by Stephanie Overby

Offshore Outsourcing: How to Safeguard Your Data in a Dangerous World

Jan 15, 2004 | 17 mins

The mounting pressure to save money through offshore outsourcing poses a special dilemma for CIOs in the military-industrial complex.

Raytheon Aircraft is no different than most companies today.

The $2.1 billion subsidiary of the national defense contractor is exploiting outsourcing, both onshore and off, to cut costs, access skilled workers and operate more efficiently.

But unlike some companies, one false move on an outsourcing deal could cost the airplane manufacturer tens of millions of dollars, jeopardize its ability to sell to the U.S. government or even land its executives in jail. That’s because Raytheon and its subsidiaries are subject to export regulations that restrict what information can be viewed by foreign IT workers. Data that could enable another country to build a missile or military aircraft — or even a seemingly innocuous radio — is restricted.

Raytheon Aircraft ran into just that issue last summer, when it inked an outsourcing deal with IBM. The company gave IBM control over support and further development of its SAP system. IBM, for cost reasons, declared its intent to use subcontractors in India on the application, which contains such sensitive information as how to build the skin of a commercial jet. And that’s when Raytheon Aircraft CIO Doug Debrecht knew he had a problem on his hands. Executives at his parent company soon confirmed his intuition. They insisted that IBM not use foreign contractors until Debrecht came up with a surefire way to keep them out of Raytheon’s network.

Raytheon is not the only company dealing with this dilemma. Many in the military-industrial complex are keen to figure out a way to move IT work offshore. The federal government itself, one of the largest outsourcers in the country, must consider where the work it is sending to EDS or Lockheed Martin will ultimately wind up. And even nondefense-related companies must sort out how similar data-access situations apply to regulations like the Health Insurance Portability and Accountability and Gramm-Leach-Bliley acts. Consider the case of the clerical worker in Pakistan who threatened to post a U.S. hospital’s patient data online if she wasn’t paid more money. Any sensitive data can be dangerous in the wrong hands.

This is a new minefield for defense IT. While other parts of the business have incurred major penalties for export violations, military defense contractors have, up until now, largely dismissed the idea of using offshore talent on their systems. “If you look at my counterparts at Boeing, Raytheon and Lockheed Martin and compare us to the rest of our peers in the Fortune 500, we’re the rare breed that still does very little offshoring, and that’s all because of [International Traffic in Arms Regulations] and export regulations,” says Tom Shelman, CIO for Northrop Grumman.

But as the cost pressures to exploit offshore outsourcing mount, CIOs now face a complicated conundrum: how to protect their sensitive information while enabling the global collaboration necessary to compete in today’s business environment.

“It’s a huge concern not just for government contractors but for any CIO who’s dealing with material that’s regulated, whether it’s defense or financial services or pharmaceutical companies,” says Akiba Stern, partner in the New York City office of global law and consulting firm Shaw Pittman. “The companies themselves know a lot about the regulations in their industry, but the people who are doing the outsourcing don’t. And there are no actual rules for how to work the outsourcing.”

The Export Police

Since World War II, the United States has been placing restrictions on the export of certain arms and related data. Today, the State Department’s Office of Defense Trade Controls administers the International Traffic in Arms Regulations, or ITAR, which require specific licenses for exporting items on the U.S. munitions list, from aircraft and ships to firearms and chemical weapons, as well as any technical data needed to make them.

The Commerce Department’s Bureau of Export Administration (BXA) administers the Export Administration Regulations (EAR), which control the export of commercial items that could have military applications (computers, civilian aircraft, viruses for scientific research, even radios). Both ITAR and EAR prohibit the release of related data to foreign nationals (anyone not a U.S. citizen or permanent resident alien), which is why CIOs at companies like Raytheon find themselves in a fix.

The potential for trouble has only increased with the pervasiveness of offshore outsourcing, especially since companies such as India’s Tata Consultancy Services and Wipro are subcontractors to some of the largest U.S. outsourcers, including CSC, EDS and IBM. Amplified sensitivity to issues of national security and terrorism has further fueled concerns, making this a hot-button issue for CIOs in regulated industries. “We’re living in a different sort of world,” says Michael Daly, corporate director of IT security for Raytheon. “What was just a topic of conversation a few years ago is now top of mind.”

As a result, the enforcers of export regulations are getting tough on violators. “They’ve stepped up their regulatory activity and fines, many of them in excess of $10 million,” says Larry Christensen, vice president of international trade content for Vastera, a global trade technology provider, and former director of the BXA’s regulatory policy division.

Just last year, Raytheon agreed to pay $25 million in civil fines to settle charges from the Department of Justice that it tried to evade export laws in the attempted sale of sensitive radio technology to Pakistan via a Canadian subsidiary. Similarly, Lockheed Martin settled a federal lawsuit for $13 million in 2000 for providing technical advice to a Hong Kong company working on China’s commercial satellite program. Two years earlier, Boeing Satellite Systems paid $10 million for sharing rocket data with Russian and Ukrainian partners.

The escalation in fines has not been lost on the industry. And now that companies such as Raytheon and Northrop Grumman are exploring the possibility of letting foreign workers handle their systems, their CIOs are well aware of the perils if their companies’ technical data is exposed through outsourcing arrangements. “It’s a big, complicated problem,” says Ron Remy, director of IT operations for Lockheed Martin Space Systems. “We deal with lots of secure information, not just our proprietary information and ITAR-regulated information, but even classified Department of Defense information.”

Among the systems currently off-limits to offshore outsourcing at Lockheed Martin: ERP systems, which contain the material requirements for developing and defining the company’s products, and the engineering systems used to design its products, including space-based telecommunications and missile systems.

Testing the Offshore Waters

Generally, IT service providers such as IBM disclose to their clients what subcontractors, if any, they plan to use on an outsourced project. But CIOs are ultimately responsible for making sure the arrangements for systems access are fail-safe. If a company violates export regulations as a result of its outsourcer subcontracting to a supplier in China or India, you can bet it won’t be the outsourcer that pays. “If there’s a regulation that you’re responsible for and your outsourcer doesn’t comply, you have to deal with the damage,” Shaw Pittman’s Stern says.

Multimillion-dollar fines, experts say, would be just the beginning. “In government contracting, the damage to reputation is almost always worse because you’re dealing with something that’s perceived to be a national security issue,” says Ed Hansen, another Shaw Pittman partner. “When that hits the newspapers, it looks really bad.” Violators can lose their ability to sell to the U.S. government, and ultimately, to export at all.

And it doesn’t stop there. “We’ve even seen a willingness to seek criminal indictments,” Christensen says. “And corporations don’t go to jail; people go to jail.” In 2001, criminal charges were brought (and eventually dropped) against a McDonnell Douglas executive for conspiring to sell machine tools used to make jetliners to China. Though it hasn’t yet happened to a CIO, the possibility of up to 10 years in prison for an export violation is not one that any IT executive wants to consider.

Even so, Northrop Grumman, which in response to ITAR and EAR worries took back in-house work that was previously being done in India for TRW (which it acquired in 2002), is now testing the offshore waters. “What if our shareholders look at the enormous cost of IT at our corporation and benchmark us against other Fortune 100 companies not bound by ITAR? We can’t afford to be the ones that don’t do it,” says Northrop Grumman’s Shelman. He is currently conducting two pilots in India — one for an ongoing project involving PeopleSoft support and another for a one-time project involving Web development — to determine if offshoring is doable.

“There are two different issues you have to address depending on your level of paranoia,” says Rapheal Holder, who is overseeing the pilots as vice president of shared services for Northrop Grumman. “There’s how you’re going to review code prior to introducing it back into your production environment, and how you address the need to give foreign nationals access to the production environment and live, potentially sensitive data.”

Holder says it’s been a painstaking process; the company has had to methodically go through each system to identify what data controls need to be put in place, how to provide the offshore workers with access to the live production environment, and ultimately how to inspect code created by the foreign workers. “It’s a slow process of peeling the onion,” says Holder.

Shelman says Northrop Grumman will complete the pilot projects in India and will be able to give a yea or nay to offshore outsourcing in the 2005 IT budget. The company may enter an offshore engagement, but only if it has pinpointed all the controls required to meet export requirements, identified the infrastructure required and can still foresee significant cost savings.

Salvaging a Done Deal

When IBM and Raytheon initially discussed their outsourcing deal, IBM executives tried to assure Raytheon CIO Debrecht that subcontracting to foreign workers would not pose a problem. “They said, ‘Oh, we’ve done this before, and we know how to work through these issues,’” he recalls.

That wasn’t good enough for Debrecht, and he knew it certainly would not satisfy executives at Raytheon headquarters. “Raytheon is very sensitive to such issues, just like any defense company is. You read in the paper that this contractor violated this or that export law and was fined millions of dollars,” Debrecht says. “I don’t want to be the one to have to go to the CEO and say, Yeah, that was because of me.”

Not surprisingly, the initial reaction of top Raytheon executives to IBM’s plan to offshore some of the SAP deal was negative. “The easy answer for Raytheon was to just say, No, don’t let them into the systems,” Debrecht says.

Unfortunately for Raytheon Aircraft, the SAP outsourcing was part of a larger supply chain transformation contract with IBM. The proposed project required a host of changes to the SAP system, and IBM needed control of the application to make them in a timely fashion, says Debrecht. And that meant access to the production servers.

Debrecht had gone through similar issues on other projects, but those were relatively simple application development situations. The foreign nationals could do the programming work on development servers, where live data was replaced by dummy data, and they never set foot in the production environment stateside.

That’s how Boeing, for example, has been able to outsource some programming to Russian outsourcer Luxoft for the past four years. Boeing has an internal committee that determines what projects can be sent to Russia. It then identifies export-regulated sensitive data (such as diagrams for an airplane wing), eliminates it from the application, inserts dummy data in its place, and ships it off to Moscow where developers don’t need to see the sensitive data to do their work.

When it comes to ongoing systems support, like IBM’s work for Raytheon Aircraft, where access to the real data is necessary, things get more complicated. “You have to put limits on what people have access to, create audit trails, know who has what passwords,” Shaw Pittman’s Stern says. “It’s a whole regime that has to be put in place.”

Raytheon decided the time and money needed to make the project work was worth it, particularly since Raytheon CIO Rebecca Rhoads would like to see the company take full advantage of offshore outsourcing. So for the time being, IBM has agreed not to use foreign nationals on the SAP account for up to two years, until Raytheon Aircraft solves the problem of making offshoring secure.

“The biggest challenge is server access, particularly when you have technical data that is controlled by State or Commerce,” says Vastera’s Christensen. “Not every IT department knows how to handle that well. And there are always drawbacks to controlling data access. Separate servers can result in hard feelings on the part of those locked out — encryption which may not be all that good.”

It wasn’t that Raytheon lacked a way to control access to its live data before. After all, the company operates in 76 countries and collaborates with partners around the world. The U.S. Navy’s DDX Destroyer, a high-tech $2.9 billion warship for which Raytheon is developing the electronics and weapons systems, involves no fewer than 81 discrete companies worldwide.

But up until now, Raytheon has had to build secure collaborative environments from scratch on a case-by-case basis. That meant assessing requirements, figuring out appropriate security standards, determining how to label data and creating an Integrated Digital Environment (IDE) for data sharing specific to the needs of each project.

The goal now is to streamline and, as much as possible, automate how federally regulated data is handled, reducing the time and money it takes to set up a new infrastructure every time the company wants to let outsiders into certain areas. “In the past, it was very manual, writing down logs, making sure the appropriate federal licenses were maintained, and installing firewalls to keep non-U.S. Raytheon separate from U.S. Raytheon,” Daly explains. “It’s very frustrating because as a business what we need are canned solutions for this that can just plug and play. We just can’t spend six months to a year to build a collaborative environment each time we need it.”

A New Kind of Knowledge Management

Debrecht has tapped several Raytheon officials for help in designing the automated solution to permit IBM’s offshore subcontractors to work on the SAP system, including executives in corporate governance, IT security, HR and the legal department’s import and export division. Daly also sent two of his employees to Raytheon Aircraft’s headquarters in Wichita, Kan., to help Debrecht devise a security plan.

“The situation requires that Raytheon have a multilevel program for managing outsourcing and federal export regulations,” Daly explains. “We need a means of labeling the data that everyone understands. We need a program for identifying the status of a [U.S. person or foreign national]. And we need to put in an infrastructure that allows those parties to participate while controlling what they have access to.”

In essence, Daly says, Raytheon needs a very intricate form of knowledge management, which does not yet exist commercially.

First, Debrecht and his team determined what the Indian workers will be able to look at in the SAP system and what they won’t, in accordance with Raytheon’s internal rules for export compliance. They can view what’s called a “piece part” of an aircraft — anything from a nut or bolt to a tire or piece of sheet metal, for example — as long as they don’t know how it is assembled. If they had access to the materials information and the recipes for putting them together, that would be a problem.

That phase complete, “it’s now a matter of figuring out how we can separate out all the non-ITAR, non-EAR data and let them support the things that are OK for them to see,” Debrecht says. This phase two is sticky because the SAP production server is ultimately linked to the larger Raytheon network. “If we let them into our production network, a person with the right skills could hack into other areas within Raytheon,” he says.

Debrecht plans to use a secure ID setup with two-factor authentication to automatically determine who can get into the network. SAP will monitor what transactions an Indian professional can run, what tables he can modify and so forth. Raytheon would administer the system, but IBM would use it to enable its offshore subcontractors to work on the SAP system. But in order to protect the rest of the network, Debrecht must go further; Raytheon is working on a next-generation security system in conjunction with Microsoft and Cisco. But in the near term, Debrecht sees a potential solution in what he calls a terminal DMZ server. One step removed from the real network, it duplicates the information the worker needs from the network without providing actual access to the network.

Phase three, says Debrecht, will be figuring out a secure way to let foreign nationals onto the actual production equipment, giving them access to only the live data they are permitted to see. “That’s the final end state,” says Debrecht. “At that point there will be a separation of data, a lockdown of sensitive data, security profiles for every worker determining their level of access, and networkwide security that will prevent foreign workers from leaving the production system and getting on to the [Raytheon] network.”
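The three phases above amount to one access decision repeated for every transaction: is the second factor present, is the worker a U.S. person or a foreign national, and is the record labeled ITAR, EAR or unrestricted (a "piece part" is fine; the assembly recipe is not), with every decision written to an audit trail. The following is an added illustration of that decision point, not Raytheon's, IBM's or SAP's code; the table names, user ids and the `Gate` class are hypothetical.

```python
# Added illustration of the labeled-data / person-status access gate the article
# describes. Not Raytheon's, IBM's or SAP's code; every name here is hypothetical.
from dataclasses import dataclass, field
from enum import Enum


class Label(Enum):
    UNRESTRICTED = "unrestricted"  # e.g. a "piece part": nut, bolt, tire, sheet metal
    ITAR = "itar"                  # munitions-list technical data (State Department)
    EAR = "ear"                    # dual-use technical data (Commerce Department)


class Status(Enum):
    US_PERSON = "us_person"                # citizen or permanent resident alien
    FOREIGN_NATIONAL = "foreign_national"  # everyone else


@dataclass(frozen=True)
class Record:
    table: str    # constructed table name standing in for a real SAP table
    label: Label  # assigned by the data-labeling program, not by the worker


@dataclass(frozen=True)
class Worker:
    user_id: str
    status: Status
    mfa_verified: bool  # second factor presented for this session


@dataclass
class Gate:
    """Deny-by-default decision point; every decision lands in the audit trail."""
    audit: list = field(default_factory=list)

    def authorize(self, who: Worker, rec: Record, action: str) -> bool:
        allowed, reason = False, "default deny"
        if not who.mfa_verified:                 # checked before anything else
            reason = "second factor missing"
        elif who.status is Status.US_PERSON:     # status decided by HR/legal, not self-asserted
            allowed, reason = True, "U.S. person"
        elif rec.label is Label.UNRESTRICTED:    # piece parts are viewable offshore
            allowed, reason = True, "unrestricted data"
        else:                                    # assembly recipes, materials data
            reason = f"{rec.label.value} data withheld from foreign national"
        self.audit.append((who.user_id, action, rec.table, allowed, reason))
        return allowed

    def denied_restricted(self) -> list:
        """Audit entries where a foreign national reached for ITAR/EAR data (review queue)."""
        return [e for e in self.audit if not e[3] and "withheld" in e[4]]


if __name__ == "__main__":
    gate = Gate()
    offshore = Worker("ibm-sub-01", Status.FOREIGN_NATIONAL, mfa_verified=True)
    gate.authorize(offshore, Record("material_master", Label.UNRESTRICTED), "read")
    gate.authorize(offshore, Record("bill_of_materials", Label.ITAR), "read")
    for entry in gate.audit:
        print(entry)
```

The order of the checks matters: a missing second factor denies even unrestricted reads, and a U.S. person never reaches the label test, which keeps the label registry the only place where ITAR/EAR scope is decided.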

Once Debrecht figures out how to make that work, he’ll hire an outside security firm to come in and try to break the new system. If that attempt fails, Debrecht may succeed in enabling IBM to use its offshore facilities on the project. Of course, IBM must then comply with all the new processes and systems Raytheon Aircraft puts in place. If not, says Debrecht, IBM will have violated the initial contract, and the deal may end prematurely. “But they probably have too much at stake, as do we, to give up,” Debrecht predicts.

Debrecht hopes to have a secure method in place within six months that allows IBM to employ Indian subcontractors. If he does, the opportunities for sending information technology work offshore could increase dramatically. “We don’t do a lot of design or development outsourcing. But we’re talking about breaking new ground here,” he says. “This could open up other opportunities within the corporation.”

Ultimately, the question for companies such as Raytheon, Lockheed Martin and Northrop Grumman will be where to draw the line. Shelman could see sending HR, financial and even manufacturing systems offshore eventually, though he says he’d keep engineering design systems stateside. Business process outsourcing done by foreign nationals is also unlikely; in BPO (data entry or accounting, for example) the provider manages the network in addition to the business functions performed on that network. “There’s no way to avoid using real data with BPO, and you have to ensure that your outsourcer is as careful about the data as you are,” Stern says.

But then again, maybe it’s possible.

“Once we’re able to crack the code and we’re able to do this in some kind of repeatable manner,” Debrecht says, “who knows what else we can do.”