Imagine an average day in the life of the U.S. banking system: customers coming and going, deposits and withdrawals being made, payments being processed. All of a sudden, a software crash brings everything to a screeching halt.
Two hours later, banks across the country begin switching to back-up systems. After four hours, installed backups aren't functioning. Eight hours later, banks begin to process payments by hand. Unfortunately, banks are unable to process the 250-plus million non-cash items that, according to a recent Federal Reserve study, pass through the U.S. banking system each business day. The U.S. payment system has stopped working.
How could this happen? A bug, planted in one or several software products' code, coordinated to come out of hibernation at a specific date and time, has infected all or part of the U.S. payment system. How did it get there? It was planted, months or even years ago, by developers in a Third World country who helped create the software. The debate over the outsourcing of software development has raged for years. Recent incidents of compromised consumer data have increased the level of scrutiny on vendors who outsource. However, the potential for much larger, and more consequential, security violations has, so far, gone unnoticed.
Placing the stability of the U.S. payment system, or other key industries, in the hands of off-shore software developers in unstable, even highly volatile, countries is both unsafe and unwise. Banks have a responsibility to both their customers and our nation to ensure their software is safe.
However, some banks do not know where the software they are purchasing was made. Why? Because they forgot to ask one simple question: "Where was this software made?" Outsourcers in India, China and elsewhere have spent much energy over the last several years upgrading and publicizing their security procedures. Often, we see images of razor-wired fences, armed guards, surveillance and other pricey measures employed by these foreign institutions. What we do not see, however, are the employees inside. Due to high employee turnover, hiring practices in these countries are far less sophisticated than in the U.S. In fact, it is exponentially easier to become employed in India, Pakistan or China than in the U.S. For example, in India, the employee-screening process typically consists of verifying a person's education, address and a few personal references, the same process used by most U.S. fast-food restaurants.
In the U.S., software developers are typically put through a much more rigorous screening that includes a criminal background check, drug screening, fingerprint matching against an FBI database and a review of personal credit history. Many banks require this as part of a contractual agreement. However, many RFPs do not question who developed the code and frequently mention nothing of the hiring processes used by offshore developers who may have been contracted to develop the software. Not only are these Third World hiring practices years behind the U.S., they will not be catching up any time soon. In July, the president of India's National Association of Software and Service Cos. (NASSCOM) announced that the group is "considering" adding information regarding criminal convictions to its proposed database of IT professionals. If criminal information were added, including criminal background, photos and fingerprinting, such data would not be available for another two years, according to India's Economic Times. When this database becomes available in September, it will include data on every four IT professionals and can be accessed only with the prospective employee's permission. According to NASSCOM, 800,000 developers were working in India alone between 2003 and 2004.
In addition, it is possible that a development project, sent overseas by a U.S. technology vendor, could be subcontracted to yet another developer in another country. It is common practice for a bank to ask its technology vendors to guarantee the quality of their products. However, neither the financial institution nor the vendor can guarantee that the software does not contain Trojan horses, viruses or other dangerous code. Outsourcing will remain a popular trend. The number of software developers working in the Third World will continue to increase. Criminals and terrorists will grow more and more determined. Solving this problem will not be easy. However, any solution must begin with banks asking the question: "Where was this software made?"