outsourcing-for-dummiesWhile the U.S. Government has been remarkably opaque about the recently discovered security breach at the Office of Personnel Management (OPM), we know that personal information on at least 21.5 million present, former, and prospective federal employees was lost. The Feds claim Chinese hackers are at the bottom of it, which is disputed by the Chinese government. This, to me, raises a number of questions, especially about the possible role of IT outsourcing firms and implications for organizations beyond OPM. Does IT outsourcing make your data more vulnerable? Yes, I believe it does.

It’s easy to blame the Office of Personnel Management for its own troubles. Oversight was lax. The agency failed a security audit and didn’t seem to do much in response. When shit hit the fan and it became clear that the identity of almost every living person associated in any way with Federal employment had been compromised, the agency lamely offered 18 months of identity theft screening but then didn’t have the money to pay for it. Pathetic. Both the Obama Administration and Congress are to blame, the former for mismanagement and the latter for “starving the beast” by limiting the OPM budget, pushing the agency toward cost-saving decisions that at least to some extent led to the current crisis.

And a crisis it is. The scope of this hack is mind-boggling. There are 4.5 million Federal employees yet the identities of at least 21.5 million people are involved. How can that be? Well just to give one example, every person with a federal security clearance has to file annually (this seems to vary from agency to agency — see comments below) a 120-page Standard Form 86 updating information about their every social and business contact. All of those Standard Form 86s — millions of them — were stolen. Given that we live in a world of Big Data and six degrees of separation, it’s logical to assume that with some effort nearly every U.S. adult has been compromised in some way by this theft, whether or not you know that Uncle Jim used to be a courier for the CIA.

This is way worse than Target or Home Depot, yet those stories lingered in the press for months while OPM seems already to have disappeared.

IT outsourcing comes into this story in a way that I think was for the most part missed by the press that have now moved on from the story. Root access to OPM databases was held by consultants working from China and Argentina. That doesn’t sound like a good idea to me. And as I wrote at the top, who is your IT outsourcing firm working for? Probably less for you than you think.

Two problems here come down to culture and loyalty. Say you are a U.S.-based senior employee of a large American defense contractor and you detect a security problem that looks like it might lead — or has already led — to a loss of secret data, what do you do? You raise hell of course. You sound the alarm, get everyone out of bed, and start working on a solution. Contrast this with a similar situation where instead of a senior U.S.-based employee finding the breach, it is a junior consultant working from Bangalore or Beijing? They report their findings, sure, but will they raise a ruckus? Do they even know how to raise a ruckus? And what if the person they are informing is a dolt and doesn’t understand the implications of the report? After all, the recently-departed director of OPM appears to have had no technical qualifications at all. Unsurprisingly neither did the preceding director, whose past experience included being director of the National Zoo.

I worked a few years go with a very smart engineer from India who had a successful career at Intel. This is one of those stories some will view as culturally insensitive but I don’t give a damn because it is the truth. My friend said he had worked at Intel for 18 months before he realized it was in his interest to tell the truth in meetings. I am not making this up. In India, which in this case could be a straw man for many foreign tech centers, it was viewed as smarter to tell the boss what he wanted to hear, not the truth.

Who, again, in China or Argentina, was going to sound the alarm with OPM and stake their career on it? Who in power at OPM even knew the implications of such a breach? From the early press statements by the OPM director, she didn’t appear to see the significance.

And my second point is even more important: know the allegiance of your outsourcer. The key issue with outsourcing IT is this — who does your IT staff work FOR?

Let’s look at some bad examples. In the case of Best Buy, for a long time over 99 percent of their IT department was contractors. No one looked out for the best interests of Best Buy. As a result, Best Buy didn’t adapt to changes brought by the Internet. While they like to blame Amazon it was Best Buy’s own neglect that led to their problems. Today, if it wasn’t for cell phones, Best Buy would be in serious trouble. Isn’t that where Radio Shack was a few years ago — their only money maker was cell phones? Best Buy’s inventory management, merchandising, supply chain costs, etc. are still years behind the norm. This isn’t Amazon’s fault. It is IT’s fault and happened in part because Best Buy’s IT wasn’t working for Best Buy.

In the case of Target, their intrusion was detected. An offshore team spotted the problem and reported it to Minneapolis. The folks at HQ did nothing with the information and a few weeks later Target had a crippling problem that ended up costing the company more than $1 billion.

If the IT department actually worked for you and spotted a serious problem, they wouldn’t just report the problem then forget about it. If there was no response from HQ, people in the IT department would have been calling Target’s leadership — at home, in the middle of the night, if necessary.

In other cyber thefts there were indications of pending problems weeks beforehand. New code was running on systems, large amounts of data was being copied and moved, etc. When an IT department works for your company, they usually take their jobs and responsibilities seriously. They look at the system reports. They may notice something that’s not right. They take the initiative to investigate. When your IT department does not work for you, they may be content with just issuing a report. Or they may not have the skill or experience with your applications to even spot problems. They may not have the time or permissions to investigate. They only do what they are told.

The driving force behind outsourcing and offshoring is to find the cheapest IT talent on the planet. The people hired to do this work usually do not have a college education. They are young and have no experience. They are paid $7 to $15 an hour. The background and qualification checks are superficial at best. They have some IT training, but most of what they know is taught on the job. Now imagine how easy it would be for a cyber criminal to insert himself (or herself) into an outsourcing firm. Imagine how easy it would be to bribe and compromise a worker for an outsourcing firm. Since no one at the outsourcing firm works for your business it is very easy for cyber criminals to operate unnoticed. Edward Snowden used other people’s ID’s to access and copy data. Most cyber criminals these days are smart enough to cover their tracks. Given the weak management at many outsourcing firms, if they detected a problem they’d probably fire the innocent and completely miss what was really going on.

The outsourcing and offshoring of IT makes cyber crime a lot easier.

Another aspect of this problem is that IT not really a profession. There are no educational requirements. They’ll let anyone work in the field, or manage it. To make matters worse corporations have been working hard for years to dumb down IT even more. They have been moving the work to the cheapest labor markets in the world.

Clearly most corporations don’t respect IT and don’t know the risk to their business of doing it poorly. Just as clearly many government departments know very little about IT. Anywhere these conditions exist right now, the cyber criminals are or will soon be in their systems and stealing their data.

And we appear not to care. The US government has decided shipping USA jobs offshore is okay. Corporations have decided paying less for substandard IT help is acceptable.

I can see only one solution to this problem, which is to call in the lawyers. The outsourcing companies seem so far to have evaded any responsibility for these hacks. For that matter we hardly know who they even are. What companies employed those OPM database administrators working from Argentina and China? For that matter, what outsourcing firm, if any, was working for Anthem when 80 million health records were lost? After the 2008 financial crisis, big-eight Big Four accounting firms paid billions in fines for not doing their jobs. Maybe it’s time for the outsourcers to do the same. It might make them take their work more seriously.