Is the World Bank in the middle of a security meltdown?
Over the past year, as FOX News reported three weeks ago, the bank has suffered a series of Internet attacks that penetrated at least 18 and perhaps as many as 40 of the bank's data servers. Moreover, spyware was apparently installed on computers inside the bank's treasury unit in Washington. The bank denies that sensitive data was compromised in any of the attacks.
Now, FOX News has learned, hundreds of employees of an India-based technology contractor that World Bank president Robert Zoellick ordered off the agency's property last April on security grounds are still working for the financial institution. They have been transformed in recent months into bank staffers or shifted onto the employment rolls of other contractors.
These revelations raise more questions about the safety of sensitive information at the world's largest and most influential anti-poverty lender. They also raise questions about the dependence of the bank on outside contracting help to maintain an information and communications system that is a hodgepodge of both semi-obsolete and cutting edge technologies, and far less secure than many people around the world have reason to expect.
The significance of those weaknesses is still far from clear — especially as the bank strenuously denies that any of them exist. Yet despite those denials, FOX has learned, the bank's top executives recently held secret meetings to discuss whether the institution should sever all ties with outside information technology vendors. For the time being, according to inside sources, the bank has put the process of signing new information technology contracts on hold. (A bank spokesman, who insisted on anonymity, denied both the secret meetings and the hold on contracts.)
The World Bank doles out $25 billion a year for 2,000 development projects around the world, ranging from hydro-power plants in India to highways in China, from the privatization of state enterprises in Niger to the modernization of tax-collecting systems in Bulgaria. It also manages a $70 billion investment portfolio, and owns one of the largest repositories of confidential data about the economies of its 185 member-nations, down to such minutiae as the amount of hard currency that any central bank holds in real time, meaning the current state of its accounts. That information is voluntarily handed over on the assumption that it will remain confidential.
Knowing what's inside the World Bank's databases could be worth billions to speculators, hedge funds or governments anxious to increase their leverage or even destabilize other national economies in the current financial turbulence. In short, confidence in the bank's information security system is nearly identical with confidence in the bank itself.
While the lending agency is denying that any sensitive data was compromised by the computer breaches, internal memos and testimony from inside sources suggest that it may in fact already have suffered the greatest security breach ever at a global financial institution, a series of intrusions — starting in mid-2007 — that the bank's senior technology manager in an email called "this unprecedented crisis."
That crisis has refocused attention on a World Bank vendor that in little more than five years came to dominate the bank's information systems: Satyam Computer Services — a $2 billion India-based software giant that trades on the New York Stock Exchange and claims to have more than 150 Fortune 500 companies as customers.
Since 2003, according to FOX sources, the World Bank has paid Satyam hundreds of millions of dollars to write and maintain all the software used by the bank throughout its global information network, including its back-office operations — overseeing data that ranges from accounting and personnel records to trust funds administered for many of the world's richest nations.
But all that came to an ungainly halt last April when the Bank's president, Zoellick, according to bank insiders, told his top deputies: "I want them off the premises now." At that time, the insiders say, bank forensic investigators had concluded that one or more Satyam employees had been involved in installing sophisticated spyware on workstations inside the bank's highly-sensitive treasury unit in Washington — software that was involved in at least one of the data base security breaches.
Zoellick's order was never carried out, because his deputies convinced him that the ruling would cause internal havoc. Bank staffers have told FOX that instead, hundreds of Satyam employees remained involved in the daily operations of the bank's information systems until September 30, 2008. The reason: The bank needed to accomplish a "knowledge transfer" with a bank staff that, by all accounts, had failed to maintain the know-how to understand its own computer software without the vendor's help.
Then, according to a number of bank sources contacted by FOX News, the contract was terminated before the end of its five-year-span, with no possibility of renewal.
According to Satyam, the contract was not terminated in any way. But the bank spokesman revealed that the contract was due to expire "at the end of the year." Asked whether Satyam's contract was terminated, he said only: "As of September 30, Satyam had completed all of its work."
In a statement to the press on October 12, Satyam denied that any of its agents installed spyware on the World Bank's network and insisted that "we hold ourselves to the highest standards in the industry." And at a press conference on Oct. 17, a Satyam board director, Ram Mynampati, denied that the company had been banned from future work at the bank.
