Wednesday, November 7, 2007

The H1-B and security?

Allow me to explain.

This news story getting front-(virtual)-page coverage on ComputerWorld , is extremely interesting, and at the same time boring, old news. For years now, we've been debating how the H1-B visa is taking away jobs from US-based workers. Whether you agree with it or not, let's address the issue from a different angle. I would like to turn your attention to how this affects security, and the viability of a company.

Let's assume for one minute that Company A (some big-pharma company) is hiring H1-B "contractors" from off-shore. Let's further assume that they're effectively vetting their employees because they understand the value of knowing everything about the people you hire to help stem insider security threats. Now, maybe I'm reaching a bit here, but here is how I see a company effectively vetting their employees:
  1. Employment history check (calling previous employees)
  2. Criminal background check
  3. Drug testing
  4. Credit check
  5. Extensive background check (military-grade) for those who work in security or super-secret labs making the next wonder-drug
Again, let's not look at whether these H1-B candidates take away jobs from US citizens, but let's address security. All of the above checks can be run against a candidate from the United States, but how many of these things can you effectively check against, for example, someone from China? You can only get the employment history that their contracting agency gives you, and have to assume they're not just making things up (really, do you trust them?). You also have absolutely no way of doing a criminal background check (save for InterPol, which if they show up on you've done something wrong), maybe you can ask them to submit for a drug test, but certainly they'll have no verifiable credit history or extensive background check available.

What does that mean to you, the hiring manager at Company A? It means you're hiring a threat. Period. It doesn't matter how you try to word-smith your contracts, the fact is you're hiring an unknown, and in security unknown equals threat. If you don't know what's in the box, odds are you're not stupid enough to allow it into your perimeter. But - the fact is, we allow contractors we haven't fully vetted into our environment all the time. We then give them access as system administrators, customer service representatives, database administrators, researchers, lab assistants and many, many other sensitive positions.

So let me summarize. The article is interesting in that it brings back up an old debate which has raged on for years and will likely not be settled by you or I, but rather by greedy politicians who cede positions and votes to lobby groups headed up by Oracle, Microsoft, and other greed-based organizations who's goal it is to hire the absolute cheapest labor, period. But that's not the point. The point is that we're allowing threats into our environment, nae, we're asking for threats to come into our environments. That's a security issue. That we need to raise.


Anonymous said...

Outsourcing security is publishing your company's intellectual property on the front page of the NYT where OBL and his "talibuddies" get their news!

Anonymous said...

Robert O. Carr
Chairman and Chief Executive Officer
Heartland Payment Systems
Should be held personally liable for the ruin and destruction he caused tens of thousands of people because he wanted to save a dollar using the H-1B program.
The design they accepted had major flaws.
After the recent judgement on court cases, companies that use H-1B (like Citi Group announced in Feb 2009) should have open disclosure so citizens can close accounts for thier safety.
Meanwhile, CEO's that took huge personal bonus for frauding its customers should be held personally responsible.