All Tech Considered
3:48 pm
Wed February 26, 2014

With Tech Outsourcing, The Internet Can Be 'A Scary Place'

Originally published on Thu February 27, 2014 11:08 am

When you hear the word outsourcing, you might think of threats to American jobs. To cyber experts, there's another threat: to our data.

This week, thousands of the industry's leading minds from around the world are discussing the Internet and security at their annual powwow in San Francisco, the RSA Conference. These topics matter more and more to us non-experts, especially as people become the victims of cybercrime.

Many of the people at this conference are talking about the underlying causes of that crime and one word keeps coming up: outsourcing.

"You get what you pay for," says Andy Ellis, chief security officer with Akamai Technologies. "If you move it to somewhere that's a lower cost, there's a reason it's lower cost ... . Sometimes it's because you aren't getting as skilled personnel."

Outsourcing isn't just for big manufacturers. Online companies are using outside vendors, too — for their websites, mobile apps and accounting. The downside isn't just a poorly made T-shirt — it's data theft with untold consequences.

While many of the cybersecurity business people at the conference disagree on the merits of outsourcing, they agree it's a big security problem. The decision to cut costs can backfire on the consumer, says Dwayne Melancon, chief technology officer at Tripwire, an IT security firm.

"You provide information to a company and all of a sudden it gets compromised because of a weak link to a third-party contractor," he says. "It's your problem. It's not the company's problems."

In the recent payment card breach at Target, hackers reportedly used stolen credentials from an air-conditioning company that was working for the giant retailer.

We need to pay more attention to this trend, says Chris Coleman, a security analyst with Lookingglass Cyber Solutions. Coleman audited about 20 subcontractors that big banks hire. He found something startling.

"A hundred percent of third parties showed signs of compromise or indicators of threats," Coleman says. Was that a surprising percentage?

"No," Coleman says. "Our global cyber landscape is a scary place."

While weak links are everywhere, Coleman saw one that stood out with the foreign servicers. Many of them used computers infected with an old worm called Conficker. It's curable and not harmful in itself, but it's also a signal for criminals looking for weak entry points.

"It was more predominantly coming out of networks that were in the foreign markets," he says. "The U.K. for sure, India and Southeast Asia."

However, when John Stewart, chief security officer at Cisco, travels to China, people there want to know how he's protecting their information from high-risk Americans.

"It really depends on where you're sitting, what you think the risk is," he says.

There's a lot of data security distrust, especially after the recent revelations about domestic spying by the National Security Agency. But Stewart notes that the U.S. is better at building trust in one key respect: It has laws that require companies to tell police about breaches.

He remembers participating in a panel in another country where someone said that all the data theft is coming from the U.S. Stewart pushed back.

"How do you know we're creating the problems?" Stewart said he asked the man. "We're the only ones transparently telling you that we created the problems."

Stewart says if everyone shared details on data breaches the way they shared the data itself, cyberspace would be a lot less scary.

Copyright 2014 KQED Public Media. To see more, visit http://www.kqed.org.

Transcript

MELISSA BLOCK, HOST:

This is ALL THINGS CONSIDERED from NPR News. I'm Melissa Block.

AUDIE CORNISH, HOST:

And I'm Audie Cornish.

When a massive security breach was confirmed by Target, there was no doubt it would impact the company's bottom line. Today, we got an initial idea of how much it could hurt. Target announced its profits during the crucial holiday quarter fell 46 percent from the previous year. The breach put the personal data of tens of millions of customers into the hands of criminals.

BLOCK: Target says it's already spent $61 million dealing with the fallout from the theft, though insurance will cover most of that. Cyber attacks on Target and other retailers have made Americans much more aware of the risks to their personal data, online and at stores.

CORNISH: We're going to learn more about the underlying causes of cyber crime by going now to San Francisco, where thousands of experts have gathered for an Internet security conference.

AARTI SHAHANI, BYLINE: Aarti Shahani, of member station KQED, went to the conference and kept hearing the word outsourcing.

I say outsourcing and maybe you think: threat to American jobs. But here at the Moscone Convention Center, outsourcing means a different kind of threat: to our data.

ANDY ELLIS: You get what you pay for is something that people do have to acknowledge.

SHAHANI: Andy Ellis is chief security officer with Akamai Technologies.

ELLIS: And certainly if you move it to somewhere that's a lower cost, there's a reason it's lower cost. Sometimes it is cheaper there, so people don't need as much. But sometimes it is because you aren't getting as skilled personnel.

SHAHANI: Just like the big manufacturers outsourced, online companies do, too, for their websites, mobile apps, accounting. But the downside isn't just a poorly made T-shirt. It's data theft with untold consequences.

Now just about every person in this room is selling a security service. While they disagree on the merits of outsourcing, they agree it's a big security problem. Dwayne Melancon, with Tripwire, says the decision to cut costs can backfire on the consumer.

DWAYNE MELANCON: You provide information to a company. And all of a sudden it gets compromised because of a weak link to a third-party contractor, it's your problem. It's not the company's problems.

(SOUNDBITE OF A NEWS CLIP)

UNIDENTIFIED MAN: It is our top story this morning, the theft of payment card information at Target...

SHAHANI: That recent high-profile breach happened because hackers stole information from a third-party vendor, an air-conditioning company in the U.S.

Security analyst Chris Coleman, with Lookingglass, says we need to pay more attention to this trend. He just did an audit of about 20 subcontractors that big banks hire and he got a breathtaking finding.

CHRIS COLEMAN: A hundred percent of third parties showed signs of compromise or indicators of threat.

SHAHANI: A hundred percent?

COLEMAN: A hundred percent.

SHAHANI: Is that surprising?

COLEMAN: No. Our global cyber landscape is a very scary place.

SHAHANI: While weak links are everywhere, Coleman saw one that stood out with the foreign servicers. Lots of them used computers that are infected with an old worm. It's curable and not harmful in itself, but it's also a signal for criminals looking to find entry points.

COLEMAN: It was more predominantly coming out of networks that were in the foreign markets. I know the U.K. for sure, India and Southeast Asia.

JOHN STEWART: When I go to China, they want to know: Well, how are you protecting, like, our information from the U.S. people that are high risk? How do you wall that garden?

SHAHANI: John Stewart is chief security officer at Cisco.

STEWART: So it really depends on where you're sitting what you think the risk is.

SHAHANI: There's a lot of distrust about data security, especially after the NSA revelations. But Stewart notes the U.S. is better at building trust in one key respect: We have laws that make companies tell police when a breach has happened. He remembers being on a panel in another country and some guy said all the data theft is coming from the USA. Stewart pushed back.

STEWART: Well, does this country have mandatory disclosure law? And there was no. And I said, well, then how do you know we're the only ones creating the problems? We're the only ones that are transparently telling you that we created the problems.

SHAHANI: Stewart says if everyone shared details on data breaches, the way they shared the data itself, cyberspace would be a lot less scary.

For NPR News, I'm Aarti Shahani in San Francisco. Transcript provided by NPR, Copyright NPR.