May 18, 2008

A Close Look On Off Shore Outsourcing: What Is The Difference Between Imported Steel And Imported Program Code?

by Norm Beznoska, Director of Enterprise Security, Infiniti Systems Group

During a recent discussion with a valued friend and business associate, Don Heestand, CEO of e-Merging Technologies Group, Don posed a very interesting question, which demands an answer from every organization that outsources many of its Application Development activities to Off Shore Programming firms. “What is the difference between Imported Steel and Imported Program Code?” Don asked. Half-jokingly, I answered: “Imported Steel doesn’t contain Trojan Horses, Backdoors, or Malicious Code. And Imported Steel doesn’t threaten the very security of our nation’s infrastructure, either”.

As an Information Technology professional and former MIS Director, I appreciate the fact that many North East Ohio companies have turned to Off Shore programmers and Application Developers, in the interests of lowering costs and expediting their workflow. After all, by utilizing Off Shore programming resources, Northeast Ohio companies can eliminate the time and expense of advertising, interviewing, screening and background checks. Not to mention the burden of FICA, payroll taxes, unemployment taxes, workers’ compensation premiums, and health benefits normally paid to American workers. Of course, our local, state, and federal governments suffer, since these Off Shore firms don’t pay taxes or administrative costs. And, what of the potential for the destruction of American information assets stored on Off Shore systems in those countries close to going to war? And isn’t Lake Erie, not the Indian Ocean, “off shore” to NE Ohio?

But in their rush to market, North East Ohio companies have placed themselves at great risk. They do not impose the same stringent Program Testing and Production Turnover requirements as they insist on with their own programming staffs. And what of the critical need to provide up-to-date documentation, describing which software patches and other “fixes” were applied in the Application Development life cycle? Do these companies naively believe that foreign nationals, whose comprehension of the English language and American business culture is based largely on watching Al Jazeera reruns of South Park or the Simpsons, can write coherent documentation?

Every computer professional at some point in his or her career has accidentally caused a major error. These errors occur in every business today, often costing American companies billions of dollars a year. A one-line coding error out of hundreds of thousands of lines of code at the Bank of New York caused a critical system to crash, causing a $5 billion shortfall. The bank had to borrow the money from the Federal Reserve to cover the loss until the error was corrected. The interest on the borrowed money cost the bank $23 million!

Without even a comment about a background or security check, companies routinely place Off Shore contractors in positions of great responsibility where they can cause grave damage by inserting malicious code or conducting corporate espionage under the guise of writing program code. Of course, background checks cost money; they cause delays, and sometimes cause embarrassing information to come to light. But is the reader’s organization willing to hire or contract with somebody who later is shown to be a terrorist or an accomplice to a terrorist? Off Shore contractors must not be given access to sensitive information, or be allowed to access critical information systems without first having gone through a background check commensurate with background checks given to regular employees. Period.

Imported Steel and mismanagement have caused the demise of LTV Steel and the loss of 7,500 jobs. Its full impact on the city of Lorain and the entire Northeast Ohio community has yet to be felt. In today’s brain-based economy, we can ill afford another LTV Steel. Or in the words of George Santayana, “Those who cannot remember the past are condemned to repeat it”!
