How big a problem is the fact that a large proportion of software is written offshore, for instance?
Prior to Y2K, a lot of systems were being outsourced to Indian software engineers, largely because they are incredibly cheap compared to what you’ll pay for in Silicon Valley. It finally dawned on somebody over in Defense that this was a potential problem. You know, what you’re doing is you’re handing over source code to working systems to an outside vendor. Second of all, nobody knew what was going to come back. As an engineer, it would be very easy for me … to put in things that a normal engineer wouldn’t necessarily know what they’re looking at, that gave me a back door or opened up a covert channel, meaning it covertly transmitted data back out. So, the National Security Agency then issued an order that defense systems could not be outsourced to outside noncleared personnel. But as far as worries about offshore stuff — is it possible to check the stuff that comes in? Well, as an example, I could sneak something into a keyboard driver that specifically was looking for your pass