Software and IT outsourcing: the risks to the United States and Europe

Cart before Horse

There is an interesting article in The Diplomat that discusses some pro and con views on outsourcing software development outside the US, and it hints at outsourcing outside Europe as well. In this post I am going to review some of those points, add some that the article omitted, and then circle back to the aspect of IT outsourcing, which was overlooked entirely by both the proposed legislation and the article, and to how sophomoric such an omission would be given the intent of said legislation.

It's really an interesting argument with two extremes. One is security, and thus code quality and integrity. The other is economics: in short, how much more profit one can make by outsourcing to cheaper labor.

I will start with a brief on quality and security, as that is really the focus of the article that prompted this post. Here the argument is that legislation should be passed, or not passed depending on your views, that dictates code development standards and quality assurance. Why? Two reasons really, and we have already mentioned them. The first concern is security, of course. We don’t necessarily want code developed in countries that aren’t friendly to us but where it is clearly cheaper to hire programming armies to knock out development faster. Apparently we fear they may insert back doors, Trojans, worms, malware, spying tools, etc. I am not sure where we get this fear from, other than that we have done it ourselves, of course. Second, the quality we tend to get by outsourcing to 2nd and 3rd world countries doesn’t come close to the quality of code produced by the arguably more skilled programmers in places like the US and Europe. This may result in unintentional vulnerabilities and security issues within that code. After all, this is how most exploitation of applications comes about: whether it is cross-site scripting or buffer overflows, it is poor programming and QC work that sends these flaws into the wild.

Historically speaking, the second of those arguments has been proven true by countless companies that have outsourced internal software development. I’m not saying you can’t develop quality code in countries such as India or China, but you can only do so with formalized education and continuing education, not with mass instruction on basic code syntax followed by throwing thousands of people at a problem. You just don’t get quality from quantity. And the “cost savings” model really is challenged by this argument. In doing this right, you add so much operational overhead that there is no longer a cost saving. You have to rework code, QC it with better programmers who might take more time to QC it than they would have taken to write it to begin with, etc. It’s actually a strong argument for keeping things “on shore.”

As for the detection and removal of malicious code that could compromise the critical infrastructure of the United States, well, you don’t get that if you have outsourced your development to nations that don’t always like you (if at all). You can pass legislation, which hopefully would create local jobs to QC and debug code looking for such things, but this fights the cost-savings aspect of outsourcing, and such legislation will indubitably not pass.

Then there is the other extreme: losing jobs and competitive edge in our own country to save a few dollars today while at the same time building the market and talent in another country. We are brain-draining ourselves: by outsourcing work to countries that don’t require the same level of education for the same job, we leave insufficient work for our highly educated, and of course we end up with many unemployed people who have very specific skills and no jobs to fill. As discussed in the first few paragraphs, we also tend to get lower quality work and expose ourselves to undue risk. It’s a catch-22, and yet there are strong arguments on the pro side for outsourcing.

These are mostly related to the much higher salary costs for coders in the US/Europe compared to having several people for that amount of money in, say, India. Scalability is another issue. In software development it is common to increase staffing and then peel off headcount as a project is completed. This isn’t good, but it is how things have to happen for a business to remain profitable. It also means severance packages, and you erode the potential workforce willing to work for you by doing this. Maybe the solution, if you have to pass legislation, is to pass some that dictates that companies learn to better scale and manage projects so this practice comes to an end. Just spitballing; take it or leave it.

The article stipulates that there is a hope that through such legislation there would be a real incentive for companies to take security “seriously.” To be honest, and realize this is my field, security will at most be taken as seriously as E&O insurance. Good security means “nothing happened,” and when nothing happens, people wonder why they pay for it and argue that nothing happened because nothing happened, not because you stopped things from becoming “something happened.”

Then there is the bit in the middle. Here we find that security concerns are balanced against risk. For instance, if it is critical software used by the government, there are mandates that all persons working on it are US citizens. Brilliant, but those jobs are few and far between. We have concerns over undermining the future of the economy by removing ourselves from the future workforce, e.g. software development and IT work in this case, and of course there is always the worry about the quality of goods and what that risk is not only to critical infrastructure but to the public as a whole. Let’s keep in mind that good software, and knowing how to use modern appliances, is just as critical to my own personal security around wealth and liberty as the doors on my home or the safe deposit box I keep my critical documents in for safekeeping.

Then there is my personal spin on this article: outsourcing IT/IS while desiring legislation on code security. Great, so the code is secure, but you still have a double-digit percentage of system administrators, network engineers, etc. with full access to US and European companies who are citizens and employees of foreign countries. I don’t need to program a backdoor into code I am developing for you when you let me control your edge routers and VPN concentrators. You already gave me the keys to the kingdom; I don’t need to build a tunnel under the wall. Personally I think legislation around coding to guard against malicious intent is putting the cart before the horse with regard to the bigger picture.

Do I feel outsourcing is dangerous? Well, yes, under circumstances where it is not contained, controlled and audited. But that goes for everything. Do I feel that it is a danger to the overall economy if we allow unchecked and unrestricted outsourcing? Yes, without hesitation I answer “yes.” Would I be in favor of legislation that controlled how much a US business could outsource, what it could outsource, etc. under the guise of National Security (both financial and operational)? Yes, but it should be thought out and written with the assistance of experts in the field; otherwise we will end up with something that looks like SOX, and we don’t need more open-ended legislation in the technology area that is so vague it is left up to interpretation by those not trained in the technical arts.

We do stand on the edge of something big, where thought and leadership have to be presented to prevent us from destroying our future. IT and IS jobs will be the mainstay in the future; there is no way around it unless we all decide to cash out, go live on a ranch and tend to our cattle. There need to be assurances that jobs will exist and protections in place to ensure job creation and stability in our own countries. Those shouldn’t come through subsidies, like keeping farming or corn a staple, but instead should come from the standpoint of security, not just for infrastructure but for the future viability of our economy.