Battleground Cyberspace: My article in Pragati

In this month’s Pragati, I lay out the state of India’s defense preparedness in the theater of cyberspace and argue for a sustained commitment to the proactive defense of the nation’s information assets, as well as for the augmentation of India’s capabilities in conducting offensive IO operations. Both of these can only be effective when operating under a legislative framework that is attuned to global trends in the proliferation and use of information technology in the conduct of both conventional and unconventional warfare in this Information Age.

DECEMBER 24, 2008.  Barely a month after the 26/11 attacks, a group calling itself “Whackerz Pakistan” hacks into the Indian Eastern Railways website, defacing it with a series of threats against Indian financial institutions and Indian citizens.  Earlier that year, hackers from China attacked the Ministry of External Affairs (MEA) website. Despite official denials, at least one website reported that the hackers stole login identities and passwords of several Indian diplomats.

The proliferation of information technology in India, coupled with low levels of security awareness (at personal, corporate and government levels), means that this vulnerability to attacks from hostile national and sub-national entities will only increase. The rapid adaptation of new technologies in today’s world presents challenges that India, and other nations, will be forced to address. Due to the nature of cyber warfare and cyber terrorism, no nation can truly be invulnerable to attacks. Indeed, cyber attacks will continue to be weapons of choice for many, given issues of jurisdiction in bringing offenders to book, the relative anonymity of operating over the Internet, and the negligible cost associated with mounting a cyber attack (and indeed, each incremental cyber attack) against a specific adversary.

Read more about it on Pragati (PDF; 2.5 MB)

Satyam IT Scandal

If the global economic downturn wasn’t bad enough, incidents such as the Bernard Madoff issue, and now the Satyam scandal can’t have helped matters much in providing confidence to the already skeptical investor. India’s fourth-largest IT company admitted to “irregularities” in its books, thanks to the imaginative accounting practices of its Chairman Ramalinga Raju.

The company, which ironically received the Global Peacock Award for Excellence in Corporate Governance, first raised investors’ concerns with the apparent bid to acquire Maytas Infra, a construction company owned by Raju’s son. Once word of the proposed acquisition got out, shareholders rebelled, forcing the deal to fall through. The attempted unilateral acquisition, though, opened up a whole host of issues at Satyam with regard to systemic corporate mismanagement, which culminated in Ramalinga’s shameful admission on Wednesday.

Some people have put the whole episode down to poor corporate governance. Unfortunately, the issue is much deeper. Like everything else in India, the larger issue is archaic laws; the dilapidated securities and internal control legislation of the country is not congruent with the current business environment of India. The issue is compounded further when you consider countries like the United States, where despite the attempts to heavily regulate internal control, dramatic failures such as the Madoff scandal, or even the sub-prime mortgage scandal come to light.

In the United States, the Sarbanes-Oxley Act (“SOX”) was passed in response to the Enron and WorldCom drama of 2001. The Act’s Section 404 requires both management and an independent external auditor to assess the adequacy of the company’s internal controls over financial reporting (ICFR). In addition, a public accounting oversight body, the Public Company Accounting Oversight Board (PCAOB), was constituted. However, as of 2009, SOX has effectively run its course in terms of its usefulness.

Companies have had a few good years to understand the scope and approach of SOX audits and have taken comfort in the fact that the demands of the Act, despite the design, merely result in scratching the surface of ICFR. All SOX audits assume a fundamentally flawed bottom-up approach to ICFR. For example, more hours are spent reviewing mundane transactional detail than investing in a robust review of the “bigger picture” and asking why company executives are doing the things that they are doing.

Most “white collar” crime is committed by corporate executives, and not, for example, by staff accountants or system administrators. In corporate fraud cases uncovered by the United States Department of Justice (DoJ), 214 CEOs and Presidents, 53 CFOs, 23 Corporate Counsels and Attorneys and 129 VPs were indicted, in 1,236 cases registered since 2002. Fraud can occur with the marriage of (a) Opportunity, (b) Motive, and (c) Means. Usually, these three elements fall either directly or indirectly within the purview of corporate executives. Corporate executives didn’t get where they got by boiling potatoes; they’re sharp, know their businesses inside out, and are driven to excel. The intrinsic flaw in public auditing is the relationship between the auditor’s independence in assuring the accuracy of their client’s books, and the dependence on the client for revenue. An imbalance in this relationship creates scenarios such as Arthur Andersen’s willful connivance in cooking up Enron’s books in 2001.

So where does India proceed from here? Clearly, investor confidence will be down, both at home and abroad (Satyam trades on the New York Stock Exchange). Lack of investor confidence may very well translate into reluctance to invest in India’s growth, negatively impacting Foreign Direct Investment (FDI) and an already slowing economy. Despite the drawbacks of legislation like SOX (as described above), regulation of internal control must be standardized in India. If the 2008 financial crisis has proved one thing conclusively, it is that companies and people operating in a capitalist and/or entrepreneurship-friendly environment will look out for their own interests; the capitalist system, by design, is anti-self-regulation. India needs to look into the following areas:

  • Developing robust legislation to regulate publicly traded companies in India, including the regulation of internal control, corporate governance, independence and financial disclosure requirements;
  • The creation of a federal body, separate from, but reporting to the Securities and Exchange Board of India (SEBI), that will enforce the legislation described above;
  • Auditor independence (I find it hard to believe that PricewaterhouseCoopers genuinely had no idea that Satyam was cooking its books); public auditors should not be allowed to provide consulting or advisory services to companies on whose books they issue opinions;
  • The constitution of an independent Audit Committee to review the company’s state of affairs; the requirement of having an independent Internal Audit department that reports only and directly to the Audit Committee;
  • A national whistle-blower program to report instances of possible corporate fraud to the newly constituted federal body;
  • A requirement of full disclosure of any business interests held by executives, their spouses, and immediate family;
  • A comprehensive review of the company’s corporate governance as part of audits and investigations, assessing the reasonableness of significant corporate decisions (asking the question “why” instead of regular checklist auditing);
  • Stringent penalties for committing corporate fraud (e.g., holding executives personally liable), and a body to investigate and adjudicate over fraud cases.

At the end of the day, the Satyam saga is a tragic multi-point failure of a government that doesn’t sufficiently regulate publicly traded companies, of an Executive Board that didn’t probe suspicious transactions (why does an IT firm need to acquire a construction company?), of lower level management and staff who wouldn’t notify authorities of irregular accounting practices, and of auditors who chose to turn a blind eye to obvious accounting irregularities.

Adopting the recommendations above will not completely solve India’s problems (indeed the pressure to report significant revenue increases in a rapidly developing economy such as India’s will remain and will bear fruit in more ingenious accounting practices), but should be looked at as a good starting point. The central government, in trying to ensure investor confidence and tackle other cases of corporate fraud, must show that it is serious about providing a clean and transparent business environment and that it still upholds that timeless credo of the Nation: Satyam eva jayate (Truth alone Triumphs).

