Offshore Outsourcing: How to Safeguard Your Data in a Dangerous World

The mounting pressure to save money through offshore outsourcing poses a special dilemma for CIOs in the military-industrial complex.

Raytheon Aircraft is no different from most companies today.

The $2.1 billion subsidiary of the national defense contractor is exploiting outsourcing, both onshore and off, to cut costs, access skilled workers and operate more efficiently.

But unlike some companies, one false move on an outsourcing deal could cost the airplane manufacturer tens of millions of dollars, jeopardize its ability to sell to the U.S. government or even land its executives in jail. That’s because Raytheon and its subsidiaries are subject to export regulations that restrict what information can be viewed by foreign IT workers. Data that could enable another country to build a missile or military aircraft -- or even a seemingly innocuous radio -- is restricted.

Raytheon Aircraft ran into just that issue last summer, when it inked an outsourcing deal with IBM. The company gave IBM control over support and further development of its SAP system. IBM, for cost reasons, declared its intent to use subcontractors in India on the application, which contains such sensitive information as how to build the skin of a commercial jet. And that’s when Raytheon Aircraft CIO Doug Debrecht knew he had a problem on his hands. Executives at his parent company soon confirmed his intuition. They insisted that IBM not use foreign contractors until Debrecht came up with a surefire way to keep them out of Raytheon’s network.

Raytheon is not the only company dealing with this dilemma. Many in the military-industrial complex are keen to figure out a way to move IT work offshore. The federal government itself, one of the largest outsourcers in the country, must consider where the work it is sending to EDS or Lockheed Martin will ultimately wind up. And even nondefense-related companies must sort out how similar data-access situations apply to regulations like the Health Insurance Portability and Accountability and Gramm-Leach-Bliley acts. Consider the case of the clerical worker in Pakistan who threatened to post a U.S. hospital’s patient data online if she wasn’t paid more money. Any sensitive data can be dangerous in the wrong hands.

This is a new minefield for defense IT. While other parts of the business have incurred major penalties for export violations, military defense contractors have, up until now, largely dismissed the idea of using offshore talent on their systems. "If you look at my counterparts at Boeing, Raytheon and Lockheed Martin and compare us to the rest of our peers in the Fortune 500, we’re the rare breed that still does very little offshoring, and that’s all because of [International Traffic in Arms Regulations] and export regulations," says Tom Shelman, CIO for Northrop Grumman.

But as the cost pressures to exploit offshore outsourcing mount, CIOs now face a complicated conundrum: how to protect their sensitive information while enabling the global collaboration necessary to compete in today’s business environment.

"It’s a huge concern not just for government contractors but for any CIO who’s dealing with material that’s regulated, whether it’s defense or financial services or pharmaceutical companies," says Akiba Stern, partner in the New York City office of global law and consulting firm Shaw Pittman. "The companies themselves know a lot about the regulations in their industry, but the people who are doing the outsourcing don’t. And there are no actual rules for how to work the outsourcing."

The Export Police

Since World War II, the United States has been placing restrictions on the export of certain arms and related data. Today, the State Department’s Office of Defense Trade Controls administers the International Traffic in Arms Regulations, or ITAR, which require specific licenses for exporting items on the U.S. munitions list, from aircraft and ships to firearms and chemical weapons, as well as any technical data needed to make them.

The Commerce Department’s Bureau of Export Administration (BXA) administers the Export Administration Regulations (EAR), which control the export of commercial items that could have military applications (computers, civilian aircraft, viruses for scientific research, even radios). Both ITAR and EAR prohibit the release of related data to foreign nationals (anyone who is not a U.S. citizen or permanent resident alien), which is why CIOs at companies like Raytheon find themselves in a fix.

The potential for trouble has only increased with the pervasiveness of offshore outsourcing, especially since companies such as India’s Tata Consultancy Services and Wipro are subcontractors to some of the largest U.S. outsourcers, including CSC, EDS and IBM. Amplified sensitivity to issues of national security and terrorism has further fueled concerns, making this a hot-button issue for CIOs in regulated industries. "We’re living in a different sort of world," says Michael Daly, corporate director of IT security for Raytheon. "What was just a topic of conversation a few years ago is now top of mind."

As a result, the enforcers of export regulations are getting tough on violators. "They’ve stepped up their regulatory activity and fines, many of them in excess of $10 million," says Larry Christensen, vice president of international trade content for Vastera, a global trade technology provider, and former director of the BXA’s regulatory policy division.

Just last year, Raytheon agreed to pay $25 million in civil fines to settle charges from the Department of Justice that it tried to evade export laws in the attempted sale of sensitive radio technology to Pakistan via a Canadian subsidiary. Similarly, Lockheed Martin settled a federal lawsuit for $13 million in 2000 for providing technical advice to a Hong Kong company working on China’s commercial satellite program. Two years earlier, Boeing Satellite Systems paid $10 million for sharing rocket data with Russian and Ukrainian partners.

The escalation in fines has not been lost on the industry. And now that companies such as Raytheon and Northrop Grumman are exploring the possibility of letting foreign workers handle their systems, their CIOs are well aware of the perils if their companies’ technical data is exposed through outsourcing arrangements. "It’s a big, complicated problem," says Ron Remy, director of IT operations for Lockheed Martin Space Systems. "We deal with lots of secure information, not just our proprietary information and ITAR-regulated information, but even classified Department of Defense information."