According to the India Times, he stated that the contract ended on September 30 "in accordance with the bank's stated policy of not continuing contracts after a stipulated period."
Yet despite those denials, FOX News has learned from insiders that Satyam has now called for an arbitration for "wrongful termination" of its contract. (In response to FOX News questions, the bank spokesman said that "there are no pending or current arbitration actions involving Satyam.")
And meantime, according to bank insiders, both before and after September 30 — the day Satyam was officially supposed to leave — the bank arranged the transfer of hundreds of Satyam employees to its own staff-employment roster or those of other India-based vendors. "It was a body swap," says one well-placed insider. "Same people, different employers." According to the anonymous World Bank spokesman, only "approximately a dozen former employees have been hired by the bank or other bank suppliers."
What the body swap issue shows is how deeply the bank and Satyam had become intertwined. Indeed, there is other evidence that the bank intended its relationship with the technology firm to be long-lasting and close. In 2002, the bank moved its software development and many of its back-office operations into a new 27,000-sq-ft building on Satyam's industrial campus in Chennai, India — on land that Satyam reportedly donated to the bank for $1. (Those ties have now been cut, and the operations have been moved into a bank office in the city of Chennai.)
"With this contract, our relationship with Satyam has matured from a contractual relationship to a strategic partnership," a World Bank official, Rakesh Asthana, announced at an Indian press conference in 2003, after Satyam was granted its five-year sole-source contract by the bank. "Over the next five years, we see Satyam as a key contributor to the implementation of the World Bank's IT strategy." (Asthana is today the bank's senior technology manager.)
One of the results of that partnership was a lot of money for Satyam. While the initial contract with the bank was for $10 million, spread out over five years, insiders say that the company was allowed to bill additionally for time and materials, and ultimately reaped more than a quarter of a billion dollars from the bank. The bank's anonymous spokesman says that any estimate of $250 million for the bank's payout to Satyam is "completely incorrect." Asked for an exact figure, he replied: "We don't discuss confidential business information."
But nothing shows more clearly how deeply interdependent the bank and Satyam had become than the fact that Satyam was allowed to continue as the bank's main information software vendor for three years, from 2005 until its final cutoff, after the company was implicated in a probe of a World Bank vice president that led to the executive's dismissal. That man, Mohamed Muhsin, the bank's chief information officer from 1997 to 2005, was accused of purchasing preferential stock options from Satyam while awarding major contracts to the company.
By late 2005, when he was accused of improper ties with Satyam and ousted from the bank, Muhsin had about 800 information technology (IT) staffers reporting to him, as well as 600 personnel from outside contractors — most of them from Satyam. Moreover, Muhsin's annual IT budget had ballooned to more than $280 million, making it the second largest after the operational budget for the bank's Africa department.
A multi-year top-secret bank investigation, one of the most intensive probes of a top official in the institution's 64-year history, led to Muhsin being escorted from the bank's Washington headquarters in early October, 2005 — just weeks before his official retirement. And on January 8, 2007, he was banned forever from the premises and from any future work at the bank.
The relationship between Satyam and Muhsin is disclosed in a published World Bank administrative tribunal ruling dated March 18, 2008, which is buried deep on the agency's website.
Neither Muhsin nor Satyam is referred to in the tribunal decision by name. The tribunal judges refer to the bank official as "L" and the company as "X." But the records make clear, in part through the tribunal's reference to a January 24, 2006 Washington Post news story that briefly cited a World Bank probe of Muhsin, that "L" is Muhsin and "X" is Satyam. Bank sources have further confirmed their respective identities to FOX.
According to the tribunal record, the bank's senior management had concluded in January 2007 and again on April 17, 2007 — following what they called a "lengthy and exhaustive" probe by the bank's internal investigations unit — that Muhsin had engaged in "misconduct," a "serious conflict of interest" and a "breach" of his ethical duties by purchasing stock options from Satyam and a subsidiary firm.
