Duties Stripped from Chief Information Officer;
Sources Say Management ‘Looking for Fall Guy’

(Washington, D.C) – In the wake of recent news reports showing serious breaches of the World Bank’s information security system, the Government Accountability Project (GAP) has learned from sources inside the bank, as well as from an internal Bank announcement, that duties have been stripped from the institution’s Chief Information Officer.

According to FOX News reports and internal sources, the Bank’s records, which contain sensitive financial information from borrowing and donor countries, were repeatedly and illicitly accessed over the last year. At the same time, the Bank is trying to downplay the attacks, as it positions itself to assume a prominent role in addressing the global financial crisis. This cyber-breach situation raises troubling questions about its future effectiveness in dealing with the crisis.

“Our sources inside the Bank have said management has been looking for someone to take the fall for these breaches,” said GAP International Program Director Bea Edwards. “The World Bank must ensure that its member countries’ financial records are secure. If the Bank can’t safeguard sensitive information, it can’t be trusted to help with the global financial crisis.”

Last night, Bank Manager Juan Jose Daboub sent out an announcement to bank staffers regarding new personnel addressing the security issues. Part of the message was:

At the request of President Zoellick, Van Pulley will take over responsibility for WBG information security effective immediately and until more permanent arrangements are in place.

It is unknown at this time whether current Bank Information Officer Guy de Poerck has been simply stripped of his security responsibilities, shifted to another position, or fired outright.

“This is like locking the barn door after the horse – and the key – have been stolen,” stated Edwards. “It’s is a cosmetic fix. The Bank’s information system has been breached repeatedly for months, and may need a massive overhaul.”

World Bank spokespeople have been denying for months the seriousness of the cyber-incursions. Apparently, sanctions regarding security issues were only applied belatedly to an India-based company stemming from incidents that occurred as long ago as April. At the same time, the Bank has delayed sanctioning five state-owned Chinese companies implicated in wrongdoing. In that case, the World Bank reportedly offered a deal to a reporter if he would delay publication of his story about the sanctions until after the G-20 Summit in Washington two weekends ago.

Daboub, who notified Bank staffers last night about the immediate steps to re-secure the Bank’s information systems, is no stranger to controversy. Last year, during the Paul Wolfowitz scandal, GAP released information showing that Daboub instructed a team of Bank specialists to delete all references to family planning services from a proposed assistance strategy for Madagascar, and later from the Bank’s overall Health and Nutrition Strategy.

Background

Beginning last month, independent journalist Richard Behar, writing for FOX News, reported that a vendor implicated in a bribery investigation of former Bank Vice President Mohamed Muhsin had apparently installed spyware on World Bank work stations. The ‘key-logging’ spyware would have enabled the company, Satyam Computer Systems, Ltd., to penetrate as many as 40 World Bank servers, gaining access to sensitive financial information about pending loans and contracts.

The World Bank’s statements minimizing the breaches and attacking accounts of them were plainly contradicted by internal Bank memos showing top information technology officers in a state of high alert and alarm. On Friday, November 15, another FOX News story reported that, through a World Bank connection, the spyware had also penetrated the information security system at the International Monetary Fund (IMF).

Satyam, one of India’s major information technology companies, was contracted to work at the World Bank at the behest of Muhsin in 2003. A formal investigation of Muhsin concluded in 2007 that he had been improperly influenced by Satyam: “reasonably sufficient evidence” demonstrated that Muhsin had secured as much as $100 million in contracts and purchase orders for Satyam in exchange for stock options at preferential prices.

Despite Muhsin’s banishment from the Bank, Satyam was allowed to continue working until September 2008 without penalty or effective monitoring. For five years, through the terms of both ‘anti-corruption’ presidents of the Bank, James Wolfensohn and Paul Wolfowitz, the firm operated inside the Bank with impunity. This permissiveness of improper influence is at odds with international anticorruption conventions, which the Bank routinely exhorts its borrowing countries to respect. The United Nations Convention Against Corruption criminalizes:

[T]he promise, offering or giving to a foreign public official or an official of a public international organization, directly or indirectly, of an undue advantage, for the official himself or herself or another person or entity, in order that the official act or refrain from acting in the exercise of his or her official duties, in order to obtain or retain business or other undue advantage in relation to the conduct of international business (Article 16).

The World Bank’s Public Sector Governance Group, which seeks to educate borrowing countries about fraud and corruption, has declared: “Corruption sabotages policies and programs that aim to reduce poverty, so attacking corruption is critical to the achievement of the Bank’s overarching mission of poverty reduction.” The high-minded rhetoric is squarely at odds with real practice at the institution, which has consistently renewed contracts to a vendor suspected of bribery.