Professor Marianne Winslett, University of Illinois at Urbana-Champaign, and Advanced Digital Sciences Center, Singapore talked today in the famous room N101 at the Australian National University in Canberra, on "Records Retention: Addressing Insider Threats to Data Integrity". She contrasted the bank runs of the 1930s that followed the stock market crash with the relative stability seen during the recent economic problems. She then pointed out that Enron executives falsified their corporate records, but largely got away with it, and that the Sarbanes-Oxley Act (SOX) was introduced in response.
Professor Winslett showed examples of email messages between Enron executives openly arranging the fraud and suggested that people at the top feel invulnerable. SOX requires detailed records to be kept which, if done, would assist prosecution. The same applications built for SOX compliance are also being used by health providers to meet their record keeping requirements.
Professor Winslett argued that IT researchers could help make compliance with laws like SOX more efficient and effective. The main threat is undetected tampering with records. Practice suggests that most fraudsters do not systematically plan in advance. So a system which prevents undetectable changes, combined with regular audits, will be able to detect fraud. For email and documents a copy can simply be made. For a database that is updated in place there is a "regret interval": the window between two copies, during which an insider can alter records without the alteration being visible to the next copy.
Professor Winslett discussed the use of write once, read many (WORM) file stores. These are still vulnerable: an attacker can change the system clock so that records carry a false date, restore an old backup in place of the current store, or alter the index that points to the data.
Professor Winslett discussed the use of temporal databases, which keep time stamped copies of the data rather than overwriting it. Hash functions can be used to speed up integrity checks. An implementation using a modified version of Berkeley DB imposed about a 10% performance penalty. A lighter-weight "audit helper" function imposed only about 1% overhead.
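The tamper-evident store described above, as an added example that is not Professor Winslett's code nor the modified Berkeley DB from the talk: a small append-only, time-stamped record store with a SHA-256 hash chain, plus an "audit helper" that is nothing more than the chain head (length and hash) kept outside the database. The record keys (PO-17, PO-18), amounts and timestamps are constructed sample data, and the method names are my own. It goes slightly beyond the talk summary to show why the hash chain alone is not enough: an in-place edit or a backdated timestamp breaks the chain, but restoring an old backup or rewriting the whole ledger inside the regret interval yields an internally consistent chain, and only the externally held checkpoint catches that.

```python
import hashlib
import json
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64  # prev-hash of the first entry


def entry_hash(prev_hash: str, seq: int, ts: int, key: str, value: str) -> str:
    """Hash one entry, bound to its predecessor. Canonical JSON (sorted keys,
    no whitespace) makes the encoding unambiguous."""
    payload = json.dumps(
        {"prev": prev_hash, "seq": seq, "ts": ts, "key": key, "value": value},
        sort_keys=True, separators=(",", ":"),
    )
    return hashlib.sha256(payload.encode()).hexdigest()


class TemporalStore:
    """Append-only, time-stamped versions of each record, hash-chained."""

    def __init__(self) -> None:
        self.log: List[Dict] = []

    def write(self, ts: int, key: str, value: str) -> int:
        # Updates never overwrite: a new version is appended with its own timestamp.
        if self.log and ts < self.log[-1]["ts"]:
            raise ValueError("timestamps must not go backwards")
        prev = self.log[-1]["hash"] if self.log else GENESIS
        seq = len(self.log)
        self.log.append({"seq": seq, "ts": ts, "key": key, "value": value,
                         "prev": prev, "hash": entry_hash(prev, seq, ts, key, value)})
        return seq

    def as_of(self, key: str, ts: int) -> Optional[str]:
        """Value of `key` as it stood at time `ts`; scans the log, not an index."""
        versions = [e for e in self.log if e["key"] == key and e["ts"] <= ts]
        return versions[-1]["value"] if versions else None

    def checkpoint(self) -> Tuple[int, str]:
        """(length, head hash): the 'audit helper' an auditor keeps outside the
        database instead of a full copy. Tiny, but it pins the whole history."""
        return (len(self.log), self.log[-1]["hash"] if self.log else GENESIS)

    def audit(self, checkpoint: Optional[Tuple[int, str]] = None) -> str:
        """Recompute the chain. Returns "ok", "tampered@<seq>", "rollback" or
        "rewritten". Without a checkpoint only in-place edits are detectable."""
        prev = GENESIS
        for i, e in enumerate(self.log):
            if (e["seq"] != i or e["prev"] != prev
                    or e["hash"] != entry_hash(prev, i, e["ts"], e["key"], e["value"])):
                return f"tampered@{i}"
            prev = e["hash"]
        if checkpoint is not None:
            n, head = checkpoint
            if len(self.log) < n:
                return "rollback"      # old backup restored: history got shorter
            if (self.log[n - 1]["hash"] if n else GENESIS) != head:
                return "rewritten"     # consistent chain, but not the one audited
        return "ok"


def build_sample_store() -> TemporalStore:
    # Constructed sample ledger: PO-17 is created then amended, PO-18 is created.
    s = TemporalStore()
    s.write(1000, "PO-17", "amount=10000 vendor=ACME")
    s.write(1010, "PO-17", "amount=12000 vendor=ACME")
    s.write(1020, "PO-18", "amount=500 vendor=Globex")
    return s


def demo_in_place_edit() -> str:
    s = build_sample_store()
    s.log[1]["value"] = "amount=1200 vendor=ACME"   # insider quietly shrinks the amount
    return s.audit()                                # -> "tampered@1"


def demo_backdate() -> str:
    s = build_sample_store()
    s.log[2]["ts"] = 900                            # pretend PO-18 existed earlier
    return s.audit()                                # -> "tampered@2"


def demo_restore_old_backup() -> Tuple[str, str]:
    s = build_sample_store()
    cp = s.checkpoint()                             # auditor took the head earlier
    del s.log[2]                                    # restore a backup predating PO-18
    return s.audit(), s.audit(cp)                   # -> ("ok", "rollback")


def demo_regret_interval() -> Tuple[str, str]:
    """Inside the regret interval the insider rebuilds the entire chain."""
    s = build_sample_store()
    before = s.checkpoint()
    rows = [(e["ts"], e["key"], e["value"]) for e in s.log]
    rows[1] = (1010, "PO-17", "amount=1200 vendor=ACME")
    s = TemporalStore()
    for ts, k, v in rows:
        s.write(ts, k, v)                           # every hash recomputed cleanly
    after = s.checkpoint()                          # a checkpoint taken now is too late
    return s.audit(after), s.audit(before)          # -> ("ok", "rewritten")


if __name__ == "__main__":
    print(demo_in_place_edit(), demo_backdate(),
          demo_restore_old_backup(), demo_regret_interval())
```

The point of the last two demos is the one the talk makes about regret intervals and about restoring old backups: the cost of the check is a single hash, but its value depends entirely on the checkpoint being taken often and held somewhere the insider cannot reach.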
Professor Winslett pointed out that a trustworthy record store does not protect against fabricated business transactions, such as fake purchase orders: it faithfully preserves whatever was entered, genuine or not.
It seems to me that with increasing use of B2B it should be simpler to detect gross fraud by one company. Assuming organisations are not colluding, and that the transactions are with legitimate organisations, it will be difficult for one organisation to fake its internal records for long, as these would not match what was going in and out. Combined with logging of large transactions and a random sample of smaller ones, this should be enough to deter and detect gross fraud, at a cost far lower than full logging.
Ultimately we need trustworthy people. A simple solution is to have a copy of the company's records outside the control of the company executives. One way is to have IT and records management staff who are instilled with a sense of professionalism backed up by law. Another would be to have the auditors take a real time copy of the records on their own systems, outside the control of the company.
ps: After this talk I attended a discussion of how to provide a repository of learning modules. Many of the issues were similar: how do we reliably record what is done over time? How can we say reliably who did what, when?