“The primary objective of FDA’s India Office, which opened in New Delhi in 2008, is to ensure that food and medical products exported from India to the US are safe, of good quality, and are effective.” The US accounts for approximately a quarter of India’s pharmaceutical exports, consuming some $4 billion worth of medicines from India in 2013-14. Lifting the quality of exports also helps India improve the quality of its domestic medical supply; the FDA’s initiative is thus a win-win for both nations.

Perhaps the powers that be in both nations could also consider a similar model for the Indian software industry. The US accounts for over 60 per cent of India’s software exports, with the market generating over $30 billion in export revenues for India in 2013-14 (computer services, excluding ITES/BPO services, that is, IT-enabled services/business process outsourcing).

Defence moves

Who can deny that today’s internet-dependent economies demand the same level of safety from software that humans expect from medicines? However, when the world is focused on mitigating the deadly and hugely expensive episodes of cyber attacks, the US seeks to impose controls on exports of cyber security products and services by implementing the Wassenaar changes. To recall, in December 2013, the Wassenaar Arrangement extended its reach to the cyber world.

Whatever the intentions of this extension, it might end up as an instance of cutting off the nose to spite the face. For in the cyber world, offensive tools used by Black Hat hackers, criminal and mafia groups and state-backed groups also double up as vital defensive tools.

It was unsurprising then that the US technology sector vociferously opposed the proposals of the US Department of Commerce's Bureau of Industry and Security for the implementation of the Wassenaar changes. The Department has since committed to drafting new rules to replace/amend the earlier draft.

Setting up FDA-type software security offices in key countries exporting software to the US might well benefit the US more than imposing controls on exports of cyber security products. While the Wassenaar Arrangement might have worked in the physical world, will it work in the borderless cyber world? Will a country like Russia, a leading global supplier of cyber security software and tools, implement rules to accommodate the Wassenaar changes?

And especially at a time when it is facing economic headwinds and is under sanctions from the US and the EU? It does not seem to be in Russia’s interest at all, given its enormous strengths in the cyber security area and the huge market for such products.

Interestingly, according to The Economist, Israel now earns more from exports of internet security products than from arms sales. The recent attack on iOS (Apple) app store suggests that hackers may have also found a new way of compromising the internet – by infecting machines of software developers writing legitimate programmes and apps. Developers are a huge and logical target for hackers.

Battle of skills

With apps and software for users in the US increasingly being developed all around the world (the apps in the Apple attack were developed in China), vigilance at the development stage becomes a strategic imperative for the US.

The breach of computer systems at credit bureau and consumer data broker Experian North America exposed about 15 million Social Security numbers and other data on people who applied for financing from wireless provider T-Mobile USA.

According to Experian, the compromise of an internal server exposed names, dates of birth, addresses, social security numbers and/or drivers’ license numbers, as well as additional information used in T-Mobile’s own credit assessment. The vulnerability in the internal server could well have come from source code developed by firms outside the US or from use of data centres in other countries.

While such suppliers may well have local software security compliance certification, the quality of certification is suspect. Most auditors are helpless in the battle against highly skilled and criminally minded hackers, and may not even be aware of vulnerabilities that exist in software code.

Compliance certification is largely a box-ticking exercise. As such, the US should adopt the FDA model for the software sector, and a country like India, which is a large exporter of software to the US, would be an ideal location to pilot the onshore software policeman model.

This will help to get special cyber security talent on board. Unlike medicines, cyber security testing and inspections need unconventional talent.

The writer is Founder, Cyber Security & Privacy Foundation
