Tuesday, December 12, 2017

Contracting with the Russians

There is an interesting story in today’s Wall Street Journal about the U.S. Defense Department taking a contractor to task for having code written by Russians, in Russia, even storing the code on Russian servers. I can’t tell you the number of times I have seen similar things without much action taken by the government agency involved. This time, there was something done about it.

This was a classified contract that should have had a clause in it requiring the developers to be U.S. citizens and, usually, to have a National Agency Check to make sure they are not wanted felons. We need more of these kinds of clauses and lots more enforcement of their requirements. Should we have foreign nationals doing risk assessments of U.S. computer systems? Should we have risk assessments of our critical infrastructure or National Command Authority being done by foreign nationals? You would think this would never be an issue, but I have seen all of these and more.

There were vendors subcontracting to Chinese, Russian, Indian, Israeli and French (just as examples) companies for programming of software used in national defense systems. There were vendors employing foreign nationals who were authorized to work in the U.S. but not authorized to work on these kinds of programs. There were contractors set up in the U.S. as front companies with authorized workers, or post office boxes as offices, who then sent all the work to another country to actually be done. Each of those was competing with a U.S. company for work, taking jobs they had no business getting away from people who should have gotten them, and putting our security at risk.

Part of the problem is government contracting agencies who have their heads somewhere they shouldn’t be and aren’t paying attention to subcontracting below the second tier. They have not even looked at some of the contractors to see if they have the capability to perform on these contracts. Then, they have to write contracts and clauses that pertain to who the work must be done by. Then, the Industrial Security people have to enforce those clauses. We cannot have a contractor using Russian contractors in Russia to write code. We know that. But, at the same time, we should know what has to be done to prevent that kind of thing from happening over and over. Our contracting agencies need to wake up and do their job.
