When tech support goes global, are federal networks compromised?

Moving tech support overseas has lowered costs for manufacturers and customers, but creates several security questions for government agencies. Force 3's CTO Chris Knotts offers his take and a possible solution.

Over the past decade, a majority of IT manufacturers have offshored their technical support, moving from the United States into countries all over the world.

This globalization allows manufacturers to take advantage of significant cost savings, expanded talent pools, and the 24-hour efficiency of a follow-the-sun business model.

For most general enterprise consumers, gaining this added efficiency and cost savings in exchange for a slight language barrier has proven to be a fair tradeoff. In this way, the globalization of technical support should be embraced as a way to provide more efficient and lower cost support to consumers in a commercial environment.
But for a federal agency, the issues that come along with offshored technical support can be much more concerning than a language barrier. There is the potential for significant security problems when federal workers, even in military and civilian environments, share sensitive information about their IT infrastructure with unknown, non-U.S. citizen support technicians.
Comparing Network and Facility Security

Federal agencies have strict policies for unknown citizens entering their buildings. At Force 3, our customer mandated security policy prohibits the entrance of non-U.S. citizens into our building unless they are tightly controlled, contained to one room, or escorted from place to place.
Extend that situation into a technology support scenario: Suppose you are a federal agency employee calling your server manufacturer for general support. The engineer on the other end of the phone may ask for server names, passwords, IP addresses, or other sensitive information to help solve the problem.

In the case of network troubleshooting, it is standard protocol for the support engineer to request configuration files or even remote access to the equipment so that they can actually go into the system to investigate the problem.

In that case, you have an unknown individual with direct, intimate access to sensitive information and federal infrastructure.
In this context, the security risk of allowing someone who is completely unknown to you and holding no position of trust to access sensitive infrastructure becomes clear, but it happens every day.

We need to become as vigilant with our IT environments as we are with our physical environments.
An Issue of Trust

As a critical point of information gathering, technical support carries a risk for all federal agencies. Even those not operating in a classified environment need to be concerned about the information they share about their systems, and with whom.

It is possible that hackers interested in carrying out cyber attacks on U.S. government systems are gaining access or information in this way.

Unfortunately, with most standard support contracts, there is currently no real way of knowing if the person on the other end of the telephone is in a position of trust. Do they have any security clearance? Have they been through any kind of security or background check? Are they a U.S. citizen?
As we have seen recently, it is more often thousands of small cuts into our networks that disclose top secret information rather than one big, bold, coordinated attack. It is possible that non-citizen access to government IT environments provides the opportunity for adversaries to gather the information necessary to carry out these types of attacks.

This is an area that needs attention from the government to aid in the prevention of cyber attacks on our systems.
The Role of Government

The government needs to establish policies for the way that technical support is delivered to federal agencies to protect against these threats. The same logic that puts strict requirements into place for our physical government facilities should be followed for our IT environments. 
Guidelines stating that support must be delivered by U.S. citizens could be implemented to further protect federal agencies.

In our market, we have begun to see indications that some federal agencies are considering a move to U.S.-only support. With our defense customers, we have even discussed guidelines that would prevent them from entering into contracts with manufacturers whose support is provided by non-U.S. citizens.

In order to meet such requirements, government agencies would need to move to specialized offerings, which generally cost quite a bit more from the manufacturer.
Emerging Solutions

Many of our customers in federal agency environments have come out and said, “We need a different solution,” in response to offshored technical support.

Security and affordability are the keys. With their Partner Support Service, Cisco is taking a leadership role among manufacturers in addressing this need.

They are working to enable certified partners to provide support for their equipment to their customers. These types of partnerships are progressive in the public space for helping their customers lower costs. By putting support in the hands of trusted partners, manufacturers can help to provide federal customers with options that suit their unique needs—including secure support from cleared U.S. citizens.

While globalized technology product support provides manufacturers and general enterprise consumers with many important benefits, it presents a potential security threat for the sensitive infrastructures of our government agencies.

At this time of consolidation and uncertainty, it is vital that we implement policies and provide federal agencies with options that support both their critical infrastructure and their budget.