
The BlackBerry saga

Shoot the (BlackBerry) Messenger.

India’s pushback on the BlackBerry issue, along with the stance of the U.A.E. and Saudi Arabia, is challenging fundamental perceptions of electronic security and global commerce. India and the Gulf countries contend, and not without justification, that they require the ability to intercept encrypted electronic communication in the interest of national security.

India’s history as perhaps the nation most victimized by terrorism has necessitated such a stance.  The Indian government has let it be known that it will ban BlackBerry devices in the absence of such an ability (the U.A.E. expects to enforce its ban beginning October 11, if no agreement is reached). At the core of this security dilemma is the uniqueness of RIM’s BlackBerry architecture, where its encrypted emails are stored in server farms in Canada.

There are two aspects to any government’s legitimate need to access encrypted emails: surveillance under warrant, and post-incident forensics. As far as surveillance is concerned, governments should be able to intercept and read communication that they legitimately feel threatens the integrity of the nation and the safety of its citizens. From a post-incident forensics standpoint, physical access to the servers that contain encrypted email will allow the state to control variables, establish a chain of custody and bring about successful prosecutions.

In the U.S., the National Security Agency (NSA) has the ability to “snoop” electronic communication under court order.  During the George W Bush Administration, the NSA had the ability to intercept electronic communication without a court order in the days immediately following 9/11 (many suspect that this is an ability that the NSA retains).

India has asked to be given the ability to decrypt BlackBerry emails, if it feels they threaten its national security. RIM has denied the request, stating that there are no master keys to decrypt BlackBerry emails. There are two obvious fallacies with regard to this assertion. One, knowing the U.S.’s preoccupation with security, it would have been impossible for RIM (a foreign company, for all intents and purposes) to operate commercially in the U.S., were this true. Two, news reports indicating that the U.S. is in negotiations with India on resolving the issue make me question why the U.S. would want to insert itself into what should rightly be negotiations between India and RIM (or Canada).

It is the legitimate right of any democratic government to intercept communication that threatens its national security, or to secure and use as evidence any information used to undermine it. Any talk of a settlement whereby a third party or government (such as the U.S.) decrypts BlackBerry emails for India upon request is unwelcome. For one, it should be fundamentally unacceptable to GoI to allow a third country custody of its citizens’ secure communication.

The government of India should therefore accept nothing short of access to RIM’s decryption keys and a server farm physically located in India.  Anything short of this will likely be a compromise of national security.  If RIM chooses to be unyielding, it is entirely their loss.  This blogger can think of a million reasons why they will be compelled to reconsider their stance.


Battleground Cyberspace: My article in Pragati

In this month’s Pragati, I lay out the state of India’s defense preparedness in the theater of cyberspace and argue for a sustained commitment to the proactive defense of the nation’s information assets, as well as for the augmentation of India’s capabilities in conducting offensive IO operations. Both of these can only be effective when operating under a legislative framework that is attuned to global trends in the proliferation and use of information technology in the conduct of both conventional and unconventional warfare in this Information Age.

DECEMBER 24, 2008.  Barely a month after the 26/11 attacks, a group calling itself “Whackerz Pakistan” hacks into the Indian Eastern Railways website, defacing it with a series of threats against Indian financial institutions and Indian citizens.  Earlier that year, hackers from China attacked the Ministry of External Affairs (MEA) website. Despite official denials, at least one website reported that the hackers stole login identities and passwords of several Indian diplomats.

The proliferation of information technology in India, coupled with low levels of security awareness (at personal, corporate and government levels), means that this vulnerability to attacks from hostile national and sub-national entities will only increase. The rapid adoption of new technologies in today’s world presents challenges that India, and other nations, will be forced to address. Due to the nature of cyber warfare and cyber terrorism, no nation can truly be invulnerable to attacks. Indeed, cyber attacks will continue to be weapons of choice for many, given issues of jurisdiction in bringing offenders to book, the relative anonymity of operating over the Internet, and the negligible cost associated with mounting a cyber attack (and indeed, each incremental cyber attack) against a specific adversary.

Read more about it on Pragati (PDF; 2.5 MB)


Satyam IT Scandal

If the global economic downturn wasn’t bad enough, incidents such as the Bernard Madoff issue, and now the Satyam scandal, can’t have helped matters much in providing confidence to the already skeptical investor. India’s fourth-largest IT company admitted to “irregularities” in its books, thanks to the imaginative accounting practices of its Chairman Ramalinga Raju.

The company, which ironically received the Global Peacock Award for Excellence in Corporate Governance, first raised investors’ concerns with the apparent bid to acquire Maytas Infra, a construction company owned by Raju’s son. Once word of the proposed acquisition got out, shareholders rebelled, forcing the deal to fall through. The attempted unilateral acquisition, though, opened up a whole host of issues at Satyam with regard to systemic corporate mismanagement, which culminated in Ramalinga’s shameful admission on Wednesday.

