Thursday | 16 October, 2008
Computerworld
Frankly Speaking
Frank Hayes 13/03/2000 12:01:01

Why risk it?

Japan's defence agency has pulled the plug on a new network linking army bases, after discovering that the software was written by members of a doomsday cult. Scary, huh? It gets scarier: five contract software companies run by members of the Aum Shinri Kyo ("supreme truth") cult also wrote code for government agencies overseeing education, construction, the post office and the telephone system - as well as for hundreds of corporate customers.

Maybe that Aum name sounds familiar. In 1995, Aum members released nerve gas in a Tokyo subway, killing 12 people and injuring thousands more. Japanese authorities are afraid Aum programmers installed back doors or sabotage triggers in the contract software. The cult itself now says it has cleaned up its act and renounced law-breaking. But why take that chance?

Japan isn't alone in worrying about contractors. In the US, the Federal Aviation Administration is running after-the-fact background checks on dozens of Chinese, Pakistani, Ukrainian, British and Ethiopian programmers who worked on the FAA's Y2K fixes. None of the foreign programmers have been accused of doing anything wrong - but, the agency figures, why take a chance?

And after the latest round of Web site attacks, some security gurus are saying that no one should hire reformed hackers for any IT work. We shouldn't take the chance, they say, when we know these kids have histories of break-ins, back doors and bad behaviour.

Are things really that bad? Yes. The more we outsource, the less we know about the people who'll get elbow-deep into our systems. They could be terrorists, industrial spies or crackers who plan to shut us down, steal our secrets or use our computers to launch attacks. We just don't know.

Is there an answer? Yeah, but no one's going to like it much. We're outsourcing that work to save time and money. And the only way to protect ourselves is to spend - what else? - time and money. We'll have to spend time checking code we get from contractors. And grilling application service providers on their security standards and procedures. And drilling down to make sure subcontractors get the same hard stares as the big names who got the original contracts. We may have to spend money on serious background checks for some contract workers - remember, real bad guys will lie on resumes and arrange for fake references.

We'll probably have to pay for insurance to make sure any losses due to dirty dealing are covered. Not prime-contractor performance bonds, but real insurance - if something goes horribly wrong, we want to make sure somebody with deep pockets will pay to make it right.

Yes, we should have been doing this all along. Some IT shops have been. But most of us slid into outsourcing a little at a time: a quick fix when a project went awry; some extra help launching a Web store or even picking up an ongoing deal when we took over work the marketing or human resources department started.

Now we're outsourcing all kinds of things - systems development, applications, network management, maybe even the help desk. And we haven't got the oversight procedures in place to make sure the people who do our work for us are who we think and are doing what we want - and not walking away with any proprietary knowledge. And now the brass will scream when we ask for a bigger budget to look over those outsourcers' shoulders. When they do, point out that farming out IT work is still cheaper than doing it all ourselves.
