I'm torn between horror and admiration at this story: the software developer who outsourced his job to China.
As it turns out, Bob had simply outsourced his own job to a Chinese consulting firm. Bob spent less than one fifth of his six-figure salary for a Chinese firm to do his job for him. Authentication was no problem: he physically FedExed his RSA token to China so that the third-party contractor could log in under his credentials during the workday. It would appear that he was working an average 9 to 5 work day. Investigators checked his web browsing history, and that told the whole story. OMG. Words do not suffice.
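The two log sources the story mentions, the VPN authentications and the web browsing history, are enough to catch this pattern with one correlation: a user whose token authenticates to the VPN from abroad while the same account is browsing from inside the office. The following is an added example, not code from the original post or from the company involved; the log records, the home country of "US", and the assumption that the web proxy is reachable only from the office network are all constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real logs). Each VPN login is
# (user, ISO timestamp, source country of the connecting IP).
VPN_LOGINS = [
    ("bob", "2012-06-04T08:55:00", "CN"),
    ("bob", "2012-06-05T09:02:00", "CN"),
    ("alice", "2012-06-04T08:30:00", "US"),
]

# Constructed web-proxy records. Assumption: the proxy only serves the
# office LAN, so a hit proves the user was physically at a desk.
PROXY_HITS = [
    ("bob", "2012-06-04T09:10:00", "reddit.com"),
    ("bob", "2012-06-04T14:20:00", "ebay.com"),
    ("alice", "2012-06-04T10:00:00", "docs.example.com"),
]

HOME_COUNTRY = "US"          # assumed: where the workforce actually sits
SESSION_WINDOW = timedelta(hours=8)  # assumed typical VPN session length


def parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def find_concurrent_presence(vpn_logins, proxy_hits,
                             home_country=HOME_COUNTRY,
                             window=SESSION_WINDOW):
    """Return (user, vpn_login_time, country, proxy_time) for every case
    where an account authenticated to the VPN from outside the home
    country and then generated office-only proxy traffic inside the
    assumed session window. One person cannot be in both places, so
    each finding means the credential (or token) is being shared."""
    hits_by_user = {}
    for user, ts, _url in proxy_hits:
        hits_by_user.setdefault(user, []).append(parse(ts))

    findings = []
    for user, ts, country in vpn_logins:
        if country == home_country:
            continue  # foreign logins are the only ones that matter here
        login_at = parse(ts)
        for hit_at in hits_by_user.get(user, []):
            if login_at <= hit_at <= login_at + window:
                findings.append((user, ts, country, hit_at.isoformat()))
    return findings


def users_flagged(findings):
    """Distinct accounts that need a conversation with HR and security."""
    return sorted({f[0] for f in findings})


if __name__ == "__main__":
    for user, login, country, proxy_time in find_concurrent_presence(VPN_LOGINS, PROXY_HITS):
        print(f"{user}: VPN from {country} at {login}, office browsing at {proxy_time}")
```

The check is deliberately simple; the same correlation works with badge-reader events in place of proxy logs, and a country-of-origin filter is only a starting point, since a contractor could just as easily route through a domestic VPN endpoint. The durable control is that a hardware token is bound to a person, and any two simultaneous signs of presence for one account are worth an alert.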
On the one hand, this is useful information for his employer; instead of paying Bob $200K+ and providing physical office space for him, they could just pay the Chinese $50K and have them deliver their work electronically. On the other hand, can you imagine the attraction for the Chinese Ministry of State Security of having full access to the network of a major "U.S. critical infrastructure company"?
Had I been the boss of this company, I would have called Bob into my office and congratulated him on his entrepreneurial spirit. I would then have clubbed him over the head, fed his body to pigs, pulled the plug on my entire network, rebuilt it from the ground up with new hardware and software, and given the CIA, NSA and FBI full access to the original network to do with what they wanted. I would also have given my HR department and Bob's management chain 48 hours to respond to the accusation that they were completely ineffectual in assessing and supervising the performance of personnel, and fired anyone unable to produce a reasonable excuse.
This just goes to show that your security is only as good as your least trustworthy and most ingenious employee.