Some people have put the whole episode down to poor corporate governance. Unfortunately, the issue is much deeper. Like everything else in India, the larger issue is archaic laws; the dilapidated securities and internal control legislation of the country is not congruent with the current business environment of India. The issue is compounded further when you consider countries like the United States, where despite the attempts to heavily regulate internal control, dramatic failures such as the Madoff scandal, or even the sub-prime mortgage scandal come to light.

In the United States, the Sarbanes-Oxley Act (“SOX”) was passed in response to the Enron and WorldCom drama of 2001. The Act’s Section 404 requires both management and an independent external auditor to assess the adequacy of the company’s internal controls over financial reporting (ICFR). In addition, a public accounting oversight body, the Public Company Accounting Oversight Board (PCAOB), was constituted. However, as of 2009, SOX has effectively run its course in terms of its usefulness.

Companies have had a few good years to understand the scope and approach of SOX audits and have taken comfort in the fact that the demands of the Act, despite the design, merely result in scratching the surface of ICFR. All SOX audits assume a fundamentally flawed bottom-up approach to ICFR. For example, more hours are spent reviewing mundane transactional detail than investing in a robust review of the “bigger picture” and asking why company executives are doing the things that they are doing.

Most “white collar” crime is committed by corporate executives, and not, for example, by staff accountants or system administrators. Corporate fraud investigations by the United States Department of Justice (DoJ) have led to the indictment of 214 CEOs and Presidents, 53 CFOs, 23 Corporate Counsels and Attorneys and 129 VPs, in 1,236 cases registered since 2002. Fraud can occur with the marriage of (a) Opportunity, (b) Motive, and (c) Means. Usually, these three elements fall either directly or indirectly within the purview of corporate executives. Corporate executives didn’t get where they got by boiling potatoes; they’re sharp, know their businesses inside out, and are driven to excel. The intrinsic flaw in public auditing is the relationship between the auditor’s independence in assuring the accuracy of their client’s books, and the dependence on the client for revenue. An imbalance in this relationship creates scenarios such as Arthur Andersen’s willful connivance in cooking up Enron’s books in 2001.

So where does India proceed from here? Clearly, investor confidence will be down, both at home and abroad (Satyam trades on the New York Stock Exchange). Lack of investor confidence may very well translate into reluctance to invest in India’s growth, negatively impacting Foreign Direct Investment (FDI) and an already slowing economy. Despite the drawbacks of legislation like SOX (as described above), regulation of internal control must be standardized in India. If the 2008 financial crisis has proved one thing conclusively, it is that companies and people operating in a capitalist and/or entrepreneurship-friendly environment will look out for their own interests; the capitalist system, by design, is anti-self-regulation. India needs to look into the following areas:

  • Developing robust legislation to regulate publicly traded companies in India, including the regulation of internal control, corporate governance, independence and financial disclosure requirements;
  • The creation of a federal body, separate from, but reporting to the Securities and Exchange Board of India (SEBI), that will enforce the legislation described above;
  • Auditor independence (I find it hard to believe that PricewaterhouseCoopers genuinely had no idea that Satyam was cooking its books); public auditors should not be allowed to provide consulting or advisory services to companies on whose books they issue opinions;
  • The constitution of an independent Audit Committee to review the company’s state of affairs; the requirement of having an independent Internal Audit department that reports only and directly to the Audit Committee;
  • A national whistle-blower program to report instances of possible corporate fraud to the newly constituted federal body;
  • A requirement of full disclosure of any business interests held by executives, their spouses, and immediate family;
  • A comprehensive review of the company’s corporate governance as part of audits and investigations, assessing the reasonableness of significant corporate decisions (asking the question “why” instead of regular checklist auditing);
  • Stringent penalties for committing corporate fraud (e.g., holding executives personally liable), and a body to investigate and adjudicate over fraud cases.

At the end of the day, the Satyam saga is a tragic multi-point failure of a government that doesn’t sufficiently regulate publicly traded companies, of an Executive Board that didn’t probe suspicious transactions (why does an IT firm need to acquire a construction company?), of lower level management and staff who wouldn’t notify authorities of irregular accounting practices, and of auditors who chose to turn a blind eye to obvious accounting irregularities.

Adopting the recommendations above will not completely solve India’s problems (indeed the pressure to report significant revenue increases in a rapidly developing economy such as India’s will remain and will bear fruit in the form of more ingenious accounting practices), but should be looked at as a good starting point. The central government, in trying to ensure investor confidence and tackle other cases of corporate fraud, must show that it is serious about providing a clean and transparent business environment and that it still upholds that timeless credo of the Nation, Satyam eva jayate: Truth alone Triumphs.
