and you can't just stick your head in the sand about that.

  • And not only "national security" (never understood that particular US fetish), but a threat to data and software security in any environment. But so is outsourcing in the first place. Off-Shoring just makes the connection between customer and service-provider even more remote. The more remote this connection is, the less loyalty and less perception (and often reality) of the risk of repercussions. Add a cultural gap to make matters worse. And an often high fluctuation.

    Incidentally, from what I have seen, Out

    • by vlm (69642)

      Not that I assume the 100 developers were on this full-time

      Unless you had your own guys looking over their shoulder, how do you know that? Look up "overbilling fraud".

      So.. we'll work for 1/20 their wages... We could bill honestly and make 1/20th their profits, a nice honest sum. But... what if we billed them ten times over? Faked the whole thing? We'll make 10 times 1/20th equals half their profit, much better. Whoo hoo! We can't get caught because we're private contractors and you shouldn't be directly supervising us and we're on the other side of the planet

  • The US Patent system will already drive companies off shore for good.
  • If it is used in the US, a US diplomatic site (which is technically US soil), or a US military base (also technically US soil) mandate software quality. No matter where it is made. The US is such a large market it would force other countries to do this.

    This next paragraph sort of expands on the Subratik's post.

    And has anyone considered that competing with countries with cheap labor and resources, e.g. China, is a recipe for disaster for the US? There are two approaches, go cheap like China because you can or

  • Well, it seems that a lot of corporate managers have bought into the notion that software inherently sucks. But it doesn't have to be that way. What if the US were to establish itself as the place to go for -quality software-, software that worked and that US companies stood behind? There are probably many comparisons with other industries; the auto industry comes to mind with German and Swedish cars recognized for higher quality engineering at a higher price. (That's not to denigrate the substantial qua

  • by ErichTheRed (39327) on Tuesday October 04, 2011 @12:01PM (#37600032)

    During the banking crisis, people in the US and the UK heard this a lot about the financial sector -- if you regulate them too much, they'll just move somewhere without regulations. I think there's some truth to that, but I can't imagine every company loves the idea of operating in a completely unregulated environment.

    One of the things I'm all for is professionalism in the IT world. Computers have been around for a long time, and now they're 100% vital to people's daily lives. It's time to start thinking about a couple of things:

    - Separating the design and deployment portions of the IT landscape

    - Making the design part a real branch of the engineering profession, with a set of educational standards

    - Making the deployment part a skilled trade, with the necessary apprenticeships and career progression to attract new hires

    Having a professional body would allow us to stand up to employers who demand that the schedule be crunched once again to meet an arbitrary date. No one tells a licensed PE who is liable for work they sign off on that they just lost a week of design time because someone said so...PEs are aware that they could lose their license or be sued out of existence. Currently, software isn't considered infrastructure, and so projects aren't run like bridge construction...they're arbitrary, and not grounded in reality.

    The problem is that the field of IT is very broad. You have systems guys like me, network guys, software developers, deployment experts, hardware engineers -- it's all over the map. One thing I don't like about the current state of our profession is a lack of training standards. We leave a lot of training up to vendors like Microsoft, Cisco, Oracle, IBM, etc. who have a vested interest in selling product and training a generation of newbies to use their technology. You also have a lot of independent IT people who have no desire to associate with a larger body of professionals, and wouldn't want the responsibility that professional status gives them. Even with the liability, I would be happy to be the equivalent of a PE because (a) I do good work, and (b) I'm well aware of what I don't know, and ask other professionals for help when needed. Other people in our field want nothing to do with this...they like the idea of being a cowboy coder or cowboy sysadmin and flying by the seat of their pants. Professionalism would also mean slowing down, realizing what works in terms of systems design, not trying to reinvent things every 6 months, etc. The laws of physics and properties of fluid dynamics don't change much -- techniques are introduced gradually in other branches of engineering. In our world, it's "new programming language", "new design pattern", "new OS", "new hardware design" every few years, and often it's just a rehash of what's come before.