Among the systems currently off-limits to offshore outsourcing at Lockheed Martin: ERP systems, which contain the material requirements for developing and defining the company’s products, and the engineering systems used to design its products, including space-based telecommunications and missile systems.

Testing the Offshore Waters

Generally, IT service providers such as IBM disclose to their clients what subcontractors, if any, they plan to use on an outsourced project. But CIOs are ultimately responsible for making sure the arrangements for systems access are fail-safe. If a company violates export regulations as a result of its outsourcer subcontracting to a supplier in China or India, you can bet it won’t be the outsourcer that pays. "If there’s a regulation that you’re responsible for and your outsourcer doesn’t comply, you have to deal with the damage," Shaw Pittman’s Stern says.

Multimillion-dollar fines, experts say, would be just the beginning. "In government contracting, the damage to reputation is almost always worse because you’re dealing with something that’s perceived to be a national security issue," says Ed Hansen, another Shaw Pittman partner. "When that hits the newspapers, it looks really bad." Violators can lose their ability to sell to the U.S. government, and ultimately, to export at all.

And it doesn’t stop there. "We’ve even seen a willingness to seek criminal indictments," Christensen says. "And corporations don’t go to jail; people go to jail." In 2001, criminal charges were brought (and eventually dropped) against a McDonnell Douglas executive for conspiring to sell machine tools used to make jetliners to China. Though it hasn’t yet happened to a CIO, the possibility of up to 10 years in prison for an export violation is not one that any IT executive wants to consider.

Even so, Northrop Grumman, which in response to ITAR and EAR worries took back in-house work that was previously being done in India for TRW (which it acquired in 2002), is now testing the offshore waters. "What if our shareholders look at the enormous cost of IT at our corporation and benchmark us against other Fortune 100 companies not bound by ITAR? We can’t afford to be the ones that don’t do it," says Northrop Grumman’s Shelman. He is currently conducting two pilots in India -- one for an ongoing project involving PeopleSoft support and another for a one-time project involving Web development -- to determine if offshoring is doable.

"There are two different issues you have to address depending on your level of paranoia," says Rapheal Holder, who is overseeing the pilots as vice president of shared services for Northrop Grumman. "There’s how you’re going to review code prior to introducing it back into your production environment, and how you address the need to give foreign nationals access to the production environment and live, potentially sensitive data."

Holder says it’s been a painstaking process; the company has had to methodically go through each system to identify what data controls need to be put in place, how to provide the offshore workers with access to the live production environment, and ultimately how to inspect code created by the foreign workers. "It’s a slow process of peeling the onion," says Holder.

Shelman says Northrop Grumman will complete the pilot projects in India and will be able to give a yea or nay to offshore outsourcing in the 2005 IT budget. The company may enter an offshore engagement, but only if it has pinpointed all the controls required to meet export requirements, identified the infrastructure required and can still foresee significant cost savings.

Salvaging a Done Deal

When IBM and Raytheon initially discussed their outsourcing deal, IBM executives tried to assure Raytheon CIO Debrecht that subcontracting to foreign workers would not pose a problem. "They said, ’Oh, we’ve done this before, and we know how to work through these issues,’" he recalls.

That wasn’t good enough for Debrecht, and he knew it certainly would not satisfy executives at Raytheon headquarters. "Raytheon is very sensitive to such issues, just like any defense company is. You read in the paper that this contractor violated this or that export law and was fined millions of dollars," Debrecht says. "I don’t want to be the one to have to go to the CEO and say, Yeah, that was because of me."

Not surprisingly, the initial reaction of top Raytheon executives to IBM’s plan to offshore some of the SAP deal was negative. "The easy answer for Raytheon was to just say, No, don’t let them into the systems," Debrecht says.

Unfortunately for Raytheon Aircraft, the SAP outsourcing was part of a larger supply chain transformation contract with IBM. The proposed project required a host of changes to the SAP system, and IBM needed control of the application to make them in a timely fashion, says Debrecht. And that meant access to the production servers.

Debrecht had gone through similar issues on other projects, but those were relatively simple application development situations. The foreign nationals could do the programming work on development servers, where live data was replaced by dummy data, and they never set foot in the production environment stateside.

That’s how Boeing, for example, has been able to outsource some programming to Russian outsourcer Luxoft for the past four years. Boeing has an internal committee that determines what projects can be sent to Russia. It then identifies export-regulated sensitive data (such as diagrams for an airplane wing), eliminates it from the application, inserts dummy data in its place, and ships it off to Moscow where developers don’t need to see the sensitive data to do their work.

When it comes to ongoing systems support, like IBM’s work for Raytheon Aircraft, where access to the real data is necessary, things get more complicated. "You have to put limits on what people have access to, create audit trails, know who has what passwords," Shaw Pittman’s Stern says. "It’s a whole regime that has to be put in place."

Raytheon decided the time and money needed to make the project work was worth it, particularly since Raytheon CIO Rebecca Rhoads would like to see the company take full advantage of offshore outsourcing. So for the time being, IBM has agreed not to use foreign nationals on the SAP account for up to two years, until Raytheon Aircraft solves the problem of making offshoring secure.
