WAR & PEACE IN CYBERSPACE

Sarbanes-Oxley: maybe a blessing, maybe a curse

Richard Power and Dario Forte

Computer Fraud & Security, September 2005

Sarbanes-Oxley can bring benefits and heartache to IT security managers. This article demonstrates the advantages and the headaches that the legislation can cause.

In the East, there is a legend, repeated in several cultures, with different twists, about a wise man who many villagers thought was just a fool. Wherever he went, whatever befell him, he would simply shrug and say, “Maybe a blessing, maybe a curse.” His behaviour perplexed the villagers. But, in time, the wisdom within his foolishness was revealed over and over again.

For example, one day the wise man was given a strong, swift horse. The villagers congratulated him. But he simply shrugged his shoulders and said, “Maybe a blessing, maybe a curse.” Then, the magnificent horse disappeared. The villagers attempted to console him. But he just said, “Maybe a blessing, maybe a curse.” Then, the horse returned with a herd of strong, swift horses. Surely this turn of events would evoke a more celebratory response from the fool? No, “maybe a blessing, maybe a curse.” Then, his only son was thrown by one of the horses and broke his hip. The villagers were amazed, “Well, how did he know…it was, indeed, a curse.” But the villagers were really baffled when the man shrugged again, and said, “Maybe a blessing, maybe a curse.” Then, the war came. All of the villagers’ sons went off to die in battle, except of course for the fool whose only son’s hip had been broken. “Maybe a blessing, maybe a curse.”

If you are responsible for cyber security in a corporate environment then you are familiar with how it feels to have your wisdom mistaken for foolishness. You also understand how something that can look and feel like a blessing can turn into its opposite and vice versa. When it comes to the impact of Sarbanes-Oxley (aka SOX), nothing has changed. Maybe it’s a blessing, maybe it’s a curse—in other words, probably a bit of both. Let’s take a look.

The blessing of SOX (maybe)

In mid-2001, Enron was an energy trading, natural gas, and electric utilities company, listed as the seventh largest company in the US. But by the end of the year, when its unscrupulous accounting techniques were revealed, Enron went bankrupt, decimating personal retirement plans, causing huge losses to state pension funds and resulting in the demise of Arthur Andersen, one of the big five global accounting firms. The Enron scandal also led to sweeping criminal investigations that cast a huge shadow of political scandal over the Bush administration. Some “argue” that Ken “Kenny Boy” Lay, the man at the top of the ENRON pyramid scheme, was both a big contributor to Bush’s political campaigns and the mastermind behind Enron’s “success.”

The public’s attention was taken away from the ENRON scandal by the smoke billowing from the horrific terrorist attack on the World Trade Center in New York on 11 September. But lo and behold, Enron was just the first paroxysm in a series of paroxysms that undermined investor confidence in the financial system itself, for example:

Tyco

Tyco International Ltd., a conglomerate with business in the areas of electronic components, health care, fire safety, security, and fluid control, was plunged into crisis when its former chairman and chief executive Dennis Kozlowski and former chief financial officer Mark H. Swartz were accused of the theft of US $600 million from the company. During their trial in March 2004, they contended the board of directors authorized it as compensation. After a 2001 re-trial, both men were convicted on 29 of 30 counts against them and sentenced to up to 25 years in prison.

WorldCom

WorldCom, built mostly on mergers and acquisitions, was the second largest long distance phone company in the U.S. In 2002, an internal audit discovered that US$3.8 billion had been “miscounted,” and the US Securities and Exchange Commission (SEC) opened an investigation. WorldCom filed for Chapter 11 bankruptcy protection in the largest such filing in the history of the United States. Within a few weeks, an additional $3.3 billion in improper accounting since 1999 was announced. By the end of 2003, it was estimated that the company’s assets had been inflated by around $12 billion. In 2005, WorldCom founder and former CEO Bernard Ebbers was found guilty on charges of fraud and conspiracy and sentenced to 25 years in prison.

But this unprecedented series of corporate governance scandals isn’t limited to US high rollers and their bean counters:

Royal Ahold

In February 2003, Royal Ahold of the Netherlands, the world’s third-largest grocer, a global empire that once comprised