The Danger in Outsourcing Cybersecurity to Foreign-Based Firms

Sending cybersecurity work offshore isn’t just a bad idea for individual organizations; it can be a national security issue.

Facing a severe shortage of qualified cybersecurity workers—the InfoSec unemployment rate is expected to be zero until at least 2021—many organizations have no choice but to outsource at least some of their cybersecurity functions. Security services are the fastest-growing segment of the cybersecurity market, and security outsourcing spending is expected to reach $18.5 billion in 2018, an 11 percent bump from 2017.

Outsourcing enterprise cybersecurity services to a reputable, U.S.-based cybersecurity firm is a great way for organizations to save money and get immediate access to expertise they do not possess in-house. But retaining an offshore provider or a U.S.-based security firm that sends work offshore can be a risky proposition.

Who’s In Your Network?

Organizations on tight budgets may find offshore security firms’ bargain-basement prices quite enticing, but sending security work overseas means that you have no idea what—or who—you are paying for. It is logistically impossible to properly vet offshore contractors, especially when multiple layers of subcontractors are involved. Your organization’s data security could be placed into the hands of entry-level security analysts with no education and very little training. Meanwhile, differences in international laws mean that businesses have little or no recourse if a breach occurs due to a mistake or an act of sabotage by the employee of an offshore contractor.

This lack of quality control, oversight and legal recourse is also a breeding ground for foreign cyberespionage—which means that sending security work offshore not only poses risks to private organizations, but also threats to national security.

The ‘Modern Cold War’ Is Being Fought Online

From accusations of Russian interference in the 2016 U.S. presidential election to the revelation that North Korea was behind the WannaCry attacks, many of the top cybersecurity headlines of 2017 read like they came straight out of a James Bond film or an episode of “Mr. Robot.” Even the cybersecurity industry itself was not left unscathed, as a respected multinational security and antivirus software firm was rocked by accusations of aiding and abetting Russian spies.

Last September, the U.S. Department of Homeland Security issued a binding operational directive (BOD 17-01) prohibiting federal agencies from using Kaspersky Lab products, citing concerns that the Moscow-based company could be compelled to use its software to collect sensitive information for the Russian government. In December, the Kaspersky ban was codified into law when President Trump signed the National Defense Authorization Act for fiscal year 2018. While Kaspersky denies having any ties with the Russian government, the company has acknowledged that its servers received classified NSA hacking tools after its antivirus software flagged them as malicious code on the home computer of an NSA contractor. (Kaspersky says it deleted the files as soon as it realized what they were.)

The threat foreign hacking poses to U.S. interests is so grave that just prior to Christmas 2017, the White House released its National Security Strategy, which calls for stronger cyberdefenses against a number of countries known to be conducting cyberattacks against the United States, including Russia, Iran, China and North Korea.

Private-Sector Companies, Universities Also at Risk

Government agencies are not the only ones being targeted by foreign cyberspies. The 2017 Verizon Data Breach Investigations Report (DBIR) found that cyberespionage was, by far, the top data security threat facing the manufacturing industry. Ninety percent of the time, cyberspies are after company secrets, such as product prototypes and proprietary software code, and nearly all of these attacks are launched not by competitors but by state-sponsored actors seeking to steal cutting-edge technology for use in their home countries. For the same reason, Verizon noted, American universities are in the crosshairs of foreign spy agencies that want to get their hands on high-tech research data.

Security is Everyone’s Responsibility

In a recent press briefing, the White House commended private-sector tech firms, mentioning Facebook and Microsoft by name, for their role in combating cyberattack attempts by North Korea by patching systems and shutting down accounts identified as belonging to hackers. The briefing called for greater levels of cyber-collaboration and information-sharing between the private and public sectors to combat nation-state hacking and protect U.S. interests and critical infrastructure.

In an increasingly connected world where hackers often breach one organization’s network to use as a back door into their real target, a vulnerability in one organization’s network puts everyone’s network at risk. Additionally, as the White House briefing mentioned, many critical services such as banking, communications and health care are provided by the private sector, making the security of private networks just as important as the security of government systems.

The first step to keeping America secure is for U.S. enterprises to accept that offshoring cybersecurity work is dangerous and ban the practice. Organizations should do business only with reputable, U.S.-based security companies that hire only experienced, well-vetted, U.S.-based employees.

Andy Jordan

Andy Jordan (CISSP, CISM, MCSA, MCP, Security+, Network+, ITIL v3, LeanIT) is Special Project Lead at Mosaic451 (www.mosaic451.com), a managed services provider that focuses on maintaining and protecting critical IT systems. Andy has built and managed multiple security programs for numerous large and small organizations throughout his 10-year career.