    The other problem, and the one that this article addresses, is that other countries are probably not willing to commit to playing by the same rules if we adopted them. In fact, there would be a huge uptick in business at "Joe's Code Shack" because they would promise unreasonably short turnaround times and just throw labor at the problem. It's not really a national security issue -- the root cause is that no one is willing to pay for proper engineering work and they just want things faster and faster for less money.

    I think that a lot of specialized industries are starting to figure out what they can offshore and what just doesn't work when it comes back. I do systems integration work, and I have seen first-hand the disasters that come back from the "code monkeys" when there are no specs and bad oversight. It's not a cost savings if you have to hire a US contractor at 4x the rate of an FTE to wade through the mess and make it maintainable. One problem is that a lot of industries see IT as "grunt work" coding that people don't necessarily notice when it's done poorly. Anyone working for a large multinational who offshores development is probably well versed in things like internal web applications that crash

    • Making the design part a real branch of the engineering profession,...

      There is nothing special about engineering education that makes it "better" than a computer science degree from another department at a university. In fact, if you shift the courses to engineering, students will end up wasting their time on a lot of physics and math classes required for basic engineering that are completely useless for programming.

      The other problem is that engineering is standardized. There are "rules" for how to con

    • by vlm (69642)

      I can't imagine every company loves the idea of operating in a completely unregulated environment

      One of the most important features of regulation is to keep the big corps big and grind the small ones out of profitability... I can't see a big slow lumbering dilbertian horror of a company loving the idea of not having regulation expenses to crush their smaller competitors.

  • The companies selling the product should be responsible, not some unknown worker. If they are not in the USA then they have some other company that imported the product to make it available for sale and they are responsible.
    After all with the recent cases of tainted products coming from China no-one worried about the person making the item it was the fault of the company importing it that had legal problems.
  • It is more than software, it is everything that is traded. It makes the landscape of Mad Max look pleasantly tranquil.

    I really question the motives that allow America's wealth to be drained in one way or another to the amount of a Billion dollars a week to other countries. I question the motive of the statement, "Manufacture or Service it in <country />, to maintain a competitive Edge." The wealthy are not investing in America. They then should have no tax breaks. And their parent companies co
  • I know that often these kinds of analyses can be right: imposing too many restrictions can hurt an industry.

    However, sometimes these things just turn into hopeless naysaying. The government can't create any law or regulation without someone complaining that it will destroy the economy. Yes, having laws against lead-based paint in children's toys probably hurts some profits, causes some economic efficiency and "hurts the economy" in some ways. Sometimes that kind of economic efficiency isn't the most imp

  • after the last 30 years here in this country (US) let me be the first to say... Doh!
  • Going around asking "Is X a National Security Threat" is the biggest security threat of them all. In fact, the very concept of National Security is a security threat.

  • by jafac (1449) on Tuesday October 04, 2011 @12:39PM (#37600680) Homepage

    Yes. This is a national security threat. By definition. You can't have it both ways. Sorry globalists. You can't bully and exploit third-world labor, and then trust them with your proprietary industrial secrets. They will steal them from you, and turn around and use them against you. Period.

    The only exception - I guess, is that Muslims probably will not use complex interest-derived financial instruments to enslave you, since usury is against Islamic law. Straight-up slavery, is not though. So keep on bleeding your own economy until they come over here and take-over. They will be happy to enslave your sons and daughters.

  • by It doesn't come easy (695416) * on Tuesday October 04, 2011 @12:43PM (#37600730) Journal
    The fix is to require all businesses that are global to meet the requirements for ALL countries that are impacted by the business. For example, if software development is moved to India then the business must comply with the regulations for BOTH countries. And for the chain of businesses involved, each would have to comply. Example, if Company A in the US hires Company B in England, who hires Company C in India, to do the work then all three companies must comply with the regulations in the US, England, and India for the product involved. A requirement like this would help countries like India raise their standards of living and reduce shifting of jobs from rich countries to poor countries simply for the sake of profit. The same should apply to all products (example, electronics produced in China), not just software.
  • ...an awful example of gerundification. "Off-shoring" ? What a horrible word. It probably shouldn't have a hyphen, either, as that could lead to even more confusion over its intended meaning.
