In many developed nations, offshore outsourcing posed a challenge to the national economy even while firms benefited from its superior ability to lower costs. This recent business model has evolved into a premium experience that has come to satisfy customer expectations while remaining a sensible business model. Countries like India, Russia, the Philippines, and Bulgaria provide professional services and solutions as economic alternatives to large corporations, and even to small-to-medium enterprises (SMEs). However, cost saving is not the only reason why most businesses are opting to outsource their professional services. A Forrester Research study suggests that many of the businesses that have outsourced their services to a business in another country have in fact achieved higher efficiencies in their processes. Other benefits attributed to outsourcing include higher system availability, risk mitigation, speed of delivery, discounted power costs, reduced operational and capital expenses, regulatory compliance and environmental benefits.
But outsourcing data offshore is a double-edged sword in that, while it offers many advantages, it also poses threats to the data that is being exported and handled in the other country. These threats could be at an individual level, firm level and/or national level.
Individual-level challenges are mostly related to intellectual property and data interpretations. Firm-level challenges often relate to business strategies, and national-level challenges raise concerns related to data security and protection. The outsourcing of individuals’ and firms’ data and services, and the advantages and risks it poses, is an expansive area of discussion and thus beyond the limited scope of this paper; what is critical, however, is the importance of state-level strategic protection of data before technology manipulation.
In the absence of a national “data protection law” in Afghanistan, it becomes the responsibility of each organization to develop strategies to protect citizens’ ‘personally identifiable information’, because human data is human itself in the digital world.
In the developed world, for example, many organizations do not allow multi-national onshore technology service providers to assign their offshore engineers to handle their data. These organizations generally include government agencies, hospitals, banks and some manufacturing companies. The reason is the explicit restriction of certain types of data by the country’s law or the organization’s policies. Usually, when offshore engineers or developers provide their professional services, they do so over a secure virtual private network (VPN) across the internet from the comfort of their home (country). The connection might be considered secure, but insecurity could arise if national data is exposed to individuals, businesses or intelligence agencies outside the country. Consider the 2009 case of a Pakistani data entry clerk who attempted to extort money from the University of California at San Francisco’s (UCSF) Medical Center using patients’ confidential files. The UCSF Medical Center had outsourced the contract to an onshore (US-based) company that then outsourced it to another onshore company, which in turn outsourced the processing of it to Pakistan.
Unfortunately, similar practices are also the norm in many of the government offices in Afghanistan. We might still be in shock after the recent cyber-attack on the government data center, but aside from providing short-term quick fixes to the issue, explicit strategies need to be articulated around the security and privacy of national data in order to ensure confidentiality, integrity and availability.
In addition to the recent incidents and other untold stories of cyber-crime in the country, the real threat exists in the management of the IT projects given to contractors outside the country. The contractors are usually non-Afghan companies sitting outside the current boundaries of Afghanistan with access to data residing in Afghan government computers. This raises serious questions about Afghanistan’s own national data security. For example, do we check their compliance with the legal framework in their country? Can a local Afghan contractor outsource a portion or all of the contract to a third party outside the country? Should we restrict government data to be handled inside the country by Afghan or non-Afghan contractors? Or should we restrict our data to be handled entirely by Afghan-only IT service providers?
These are the kinds of questions the new government should expect the IT governance teams (IT management and organization top management) to account for if the Afghan State wants to ensure its privacy and security. The multi-layer technological approach to information security is backed up by a number of related concepts such as physical security, data privacy awareness, information security strategies, organizational codes of conduct and national data protection policies.
The need for coherent strategies for data protection and information security will be increasingly important for two reasons.
The first is the adoption of technology in public, private and social life within the country, and the second is the use of cloud technology at a global level. Cloud technology applications are being used in the private and public sectors because of their low capital investments, lower rates, and ease of customization and deployment.
As telecommunication services continue to improve in the country, we will see more use of cloud-based services, which will pose data and other security challenges. Data protection policies will not only develop citizens’ trust in public services but will also provide comfort to foreign investments in the country.
Some might believe that it is too early for the government to invest its already limited resources (human and capital) in the IT sector; however, it is a crucial step to take, particularly as reactive treatment will cost far more in the future than proactive prevention.