As I’ve mentioned before, outsourcing source code does indeed pose the possibility of cyber-sabotage: Some computer programmer in Pakistan or Russia might sneak some harmful code into a program that will run on many American computers (including perhaps Defense Department computers).
This problem, though, can arise even without the outsourcing of source code, and while such outsourcing may increase the risk of the problem somewhat, I’m not sure that it increases the risk that dramatically. Among other things, consider: Wouldn’t outsourcing object code be even more dangerous than outsourcing source code?
After all, if some U.S. company outsources the writing of computer program source code to a foreign company, at least the U.S. company can try to examine all the foreign-written source code to see if there are problems in it. This is far from a perfect solution, and I’m not sure to what extent U.S. companies really methodically do this (though I suspect that they try, in order to prevent inadvertent bugs, not just maliciously included ones). But at least it’s much easier than trying to decompile the object code and check that.
OK, some might say — we should prevent American companies from outsourcing object code as well as from outsourcing source code. But “outsourcing object code” happens every time an American organization buys a program written by a foreign company to run on its computers. To prevent the outsourcing of object code, we would have to demand that American companies (or at least critical infrastructure companies or critical government computers) stop buying off-the-shelf code written overseas. That would cause huge losses for American consumers, and would also quite understandably annoy our trading partners. Insisting that American law not discriminate against foreign-produced computer programs is not a newfangled free trade invention — it is, to my knowledge, the application of longstanding free trade principles.
So I do think we need to worry about cyber-sabotage. But trying to deal with it by focusing chiefly on outsourced source code would, I think, miss a huge range of risks that are at least as serious, and probably more serious.