Our branches of the Federal Government have been busy these past two weeks, as has the Chinese government halfway around the world. First came the U.S. Supreme Court ruling on Sarbanes-Oxley. Then a U.S. Senate committee passed a bill giving great power over the Internet to the U.S. President. And finally, Google adhered to the censorship policy of the Chinese government and agreed to redirect traffic that the Chinese government wants to censor. With all these developments, what are the implications for enterprise IT?
In response to the collapse of Enron, WorldCom, and other corporations, the US Congress passed the Sarbanes-Oxley Act of 2002 to protect shareholders and the general public from accounting errors and fraudulent practices in the enterprise. As stated by Tech Target, "the act is administered by the Securities and Exchange Commission (SEC), which sets deadlines for compliance and publishes rules on requirements. Sarbanes-Oxley is not a set of business practices and does not specify how a business should store records; rather, it defines which records are to be stored and for how long. Specifically, the Sarbanes-Oxley Act states that all business records, including electronic records and electronic messages, must be saved for 'not less than five years.'"
What is the concern with the recent ruling? At stake was whether the entire Sarbanes-Oxley Act would be nullified. Instead the court struck down only part: where the Act says the SEC needs good cause to remove board members. The court said the SEC has the power to remove board members at will. As summarized by Chief Justice Roberts, writing for the majority, "The consequence is that the Board may continue to function as before, but its members may be removed at will by the Commission."
Bottom line for enterprise IT: No response or change in behavior is needed. IT will continue to play a significant role in storing and maintaining the integrity of corporate data. As always, IT will be vigilant in finding cost-effective ways to satisfy the requirements in the Sarbanes-Oxley legislation, which remain intact and are not affected by the U.S. Supreme Court ruling.
The “Internet Kill Switch”
Just a few days ago, the Senate Committee on Homeland Security & Governmental Affairs approved the Protecting Cyberspace as a National Asset Act of 2010 (PCNAA), including the much-talked-about “Internet Kill Switch”. Many are concerned that this new bill gives the U.S. President the power to shut down the Internet for up to 120 days, without Congressional approval, in response to a cyberattack. Questions arise, such as: What constitutes a cyberattack? What specifically is the critical infrastructure the government can regulate? And can the Internet really ever be turned off?
As noted in Network World, "the Internet is the biggest distributed communications system mankind has ever created. The Net interprets control as damage and routes around it."
This new bill also establishes a White House Office for Cyberspace Policy and a National Center for Cybersecurity and Communications, creating a new bureaucratic body that simply may not be able to address security as fast and as well as the private sector. As mentioned in Tech World, “Cybersecurity technologies and services thrive on competition. To be sure, law enforcement has a crucial role in punishing intrusions on private networks and infrastructure. But government must coexist with, rather than crowd out, private sector security technologies.”
Bottom line for enterprise IT: This bill has the potential to greatly affect enterprise organizations should the government regulate the Internet in response to a cyberattack. Should the “Internet Kill Switch” be approved by Congress, its implications are still to be determined. For example, will critical infrastructure include private networks such as banking, utilities, traffic control and especially telecommunications? Would services like VoIP, unified communications, and video conferencing be affected? Enterprises are advised to stay tuned.
Chinese Censorship and Google
On the other side of the world, the Chinese government continues to make censorship demands on Google, and Google finally conceded. As stated by Google, “We currently automatically redirect everyone using Google.cn to Google.com.hk, our Hong Kong search engine. This redirect offers unfiltered search in simplified Chinese. However, it’s clear from conversations we have had with Chinese government officials that they find the redirect unacceptable—and that if we continue redirecting users our Internet Content Provider license will not be renewed. Without an ICP license, we can’t operate a commercial website like Google.cn—so Google would effectively go dark in China.”
It can be argued that Google is balancing the demands of the Chinese government and those of its customers, so the company can remain in the China market, which is poised for extreme growth and where profits are to be made. One can also argue that enterprises should draw the line and withdraw from a market when a regulation, such as one censoring free speech and communication, conflicts with core values. It’s not black and white.
Bottom line for enterprise IT: The Google and Chinese relationship minimally affects U.S. companies, except for the China-based employees of U.S. multinational companies. These employees could be affected if they use Google services, but the effect will be negligible.
Based on the developments this past week, the biggest implications are in examining how enterprises will allow access to and protect information in a world where governments impose censorship and other forms of Internet control.