"You purchased shares of stock in companies that had then current or prospective business interests in your…unit," concluded the bank's Vice President of Human Resources, according to the published records. "Further, you failed to recuse yourself from personal involvement in Bank activities involving at least one of these business entities…Moreover, there is reasonably sufficient evidence showing that you purchased some of the shares of stock under preferential terms."
The bank's management also concluded about Muhsin: "You personally intervened and advocated for the [X] company … to serve as a Bank vendor … Over the course of at least three years, you orchestrated a business relationship between the Bank and [the X company] which favored and enabled [the X company] to become the beneficiary of 32 sole-sourced contracts and/or purchase orders."
Muhsin, 65, who apparently divides his time between Maryland and his native Sri Lanka, is appealing the decision before the tribunal, and declined to respond to repeated FOX requests for an interview. Satyam and World Bank officials also declined to answer questions from FOX about the ruling and the circumstances described in the tribunal record.
Now that Satyam and the World Bank have gone their separate ways, even if hundreds of former Satyam employees apparently haven't, the bank has another dilemma. In terms of the bank's software programs, "at bottom, we don't know what they [Satyam] know," says a senior IT staffer at the institution. "We quickly lost control of 'the code,' which is the DNA of a modern enterprise. Code is everything — your payroll, your financing, your trading operations, your network security, how you buy and sell things, how you report to your shareholders."
The bank's own information security practices apparently have not helped. Only after the latest series of security attacks did the bank circulate an internal memo in August that declared the bank's webmail would now be available to all staffers via "two-factor authentication" — a measure that most financial institutions, and many other corporations, fully instituted years ago.
In fact, U.S. financial institutions have been required since 2006 to employ some form of two-factor authentication on any Internet-connected sites where someone could gain access to private consumer information.
"Two-factor" authentication means that staffers cannot log onto the bank's internal email system without providing an additional piece of security information. In the case of many corporations, that information includes a randomly-changing password number from an electronic security tag (or token). Prior to the August memo, the bank apparently had no such thing for many if not most of its employees — even those working in its highly-sensitive internal investigations unit.
Bank sources tell FOX News that the World Bank's auditor general issued an internal report in 2007 warning about the lack of such two-factor authentication, but her report was ignored.
Security experts reached by FOX expressed shock that an institution as important and sensitive as the World Bank hadn't long ago mandated a two-step log-on system. "Any global financial institution still using only simple password authentication is flirting with disaster," says Mike Haro, a senior security analyst with SOPHOS, one of the country's leading computer security companies.
That disaster may already have occurred, in the attacks that began on World Bank data bases in the summer of 2007 and according to bank insiders reached the institution's ultra-sensitive treasury data base in April 2008. The World Bank treasury manages $70 billion in assets for 25 clients, including the central banks of some countries. In addition, it runs an active bond-trading desk and does everything from currency-trading to capital markets financings.
The bank vociferously denies that any breaches of its treasury occurred.
Nonetheless, as computer security expert Haro says, "It's naïve to think that this was not a targeted attack. And the reality with this kind of security breach is that you don't know what you don't know."
One thing that is clearly unknown is just who or what company (or nation) is behind the breaches — and why. Some of the penetrations shared the same "cluster" of IP addresses in the offshore Chinese territory of Macao. While those addresses can be "spoofed" (or disguised), some bank officials, according to FOX sources, at least initially concluded that China's government was involved.
Informed of the breaches by FOX, one veteran China hand, Heritage Foundation fellow John Tkacik, a former chief of China intelligence at the State Department, says he was "initially skeptical" that China's government was behind the breaches, but that — "after looking into it, I've changed my mind."
Tkacik declines to reveal what he learned that convinced him otherwise.
Chinese cyber-espionage is a matter of growing concern in Washington circles, however. Tkacik says, "Professional intelligence experts here are aghast at the broad-spectrum and the galactic magnitudes of financial, equipment and manpower resources that the Chinese intelligence services are putting into an all-pervasive global cyber espionage campaign." America, he adds, "faces a grave vulnerability because our political leaders are timid about spreading the news in the general public."
Whoever was responsible for the bank security breaches, the issue now is whether the World Bank's credibility, as well as its security, have been damaged. And if so, whether its own response to security concerns — and the revelations about them — may be part of the problem.