Risk Factor

UBS “Rogue” Trader: One Trade Away from Banking Armageddon?

The trial of the Swiss bank UBS “rogue” trader Kweku Adoboli began in London last Friday with the prosecution claiming his trading “could quite easily have approached and even exceeded the limits of the bank's resources,” the Wall Street Journal reported. The prosecution said that at one point, Adoboli’s trading could have racked up nearly US $12 billion in losses; as it was, his trading ended up costing the bank over $2.3 billion in direct losses and another $4 billion or so in share price. It also led to the resignation of then UBS chief executive Oswald Gruebel.

The prosecution introduced an email allegedly sent from Adoboli to an accountant working in the back office for UBS when the massive losses were discovered in which he takes personal responsibility for the disastrous trades that violated bank procedures, the London Telegraph reports. However, another Telegraph story also reports that Adoboli – who pleaded not guilty to charges of fraud and falsifying records to cover up his trades – “will claim he was not acting dishonestly and that colleagues on his desk knew what he had been doing.”

Convicted former trader Jérôme Kerviel of the French bank Société Générale tried to run that defense too, without much success. In addition, there was no memo from Kerviel in which he essentially admits he fabricated deals, lied to colleagues, and broke the bank's rules, as there is in Adoboli's case.

That said, Adoboli's lawyer does have emails between Adoboli and his line manager that may cast some doubt on the claim that no one knew what Adoboli was up to. According to Reuters yesterday, when Adoboli exceeded his trading limits but also made a large sum of money for UBS, his line manager "scolded Adoboli for exceeding the desk's trading limit and told him that in future he should let [his line manager] know first." The lawyer also says there are emails from at least one of Adoboli's colleagues who knew that Adoboli was hiding trades.

It has been often noted that the definition of a “rogue” trader is one who loses the bank’s money when flouting its risk controls; when the same trader makes the bank money doing the identical thing, they are considered royalty.

As Reuters noted, “The question of how much UBS managers knew about Adoboli's trades and whether or not they condoned his breaking of internal rules in the pursuit of profit will be central to the case.”

According to prosecutors, Adoboli learned how to bypass the bank's risk management controls when he worked in the UBS back office processing trades, the WSJ reported. He took this knowledge and began applying it in 2008, after he had reached "the more lucrative and prestigious trading floor," the Journal goes on to say. Prosecutors allege that it all began with a legitimate trade that lost some $400 000, after which Adoboli booked a false trade to hide the loss.

Interestingly, it was also in 2008 that Kerviel’s $6.1 billion trading loss was exposed, and banks everywhere, including UBS, claimed that they were improving their trading desks’ risk controls. This timing, the Journal noted, might “shed an uncomfortable light on how a relatively junior trader could have caused the largest unauthorized trading loss in U.K. history, despite the giant bank's sophisticated risk controls.” I think there are a lot of enterprise risk management folks interested in hearing about how that happened as well.

Prosecutors hinted that one reason for Adoboli's ever-growing "gambler's mind-set," as they put it, was that he was massively in debt, despite earning over $500 000 in salary and bonuses in 2010. Apparently, he used large amounts of his earnings for personal trades that also went under in 2011.

Adoboli faces a total of 34 years in jail if convicted on all counts. The trial is expected to last for about eight weeks.

NYSE Pays a Paltry $5 million Fine for Giving Private Customers a Trading Head Start

On Friday, the U.S. Securities and Exchange Commission (SEC) announced that it had administratively fined the New York Stock Exchange (NYSE) $5 million (pdf) for allowing its private customers access to stock market information ahead of when it was available to the general public. This occurred from June 2008 to about mid-May 2010. The fine amounts to about a morning’s worth of revenue for the exchange.

The SEC stated in its settlement accord that the NYSE had violated SEC Rule 603(a) related to the regulation of national market systems (pdf), which “requires that exchanges distribute market data on terms that are ‘fair and reasonable’ and ‘not unreasonably discriminatory.’ This rule prohibits an exchange from releasing data relating to quotes and trades to its customers through proprietary feeds before it sends its quotes and trade reports for inclusion in the consolidated feeds.”

However, during the period in question, the NYSE allowed customers of its proprietary feeds to receive information from milliseconds to sometimes several seconds ahead of the general public. An article in the LA Times quoted a trader as saying that allowing this to happen was akin to letting those NYSE customers see "who won a horse race and being able to bet before everyone else."

Why did this happen? The SEC said that the NYSE’s internal system’s architecture (pdf) was designed in such a way that allowed its proprietary customers a faster path to the real-time market data than the public. Making matters worse, the SEC said, was a “software issue” in the early to mid-2010 period that slowed down information getting to the public when trading volume was very high.

The SEC also stated that the NYSE did not "systematically monitor its data feeds to ensure they complied with Rule 603(a)," even though the exchange was aware as early as 2009 that there could be a 603(a) violation. It wasn't until early 2010 that the exchange decided it had better fix its compliance issues, which were finally resolved in 2011.
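For readers wondering what "systematically monitor its data feeds" would look like in practice, here is an added example, not the exchange's code: it pairs each message's send time on a proprietary feed with its send time on the consolidated feed and flags every message the proprietary customers were sent first. The log format, the feed labels PROP and CONS, and the sample lines are constructed for this example; a real monitor would read the exchange's own publication timestamps.

```python
"""Added example: a Rule 603(a)-style feed-lag monitor over constructed log
lines. Nothing here is the NYSE's code or its real feed format."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple

# Constructed log lines: send time, feed (PROP = proprietary, CONS = copy sent
# for the consolidated feed), exchange message sequence number, symbol, price.
SAMPLE_LOG = """\
09:30:00.101 PROP seq=1001 sym=XYZ px=42.10
09:30:00.103 CONS seq=1001 sym=XYZ px=42.10
09:30:00.250 CONS seq=1002 sym=XYZ px=42.11
09:30:00.250 PROP seq=1002 sym=XYZ px=42.11
09:31:15.000 PROP seq=1003 sym=ABC px=17.05
09:31:19.500 CONS seq=1003 sym=ABC px=17.05
09:31:20.000 PROP seq=1004 sym=ABC px=17.06
"""


@dataclass
class Record:
    sent: datetime
    feed: str
    seq: int
    symbol: str


def parse_line(line: str) -> Record:
    ts, feed, seq, sym, _px = line.split()
    return Record(
        datetime.strptime(ts, "%H:%M:%S.%f"),
        feed,
        int(seq.split("=", 1)[1]),
        sym.split("=", 1)[1],
    )


def audit_feed_lag(lines: Iterable[str], tolerance_ms: float = 0.0) -> dict:
    """Lead of the proprietary copy over the consolidated copy, per message.

    A positive lead means proprietary customers were sent the message before
    the consolidated feed was; anything above `tolerance_ms` is a violation.
    A message that reached only one feed is reported separately, since that
    is a finding in its own right rather than a timing question."""
    by_seq: Dict[int, Dict[str, Record]] = {}
    for line in lines:
        if not line.strip():
            continue
        r = parse_line(line)
        by_seq.setdefault(r.seq, {})[r.feed] = r

    leads: Dict[int, float] = {}
    unmatched: List[int] = []
    for seq, copies in sorted(by_seq.items()):
        if "PROP" in copies and "CONS" in copies:
            delta = copies["CONS"].sent - copies["PROP"].sent
            leads[seq] = delta / timedelta(milliseconds=1)  # exact float ms
        else:
            unmatched.append(seq)

    violations: List[Tuple[int, float]] = [
        (seq, ms) for seq, ms in leads.items() if ms > tolerance_ms
    ]
    return {
        "matched": len(leads),
        "leads_ms": leads,
        "violations": violations,
        "max_lead_ms": max(leads.values(), default=0.0),
        "unmatched": unmatched,
    }


if __name__ == "__main__":
    report = audit_feed_lag(SAMPLE_LOG.splitlines())
    for seq, ms in report["violations"]:
        print(f"seq {seq}: proprietary feed led by {ms:.1f} ms")
    print("only on one feed:", report["unmatched"])
```

On the constructed sample, messages 1001 and 1003 are violations (a 2 ms lead and a 4.5 s lead, the latter being the sort of high-volume stall the SEC described), 1002 went out simultaneously, and 1004 never reached the consolidated copy at all. The tolerance parameter is there for clock jitter between the two logging points, not as a permitted head start.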

The NYSE, which didn't admit or deny the SEC's allegations, put the blame on the popular corporate excuse of late: “technology issues." In a statement, NYSE CEO Duncan Niederauer said that, “NYSE Euronext is committed to the highest standards of integrity and accountability.  The timing differentials stemmed from technology issues, not from intentional wrongdoing by the exchange or any of its personnel.”

Maybe not intentional wrongdoing, but it looks suspiciously like callous indifference to the public investor at the very least.

The NYSE statement also notes that the SEC hasn’t claimed that the “NYSE data delays caused any investor harm,” but that’s most likely because it is impossible to figure out what the exact harm was and to whom, rather than an indication of no harm being felt by some public investors using the NYSE information.

A former SEC litigator is quoted in the Wall Street Journal saying that although the fine wasn’t large, it was “meant to send a message” to all the exchanges that they need to be fair and non-discriminatory in their business practices.

If that was the intent, it’s likely to have the same effect as telling a teenager to clean up his or her room.

This Week In Cybercrime: Some New Computers Have Malware Already Installed

—We’ve been warned for years: Our online behavior puts us at risk for having our accounts emptied, our data misused, and our identities stolen. But as an Albany, N.Y. Times Union article reports, court documents unsealed on 13 September in a U.S. federal court show that some computer users have absolutely no hope of avoiding becoming the victims of hackers. The evidence, presented in a computer fraud case filed by Microsoft against Chinese Web domain 3322.org, revealed that brand new computers, right out of the box, are sometimes infected with malware. The instant the machines are turned on for the first time, the software directs the computer to attack websites and steal money and information.

How could this happen? According to the Times Union, an investigation by a team of Microsoft researchers in China revealed that in the interests of greater profitability, "less reputable computer manufacturers and retailers may use counterfeit copies of popular software products"—particularly the operating system—"to build machines more cheaply." The bogus software contains the malware within itself. Maintaining a tight rein on the supply chain, says the article, "is nearly impossible, especially in less regulated markets such as China, and that leaves openings for cybercriminals" who embed the malicious code into counterfeit versions of Microsoft's Windows. Cybercriminals "are out to get you," Richard Domingues Boscovich, assistant general counsel for Microsoft's Digital Crimes Unit, told PC World. "They will do whatever it takes. If the supply chain is how they're going to get on [computers], that's what they're going to do."

—On 12 September, a group of Cambridge University researchers presented a paper at a cryptography conference in Belgium in which they report a serious vulnerability arising from the way cash machines authenticate transactions before dispensing money. Surprisingly, the flaw concerns the supposedly more secure cards that contain microchips, as opposed to old-fashioned ones that use magnetic stripes.

Europay, MasterCard, and Visa, the firms behind the eponymous EMV chip-and-PIN standard developed to put a stop to fraudulent transactions, put so much trust in its efficacy that when a chip-and-PIN card is used to conduct a transaction, the cardholder is on the hook for the charges unless they can prove beyond a doubt that they did not present the card and did not authorize the purchase. There have been an increasing number of incidents in which victims of card fraud had their requests for refunds refused by the issuing banks on the grounds that there is no way to explain the card having been authenticated without the cardholder's involvement.

The weak link that can let a hacker clone a chip-and-PIN credit or bank card is that, as the Cambridge researchers showed, the EMV scheme has in too many cases not been carried out as intended. Each transaction is supposed to be bound to a fresh nonce, the "unpredictable number," which the point-of-sale terminal or cash machine generates and the card signs into its transaction cryptogram; a cryptogram recorded today should therefore be useless tomorrow. The EMV specifications, however, leave the quality of that number to the terminal, and in practice, where saving money often trumps security, it was generated badly. The researchers discovered to their horror that in half the machines they looked at, the supposedly random numbers came from counters or timestamps and were therefore not random at all. That makes life all too easy for a hacker. "If you can predict [the number], you can record everything you need from momentary access to a chip card and play it back and impersonate the card at a future date and location," said Mike Bond, one of the Cambridge researchers, in a blog post. "You can as good as clone the chip."
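To make the Cambridge finding concrete, here is an added example, written for this page and not the researchers' code or any vendor's, that simulates the pre-play attack. HMAC-SHA256 stands in for the card's real 3DES-based application cryptogram, the transaction fields are reduced to amount, date, transaction counter and unpredictable number, and the counter-based terminal, the attacker's prediction step and the key value are all constructed for illustration.

```python
"""Added example: EMV pre-play attack simulation. HMAC-SHA256 stands in for the
3DES application cryptogram; fields, keys and terminals are constructed."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def cryptogram(key: bytes, amount: int, date: str, atc: int, un: bytes) -> bytes:
    # Stand-in for the ARQC: a MAC binding amount, date, the card's application
    # transaction counter (ATC) and the terminal's unpredictable number (UN).
    msg = b"|".join([amount.to_bytes(6, "big"), date.encode(),
                     atc.to_bytes(2, "big"), un])
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


@dataclass
class Card:
    key: bytes
    atc: int = 0

    def generate_ac(self, amount: int, date: str, un: bytes):
        # The chip signs whatever UN it is handed; it cannot tell a genuine
        # terminal from a skimmer harvesting cryptograms for later.
        self.atc += 1
        return self.atc, cryptogram(self.key, amount, date, self.atc, un)


@dataclass
class Issuer:
    key: bytes
    seen_atc: set = field(default_factory=set)

    def authorise(self, amount: int, date: str, un: bytes, atc: int, ac: bytes) -> bool:
        if atc in self.seen_atc:          # plain replay of a used transaction
            return False
        if not hmac.compare_digest(cryptogram(self.key, amount, date, atc, un), ac):
            return False
        self.seen_atc.add(atc)
        return True


class CounterTerminal:
    """The flaw the researchers found: the 'unpredictable' number is a counter."""
    def __init__(self, start: int = 0x1000) -> None:
        self.counter = start

    def unpredictable_number(self) -> bytes:
        self.counter += 1
        return self.counter.to_bytes(4, "big")


class RandomTerminal:
    """What the protocol assumes: a fresh random nonce per transaction."""
    def unpredictable_number(self) -> bytes:
        return os.urandom(4)


KEY = b"card master key (constructed)"


def pre_play_attack(terminal, amount: int = 10_000, date: str = "120914") -> bool:
    """True if the attacker's pre-recorded cryptogram gets authorised."""
    victim, issuer = Card(KEY), Issuer(KEY)
    # 1. Observe one UN from the target terminal (e.g. by paying with one's
    #    own card) and bet that the next one is last + 1.
    observed = terminal.unpredictable_number()
    predicted = ((int.from_bytes(observed, "big") + 1) & 0xFFFFFFFF).to_bytes(4, "big")
    # 2. Momentary access to the victim's chip: harvest a cryptogram for the
    #    planned amount, date and predicted UN.
    atc, recorded_ac = victim.generate_ac(amount, date, predicted)
    # 3. Later, at the terminal, a cloned card answers with the recording
    #    no matter what UN the terminal actually sends it.
    actual_un = terminal.unpredictable_number()
    return issuer.authorise(amount, date, actual_un, atc, recorded_ac)


def legitimate_transaction(terminal, amount: int = 10_000, date: str = "120914") -> bool:
    card, issuer = Card(KEY), Issuer(KEY)
    un = terminal.unpredictable_number()
    atc, ac = card.generate_ac(amount, date, un)
    return issuer.authorise(amount, date, un, atc, ac)


if __name__ == "__main__":
    print("counter terminal, pre-play:", pre_play_attack(CounterTerminal()))      # True
    print("random terminal,  pre-play:", pre_play_attack(RandomTerminal()))       # False
    print("random terminal,  genuine :", legitimate_transaction(RandomTerminal()))  # True
```

Note what the issuer's ATC check does and does not buy: it stops a straight replay of a transaction that has already happened, but the harvested cryptogram carries an ATC the cardholder has not used yet, so it sails through. Only an unpredictable UN breaks the attack, which is why the quality of the terminal's nonce is the whole story.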

—According to a Business Standard article published on 12 September, security firm Norton has released a report saying that over the past year, more than half of adults in India who have Internet access have been the victims of cybercrime. The report, based on computer user surveys, notes that cybercriminals have adjusted their tactics to now focus on such increasingly popular computing avenues as mobile devices and social networks. All told, the losses suffered by the 42 million Indians who were affected by cybercrimes in the last 12 months were US $8 billion.

“Knuckleheads” in IT Responsible for Errant Trading, Knight Capital CEO Claims

Market maker Knight Capital Group announced this week that it is taking steps to improve its operational risk management after an electronic trading glitch in August cost it $440 million in about 45 minutes. It initially blamed "old dormant software." The losses forced the firm to sell a stake of more than 70 percent, in the form of preferred stock, for $400 million in order to stay in business.

The Wall Street Journal reported that Knight’s CEO Thomas Joyce will be appointing a chief risk officer to oversee both market credit and operational risk issues. In addition, Joyce said that the firm hired IBM in late August to investigate its software development practices and processes and report its findings to the board later this autumn.

The WSJ article was more cloudy than clear when it came to the cause of the glitch. Joyce was reported as saying that the trading glitch was caused by an "undetected bug" in old software that allowed other software to generate trading orders unrestricted by volume caps. The bug was apparently triggered when Knight's new electronic trading software was installed improperly.

To say the least, this explanation is a bit bizarre. A latent bug in what once was operational software was triggered by a poor installation of new operational software? IBM will earn its money if its report explains how that happened.

Joyce, saying he was “deeply embarrassed” by the episode, then blamed it all on the company’s IT group. According to the Journal, Joyce said, “People do stupid things… A small team of people made a grievous mistake.” Joyce later went on to call them “knuckleheads.”

Maybe before top management blames internal IT "knuckleheads," they should be looking inward. I wonder how much pressure Joyce—who has been an "unapologetic advocate" of automated trading—and his management team placed on the company's IT group to hurry up and get that new trading software installed. I also wonder how open Joyce would have been to his IT group telling him that they needed more testing time. I suspect not much.

The SEC has tried to keep rogue algorithms from creating havoc by mandating "circuit breakers" to halt sudden and inexplicable spikes in a stock's price, but as this case showed, that isn't sufficient. In an attempt to forestall more regulatory oversight, the stock exchanges and the market makers are now looking at the possibility of installing "speed bumps" that "would stop all orders from one market maker at an exchange if the situation called for it, and also possibly across multiple exchanges," a Money News article yesterday reported. In addition, they are discussing the creation of a "kill switch" to "shut down order flow" when a trading algorithm begins to go rogue.

Joyce is not enamored with market kill switches, however, since they might shut down all of a firm's trading when only one trading area is affected, he says. I find this an interesting position to take, as there was no effective kill switch in the company's own software to turn off the errant trading that almost sank his firm. If there had been a market kill switch, he might still have been "deeply embarrassed," but the firm may also have lost a lot less money.
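As an added example of the kind of guard the Knight episode argues for, here is a pre-trade gateway with a per-desk notional cap over a sliding window that trips a desk-level halt on the first breach, plus a firm-wide kill switch for the case Joyce worries about. None of it is Knight's software; the cap, window, desk names and the runaway-order loop are assumptions constructed for illustration.

```python
"""Added example: per-desk notional circuit breaker plus kill switch. All
numbers, desk names and the runaway loop are constructed for illustration."""
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Order:
    desk: str
    symbol: str
    qty: int
    price: float

    @property
    def notional(self) -> float:
        return self.qty * self.price


class OrderGuard:
    """Sits between order generators and the market. Every order passes
    through submit(); nothing else may reach the exchange."""

    def __init__(self, max_notional: float, window_s: float) -> None:
        self.max_notional = max_notional
        self.window_s = window_s
        self._recent: Dict[str, Deque[Tuple[float, float]]] = {}
        self._halted_desks: Set[str] = set()
        self._firm_halted = False

    def kill(self, desk: Optional[str] = None) -> None:
        """Kill switch: halt one desk, or the whole firm when desk is None."""
        if desk is None:
            self._firm_halted = True
        else:
            self._halted_desks.add(desk)

    def reset(self, desk: str) -> None:
        # Resuming a tripped desk is a deliberate human action, never automatic.
        self._halted_desks.discard(desk)
        self._recent.pop(desk, None)

    def submit(self, order: Order, now: float) -> Tuple[bool, str]:
        if self._firm_halted:
            return False, "firm kill switch engaged"
        if order.desk in self._halted_desks:
            return False, "desk halted"
        q = self._recent.setdefault(order.desk, deque())
        while q and now - q[0][0] > self.window_s:   # forget orders outside the window
            q.popleft()
        in_window = sum(n for _, n in q)
        if in_window + order.notional > self.max_notional:
            # Trip the breaker on the first breach instead of rejecting one
            # order and letting the loop keep hammering.
            self._halted_desks.add(order.desk)
            return False, "notional cap breached; desk halted"
        q.append((now, order.notional))
        return True, "accepted"


def simulate_runaway(guard: OrderGuard, desk: str, n_orders: int, seconds: float) -> Dict[str, int]:
    """An errant loop firing n_orders of 100 shares at $50, spread over `seconds`."""
    accepted = rejected = 0
    for i in range(n_orders):
        ok, _reason = guard.submit(Order(desk, "XYZ", 100, 50.0), now=i * seconds / n_orders)
        if ok:
            accepted += 1
        else:
            rejected += 1
    return {"accepted": accepted, "rejected": rejected}


if __name__ == "__main__":
    guard = OrderGuard(max_notional=1_000_000, window_s=60)
    print(simulate_runaway(guard, "desk-A", 1000, 45.0))          # 200 accepted, 800 rejected
    print(guard.submit(Order("desk-B", "XYZ", 10, 50.0), now=50.0))  # other desks keep trading
    guard.kill()
    print(guard.submit(Order("desk-B", "XYZ", 10, 50.0), now=51.0))  # firm-wide halt
```

With a $1 million cap per 60 seconds, the runaway loop gets 200 orders of $5 000 through and is then cut off, and desk B carries on trading, which is the scoped behaviour Joyce says a market-wide kill switch lacks. The firm-wide switch is still there for the operator who wants it.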

Joyce went on to say that he expects the debacle to eventually make the company smarter and stronger. Given that Knight Capital’s stock closed yesterday at $2.62, the lowest it has been since the bailout (and down from $10.33 before the glitch), investors seem to think it won't be soon.

OnStar Software Problem Forces GM to Temporarily Stop Selling Some 2013 Models

General Motors confirmed over the weekend that it would temporarily halt U.S. sales of eight of its 2013 model year cars, including the Buick Verano sedan, Cadillac XTS and ATS sports sedans, Chevrolet Cruze, Equinox, and GMC Terrain crossovers, and the Volt hybrid, because it discovered a software issue in its popular OnStar in-vehicle security, communications, and diagnostics system. According to Reuters, when an OnStar-equipped vehicle is involved in a collision in which the airbags do not deploy, the OnStar system fails to send the requisite alert to an OnStar operator, which should trigger a call to the vehicle to check whether the driver and passengers are okay or need assistance. OnStar does work as designed when a collision deploys the airbags, Reuters says.

Approximately 60 000 vehicles, most of which are already in dealer lots, are affected. Each car will require about 30 minutes of the dealer’s time to get the software fixed; GM expects the issue to be fully taken care of in about a week.  Because problems with automotive electronics are becoming the biggest complaint of new car buyers, it isn’t surprising that GM would halt the sales of its new model cars for a week or so. Five years ago, I doubt GM would have taken such an action.

GM also announced last week that it “is hiring software developers, project managers, database experts, business analysts and other information technology professionals to staff the first of several new IT Innovation Centers in the United States. The centers are intended to drive breakthrough ideas into GM vehicles and business processes globally.” The hiring, which may reach 10 000 according to a story in ComputerWorld, is part of a GM plan to “rebalance [its] employment model over the next three years so that the majority of [its] IT work is done by GM employees focused on extending new capabilities that further enable [the] business,” the company said.

In other words, GM, which currently outsources 90 percent of its IT work, is starting the process to bring that work back inside its corporate structure. The automaker began outsourcing its IT operations to EDS (and others) beginning in the late 1980s. GM originally bought EDS for US $2.55 billion in 1984; HP then acquired it from GM in 2008 for $13.8 billion.  Early this year, HP wrote off $8 billion against its EDS acquisition, acknowledging that it was pretty much the failure it was predicted to end up being.

The first GM innovation center will be located in Austin, Texas, where the company is looking to immediately hire 500 IT folks. Why Austin? GM says that is where the skills it requires reside. It is reported that GM is talking with several other cities about opening innovation centers, but won't reveal which cities these are.

This Week In Cybercrime: Big Brother Gets Hacked?

—On 4 September, the New York Times reported that members of a hacking group known as AntiSec posted information online that it says is evidence that the government regularly uses cellular handsets as tracking devices. The file AntiSec uploaded contains a million unique device identifiers (UDIDs) for Apple iPhone, iPad, and iPod Touch devices, plus phone numbers and other personal data on the owners of these devices. AntiSec, a joining of forces between the hacker collectives known as Anonymous and LulzSec, says it obtained the information—which it claims is but a small sample of the 12 million UDIDs it has in its possession—by hacking into the computer of an FBI agent who is a member of the bureau’s Cyber Action Team.

The FBI quickly responded with a statement saying that “At this time there is no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data”—which is an extremely artful way of avoiding making an admission or denial. Apple immediately chimed in with a denial that it has been helping the government spy on its customers. Security experts said that the released information wouldn’t necessarily put the Apple customers at risk. But according to the Times article, a security researcher from New Zealand showed last year that the 40-character UDIDs, in combination with other data, could be used to discover the device owners’ user names, e-mail, addresses, and Facebook profiles, and to track their locations. Still, despite the FBI’s and Apple’s protestations that they haven’t the foggiest notion of how this could have happened, the data has been shown to be legitimate. 

—Feeling confident that your laptop secured by a fingerprint reader will discourage thieves from taking your machine—or at least keep them from gaining access to sensitive data? Ars Technica reported on 4 September that Elcomsoft, a Russian developer of password-cracking software, has pinpointed a weakness in fingerprint-reading software used by Dell, Sony, IBM/Lenovo, and 13 other computer makers. It turns out that the software in question, UPEK Protector Suite, makes computers less secure than if they didn't require a finger swipe. When the software is activated, it automatically writes Windows account passwords to the Windows registry and encrypts them with a relatively weak key. According to an advisory issued by Elcomsoft, a hacker with physical access to a laptop running the UPEK software could acquire the passwords to all user accounts on the machine in a matter of minutes. By contrast, a machine not running the fingerprint-reading software leaves hackers with access only to one-way password hashes; if they're based on a strong password, brute-force cracking could take years.
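The distinction Elcomsoft is drawing is worth seeing in code. The following added example is not UPEK's scheme (the page gives no details of it) and is not Elcomsoft's code; it contrasts a store that anyone holding the key shipped inside the software can reverse with a salted, iterated one-way hash that yields only to guessing. The embedded key, the toy keystream cipher and the sample password are constructed for the example.

```python
"""Added example: reversible password store with a software-embedded key,
beside a salted one-way hash. The cipher, key and password are constructed."""
import hashlib
import hmac
import os
from typing import Iterable, Optional

# The weakness: the decryption key is a constant that ships with the software,
# so anyone with a copy of the software (or the blob and a disassembler) has it.
EMBEDDED_KEY = b"constant shipped in the binary (constructed)"


def _keystream(key: bytes, n: int) -> bytes:
    # HMAC-in-counter-mode keystream: a toy cipher for the example, chosen only
    # so the block needs no third-party library.
    out = b""
    ctr = 0
    while len(out) < n:
        out += hmac.new(key, ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def reversible_store(password: str) -> bytes:
    data = password.encode()
    return bytes(a ^ b for a, b in zip(data, _keystream(EMBEDDED_KEY, len(data))))


def attacker_recover(blob: bytes) -> str:
    # Same constant, same keystream: one XOR, no guessing, any password length.
    return bytes(a ^ b for a, b in zip(blob, _keystream(EMBEDDED_KEY, len(blob)))).decode()


def hash_store(password: str, iterations: int = 200_000) -> dict:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify(password: str, record: dict) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])


def attacker_guess(record: dict, wordlist: Iterable[str]) -> Optional[str]:
    # Against the hash the only move is to try candidates, paying the full
    # KDF cost per guess; a password outside the wordlist is never recovered.
    for candidate in wordlist:
        if verify(candidate, record):
            return candidate
    return None


if __name__ == "__main__":
    pw = "correct horse battery staple"
    print("reversible store ->", attacker_recover(reversible_store(pw)))
    print("hashed store     ->", attacker_guess(hash_store(pw), ["password", "123456"]))
```

The point is the asymmetry: the strength of the password is irrelevant to the first store, because the secret that protects it is the same on every machine that runs the software, while the second store forces an attacker to pay for every guess.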

—Ars Technica reports that the U.S. Department of Homeland Security has issued a notice to power utilities, railroad companies, and other large industrial firms there, warning them of a feature/flaw in a widely used line of mission-critical network routers. The GarrettCom routers, hardened against dust and extremes in temperature and moisture, each contain a so-called “factory account” with a default password; anyone able to figure out the password would have greatly enhanced access and control privileges. DHS is concerned that even a user authenticated as “guest”—in a worst-case scenario, a terrorist or a disgruntled former employee—could have the power to sabotage a power plant or a rail system. The vulnerability was discovered by Justin W. Clarke, a self-schooled expert in industrial control system security. Clarke, who told Ars Technica that he bought one of the routers on eBay for US $12 and noticed the undocumented account during his analysis of the way the router works, found the same type of account with a default password in switches made by GarrettCom rival RuggedCom. A cursory search turned up nine such devices connected to the Internet with U.S.-based IP addresses.

FAA’s Modernization Program: Clear Skies, or Still In Heavy Turbulence?

The U.S. Federal Aviation Administration's En Route Automation Modernization (ERAM) program, which started ten years ago at an estimated cost of $2.1 billion, was scheduled to go into full operation last year. However, the modernization effort ran into major software and system difficulties (pdf), as outlined by Department of Transportation Inspector General Calvin Scovel in late 2010. To address the myriad problems, the FAA decided by early 2011 to add another US $300 million and three years to the effort. That cost and schedule change was at the low end of the range the IG said might be needed; Scovel estimated the program could require three additional years and $200 million more than the FAA predicted.

With this difference in mind, I was struck by something in a recent Bloomberg News article on the status of ERAM that was published just before the holiday weekend and thereby didn't garner much notice. ERAM is the replacement for the 45-year-old En Route Host computer and backup system (pdf) used at 20 FAA Air Route Traffic Control Centers across the U.S. and is, the FAA states with an odd mix of literary flourish and acronyms, "the heart of the Next Generation Air Transportation System (NextGen) and the pulse of the National Airspace System (NAS)."

In the article, Michael Huerta, acting chief of the FAA, says that ERAM is now on schedule and budget and that he feels “very good about where we are.”  Additionally, Jim Ullmann, regional vice president for the National Air Traffic Controllers Association (NATCA) union, which has been critical of ERAM in the past, now supports Huerta’s position.

That’s great news, right?

Yet, there was also this statement in the article: “Even after Huerta’s assessment, Calvin Scovel ... is sticking with his view expressed last October that there may be more cost overruns and delays, his spokesman, David Wonnenberg, said in an interview.”

Huh?

Last October, testifying before the House Subcommittee on Aviation, Scovel outlined then-existing problems with ERAM (pdf) that, if the FAA's and NATCA's current assessments are to be believed, have been generally addressed. So why is Scovel still holding to his previous pessimistic opinion?

One clue might be found in an April 2012 IG report on the risks to NextGen (pdf) that notes that Scovel has been performing a new audit of ERAM, to be published in the next few months. Perhaps Scovel's next depiction of the ERAM program won't be as pretty as the one the FAA and NATCA have been painting.

Checking the U.S. government IT dashboard, the Transportation Department's CIO shows ERAM has made significant progress since the beginning of the year, but, as of August 31, he still rates ERAM as a medium risk for the fifth month in a row in both cost and schedule (it was high risk at the end of 2011). That's surprising, given the FAA chief's comments, which would lead you to expect at least a better rating of moderately low risk.

Scouting around the web for more information, I came across this blog by an anonymous veteran En Route Center controller by the name of George who, at least as of June, was claiming that from his personal experience ERAM was still buggy and barely ready for prime time.  

The blogger also made an interesting argument that "both the FAA and NATCA have too much political capital at stake with ERAM to be impartial with respect to the project." He argues that in the past, NATCA could be critical of ERAM because the FAA didn't desire controller input, but now that it is a partner with the FAA, NATCA has to be, shall we say, more circumspect in its criticism. The Bloomberg article similarly notes that with the settlement of a labor dispute three years ago, "[c]ontrollers and the FAA now have an 'unheard of' level of collaboration."

So, we apparently have a Goldilocks situation where the FAA and NATCA are all smiles about ERAM’s current state, the DOT IG is still frowning, and the DOT CIO and the anonymous NATCA controller are somewhere in the pursed-lips middle.

Maybe someone in the Risk Factor readership can shed some insight as to which bear is right?

Price of Ulster Bank Customers’ Six Weeks of “Inconvenience”? About €25

Oscar Wilde once defined a cynic as someone who knows the price of everything but the value of nothing. Ulster Bank chief executive Jim Brown has put a cynical price on the inconvenience his 600 000 customers suffered from the bank's IT system outage that denied them access to their accounts for at least six weeks.

After inexplicably delaying for over a month, Ulster Bank finally announced its long promised and “simple” customer compensation plan (pdf) last Friday. Wilde would have surely questioned the bank's earnestness.

First, the plan states that personal customers “who visited and transacted at a branch during the period of the incident (19 June–18 July 2012) more frequently than in the equivalent period before the incident (19 May – 18 June 2012)” would receive a whopping €25 for their effort. Those who didn’t visit their branch more often during the time period (or spent their time calling the help lines instead) get nothing; the same is apparently true for those folks who aren’t customers of Ulster Bank but got caught up in the IT meltdown because their funds had to be processed by the bank’s systems.

The mid-July cutoff is as cynical as the compensation amount. It was only in late August that Ulster Bank management declared the bank’s operations were finally back to “business as usual,” and even then many customers were still having problems. The compensation period only covers the time when the IT system wasn’t working—the “inconvenience” of the aftermath doesn’t figure into the calculation. I suspect customers visited Ulster Bank branches a lot more after the 18th of July to try to straighten out their accounts than during the period when it was well known the bank’s IT systems were still on the fritz.

The bank went on to say, as before, that “all fees, charges and debit interest charged in error and correcting any credit interest owed as a result of this incident” will be refunded. However, it admitted it may take another six weeks for the refunds to finally show up on customer accounts.

In addition, personal and small and medium enterprise (SME) customers who incurred out-of-pocket expenses will get an inconvenience fee of 20 percent of their proven expenses, on expenses up to €600 (that is, a maximum payment of €120). Personal and SME customers will also see a minor 3-month interest rate boost to their accounts, and a likewise short waiver of some account fees.

Interestingly, the bank has been quiet on what it is doing to compensate large enterprise customers.

For customers worried about their credit being affected by the prolonged outage and by not being able to pay their bills on time, the bank will help them get a credit report. However, they have to give their details to a bank staff member, who will then send them to the Irish Credit Bureau. Customers should not expect to be compensated for the time spent doing this, or for the time needed to straighten out their credit if it indeed got hosed.

And as a final "have a nice day," the bank closed the letter with a reminder that the additional payment of 20 percent on top of out of pocket expenses and the automatic one-off payment of €25 “are treated by the Revenue Commissioners as capital receipts and may, depending on your personal circumstances, be taxable.”

As I said, reaction hasn't been exactly one of dancing in the streets. Customers and politicians alike called the plan "underwhelming," "too little too late," "miserly," "an insult"—well, you get the picture. CEO Brown, however, seems genuinely puzzled by the outcry. He defended the plan, telling the Independent, "I'm happy with it. I think it goes far enough." He also indicated that the bank's compensation expenses may reach €100 million, up from the original estimate of €35 million currently set aside. From his perspective, the bank is no doubt bending over backwards to put a fair value on its customers' troubles.

The total cost of the outage may go a little higher now that the consulting company PwC has been selected by Ulster Bank's parent company RBS Group to investigate the cause of the outage and to ensure that all RBS Group banks (RBS and NatWest are the others) have contingency plans in place to deal with potential outages in the future.

Monday's Financial Times reported that on 22 August the U.K. government's Financial Services Authority sent a letter to the chairmen and boards of the nine largest banks and building societies asking them to "explicitly detail efforts" to avoid problems like the one that hit the RBS Group, as well as to provide "the names of senior managers who could be held personally responsible if information technology systems go awry."

There may well be more than a couple of U.K. bank CIO positions opening up soon. Interested? Make sure the job includes superb executive liability insurance.

Adding pressure on the banks, the FT noted, is the Parliament’s Treasury Select Committee, which will also be looking into the issue and wants to be convinced “that such a failure cannot happen again.”

I bet the banks are thinking that's a lot of government oversight for only 25 euros worth of customer inconvenience.

A Tale of Two Audits: Numerous Government IT Problems in Australia and Scotland

For the past several years I have covered the on-going payroll system problems at Australia’s Queensland Health Service which saw an estimated A$6.19 million (fixed price) IT project morph into one that will likely end up costing over A$530 million to get right. The debacle, which helped spur the defeat of Queensland’s long-ruling Labor government earlier this year, also unsurprisingly prompted an audit of Queensland’s governmental IT projects by the incoming LNP-led government.

This week, LNP’s Information Technology Minister, Ros Bates, announced that the audit has so far uncovered 997 governmental IT applications that should have been replaced long ago but haven't been.  In many cases, replacement plans for these obsolete systems don’t even exist.

In a story in the Brisbane Times, Bates compared the state of Queensland’s government IT to a “1972 Ford Falcon” clunker, in terms of the need for daily repair. However, many of its obsolete legacy systems are mission critical, and could “melt down” at any time with disastrous effects. The audit report estimates that getting Queensland's IT back up to acceptable standards will cost at least A$3.6 billion and as much as A$6 billion. The challenge is going to be how to reach an agreeable level of acceptable IT risk since the government, already facing a nearly A$100 billion deficit, “cannot afford” the sums identified by the audit.

Bates says that as part of its efforts to solve the IT mess the government will “be going out to the market and looking for solutions from the market.” Well, she may want to first read Auditor General for Scotland Caroline Gardner’s audit (pdf), published last week. It found “significant weaknesses” in three major government IT projects that involved major IT systems upgrades (and market solutions) totaling some £130 million; each had a business case that the audit described, with typical UK understatement, as being of “variable quality.”

As reported by UK Press Association, the three projects reviewed were “the Crown Office and Procurator Fiscal Service (COPFS), Registers of Scotland (the body responsible for compiling and maintaining registers relating to property and other legal documents), and Disclosure Scotland, which provides information about the criminal record of those applying for certain jobs.”

According to the audit and the UKPA story, a £10 million project to improve COPFS case management was originally slated to start in August 2009 and to be completed by June 2011. However, warnings arose soon after the business case was approved that the project was much more complicated than estimated and therefore would cost significantly more than budgeted. So after spending £2.3 million but before anything of substance was created, the project was terminated, and all the costs written off.

The audit also reported that in 2004 the Registers of Scotland signed a ten year, £66 million agreement with telecom company BT to maintain and update its IT systems. However, for six years there was no formal peer review of the project's overall status. Now, with the contract's cost reaching £112 million (including having to write off two projects at a cost of £6.7 million) due in part to incorrect strategic assumptions in the original business case and subsequent poor contract management and oversight, the government has belatedly decided to terminate the contract 20 months early. How much the government will pay BT for early contract termination is still under negotiation.

In Disclosure Scotland’s case, its IT project was supposed to cost £31 million, running from June 2009 to May 2011. However, when it went live in February 2011, the “system experienced significant problems and did not perform as required,” meaning the old system had to be kept in operation. One reason for the difficulties was traced back to the business case which did not make it clear who in government was in charge of the program; the IT supplier viewed its client as being the government of Scotland, because that's who signed the contract, not Disclosure Scotland’s management team. This in turn helped create “different views of risks and [the] priorities” for managing them, which eventually led to system development issues. The project has cost £19 million so far, as payments to the supplier have been held up until the system is put right, which is planned to be by the end of this year. The legacy system it is meant to replace is expected to be finally shut down next year.

A story in the BBC summarized the findings of the Scottish IT audit in this way, saying that it found “ ‘weaknesses in financial control and progress reporting,’ claimed that ‘risk management was inadequate’ and the findings of independent reviews were ‘not always acted on.’ ”

All of which should serve as a warning to the government of Queensland as it tries to sort out its own IT messes.

This Week in Cybercrime: Hackers Say “If You Can’t Beat ‘Em, Evade ‘Em”

Evasion techniques that let cybercrooks bypass companies' antivirus software, firewalls, intrusion prevention systems, and other first lines of defense are becoming more prevalent, says a CSO.com article citing a study released on 29 August. The study, from FireEye, a security vendor focused on advanced persistent threats, says that in the first half of 2012, the incidence of advanced malware successfully evading signature-based detection such as blacklisting technology and AV software was 225 percent of that in the previous six-month period. One such evasion tactic, says FireEye, is the use of "throwaway" domains in spearphishing e-mails, in order to keep technologies that rely on domain reputation analysis from sniffing out the sender’s intentions: a domain that has never been seen before has no reputation, good or bad, to score. According to CSO.com, the number of domains used fewer than 10 times rose 45 percent from the second half of 2011. "These numbers make clear that cybercriminals are changing their malware more quickly, and reproducing malware and morphing it in an automated fashion," the report said.
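The FireEye finding above implies a defensive counter-measure: if reputation scoring cannot rate a sender domain it has never seen, a mail gateway can instead flag sender domains by prevalence, surfacing those used only a handful of times for analyst triage. The following is an added illustration written for this post, not code from FireEye, CSO.com, or any product mentioned here. The log format, the `from=` field, and the sample lines are constructed assumptions; the default threshold of 10 mirrors the "fewer than 10 times" figure cited in the article.

```python
import re
from collections import Counter

# Constructed sample of mail-gateway log lines (timestamp followed by the
# envelope sender).  These are invented addresses and domains, not real data.
SAMPLE_LOG = """\
2012-08-01T09:12:03 from=alice@partner-corp.example
2012-08-01T09:15:44 from=bob@partner-corp.example
2012-08-01T10:02:10 from=invoice@billing-2f9k.example
2012-08-02T11:30:00 from=carol@partner-corp.example
2012-08-02T11:31:12 from=ceo@hr-notice-x7q.example
2012-08-03T08:00:05 from=dave@partner-corp.example
2012-08-03T08:45:22 from=news@vendor-mail.example
2012-08-03T09:10:00 from=news@vendor-mail.example
2012-08-04T14:00:00 from=news@vendor-mail.example
2012-08-04T14:05:00 malformed line with no sender field
"""

# Assumed field layout: the sender appears as "from=<address>" somewhere on the line.
FROM_RE = re.compile(r"from=(?P<addr>\S+)")


def parse_log(text):
    """Return the lowercased sender domain for every well-formed line in the log.

    Lines without a parsable from=<user>@<domain> field are skipped rather than
    allowed to crash the pipeline, since gateway logs routinely contain noise.
    """
    domains = []
    for line in text.splitlines():
        match = FROM_RE.search(line)
        if not match or "@" not in match.group("addr"):
            continue
        domains.append(match.group("addr").rsplit("@", 1)[1].lower())
    return domains


def flag_rare_domains(domains, min_seen=10, known_good=frozenset()):
    """Return {domain: count} for sender domains seen fewer than min_seen times.

    Domains in known_good (for example an organisation's own partners) are
    exempted so that a legitimate but quiet correspondent is not flagged forever.
    """
    counts = Counter(domains)
    return {
        domain: count
        for domain, count in counts.items()
        if count < min_seen and domain not in known_good
    }


def triage_report(text, min_seen=10, known_good=frozenset()):
    """Sorted (domain, count) pairs for analyst review, rarest first."""
    rare = flag_rare_domains(parse_log(text), min_seen, known_good)
    return sorted(rare.items(), key=lambda item: (item[1], item[0]))


if __name__ == "__main__":
    for domain, count in triage_report(SAMPLE_LOG, min_seen=3):
        print(f"{count:>3}  {domain}")
```

Prevalence is a triage signal, not a verdict: a domain seen once may be a new customer as easily as a spearphisher, so the output belongs in an analyst queue alongside the message's attachments and links, not in a block rule. Pair it with first-seen age (the domain's registration or first appearance date) for a stronger signal than count alone.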

On 29 August, Computerworld reported that hackers have added two new zero-day exploits that take advantage of Java vulnerabilities to Blackhole, a veritable Swiss Army knife of exploits. Blackhole is designed to try each of its malware tools until it finds one that will work against a particular computer. The head of research at security firm Websense said that by that morning, his team had found more than 100 unique domains serving the Java exploit. He predicted that numerous sites would be successfully attacked using these new exploits over the next few days. According to Computerworld, Michael Coates, director of security assurance at Mozilla, maker of the Firefox Web browser, is urging Firefox users to disable the browser's Java plug-in because Oracle has not issued fixes. Others, including the United States Computer Emergency Readiness Team, seconded Mozilla’s suggestion or recommended uninstalling Java entirely.

What is the global economic impact of cybercrime? A NetworkWorld article reports that U.S. government officials including the president have parroted reports pegging the figure at US $1 trillion. But in a recent ProPublica report, several security experts and analysts call that trillion-dollar-cybercrime estimate grossly inflated. They remind the public that any estimate from a security vendor should be taken with a grain of salt. It is understood that IT security firms stand to gain from an atmosphere where the perceived security risks and costs are greater. "I don't beat them up for it," Jason Healey, director of the Atlantic Council’s Cyber Statecraft Initiative, told NetworkWorld. "Experts have long had trouble agreeing on estimates that are within even two orders of magnitude of each other," says Healey. Why? For one, industry reports are not peer reviewed the way articles in academic and professional journals are. And even the most even-handed reports suffer from the fact that, as the authors of a cybercrime assessment done at the behest of the UK Ministry of Defense noted in the paper, "There are over 100 different sources of data on cybercrime, yet the available statistics are still insufficient and fragmented; they suffer from under- and over-reporting.”

SecurityWeek reported this week that Toyota has filed a lawsuit against an ex-contractor for sabotaging the company’s supplier network and downloading confidential information. According to Toyota’s court filing, Ibrahimshah Shahulhameed, who was working for the automaker at a facility in Kentucky, gained access to the company’s online supplier network after he was fired on 23 August; he spent that night downloading trade secrets and other proprietary information then sabotaging the network. Toyota’s computer security officials told SecurityWeek that they weren’t immediately sure how much damage Shahulhameed had done; his sabotage efforts were seemingly meant to cover his tracks. For a moment, Toyota officials were afraid that Shahulhameed, who SecurityWeek says is in the United States on an H-1B visa, would escape punishment for his actions. After he was released on $2500 bond, he told corporate investigators that he was planning on returning to his native India. But he subsequently agreed not to travel during the court proceedings.

Contributor: Willie D. Jones