Attack model: where e-procurement is mostly abused and how it is dealt with



    I continue to talk about how electronic trading, and procurement in general, is organized in our beautiful country.

    Today, let's talk not about theft (that has already been covered here), but about other inventive violations.

    First, you need to understand what each participant wants:

    • Suppliers want to sell their goods. The higher the price the better, but failing that, at least at a price that lets them make money.
    • Government customers under 44-FZ want to buy what they actually need, not what can be sold to them through a creative reading of the technical specification (TK). And they want to stay out of jail.
    • Corporate customers under 223-FZ want to demonstrate efficiency by pushing prices below the market average (we see an average reduction of about 15%, but some purchases reach 30%).

    These conflicting interests spawn a series of attacks by the participants on each other. Let's look at some of them.

    Fraud with the initial price


    In general, the customer must set the starting price for the auction (in fact it is a reduction, since the price goes down, but it is called an auction). The customer's efficiency as a purchaser depends on how far the suppliers lower this price. In an ideal world, the customer's task is, on the one hand, to attract as many participants as possible and, on the other, to insure against unscrupulous suppliers. The more rigidly the TK or the requirements are formulated, the fewer participants there will be. The looser the requirements for participants, the higher the risk that someone not very reliable wins the procurement procedure without being able to fulfill the contract.

    The violation is this: since efficiency is measured as the reduction from the initial price to the final (contract) price, the purchaser may inflate the starting price. For this the purchaser can be punished.

    Some customers resort to design estimates following the example of 44-FZ: they look at the price they paid a year ago. But mostly they use market monitoring, which is a non-binding procedure.

    If you set the price higher, complaints about overpricing will follow: participants will contact the FAS, because overstating the initial price is an instrument of corruption. If someone inflates the price, the suppliers make their standard reduction, but the result is the real price plus a delta for the “kickback”. Therefore, initial prices are closely monitored.

    This example shows how logically the ecosystem works (or should work), and that this requires mechanisms that are far from obvious at first glance.

    Collusion


    Until recently, government procurement was supervised by the Ministry of Economic Development. As they say, the ministry did not cope with the task of effectively reforming the procurement sphere. For example, the government's order to move public procurement fully to electronic form took four years to carry out. As a result, the Ministry of Finance now handles everything. The Federal Treasury is responsible for the ENI. The FAS watches over correctness; it is the service that we, as a platform, are in contact with most often. Everyone complains about everyone else: suppliers about the customer, the customer about suppliers, and all these complaints are handled by the FAS.

    The cases there vary widely: from discriminatory conditions to cartel collusion.

    Cartel collusion is when participants quickly look around, realize that the five companies in the competition are all from the same market, and agree to hold a certain price and not go below it. The arrangements vary; it can even be five affiliated companies with one founder (through a complex chain of control). Naturally, this is forbidden, so information security in, say, the construction market has a number of features aimed at destroying all records as fast as possible in the event of a “mask show” (a raid by masked law enforcement officers).

    The ecosystem's protection is openness: if a sixth and a seventh company join, it becomes harder for the participants to reach an agreement. Or the seventh company, having figured out the others' scheme, can file a complaint.

    Discriminatory conditions are the opposite story: the TK is written not to achieve a result but to cut off unwanted participants, so that only the right one reaches the final.

    "Sharpening" technical specifications


    On the one hand, a diligent customer wants to vet the supplier and describe the criteria for the result precisely. On the other hand, an unscrupulous one may want one particular supplier to win.

    By law, the latter is prohibited. The FAS will come and punish everyone thoroughly.

    For example, specific brands cannot be named, so an important part of drafting the TK is a consultation with a lawyer to check that everything is correct. At the dawn of bidding in 2012, there was a well-known tale about a TK for the purchase of a car: any car could be offered, but the requirements included a round emblem divided into four sectors, two blue and two gray.

    In practice, the customer now often goes to a trusted supplier and asks them to write the TK; the supplier (if not stupid) writes it around themselves; then the customer changes some of the points, checks with a lawyer and publishes. It all comes out correct.

    I must say that the customer cannot always formulate the TK correctly on its own. For example, there was a competition for A4 postcards. The line of thought was: "A4 is the format obtained by folding A2 in half." It is logical: divide 4 by 2 and you get 2. It was then explained to them that there is also A3.

    The requirements may overstate the equipment that must be available (for example, when builders need 10 excavators on the balance sheet to carry out the work), staff experience, and licenses. We regularly see competitions that require electrical licenses almost at the level of power-line work for screwing in light bulbs. Participants who spot such a discrepancy can complain to the FAS, which will bring the competition into order.

    Disruption of procedures


    Sometimes people try to disrupt the bidding deliberately. For example, by sending in a kamikaze company that drives the auction price down to the limit, so that the other participants have nothing to counter with. By the time the contract is to be signed, the company will already have been merged away or absorbed at a stall near the metro, and then the customer must either sign with the second participant or run the procedure again. There are many beneficiaries.

    Another way to disrupt a purchase is to launch a DoS or DDoS attack on the electronic platform. In these attacks, the attackers flood the trading system and the platform's website with so many requests from different IP addresses that the servers become inaccessible to users. Systems hang, and bidders cannot submit their bids or price offers.

    The funny thing is that we can't actually deploy standard DDoS protection, because by law we are responsible for every transaction: we must let every user onto the platform, and any transaction cut off by accident would be against the law. Therefore, we have to develop our own methods of protection. We will cover this separately later as well.

    A selection of special cases


    And finally, here are a few cases that are well known in our field; almost all of them have become tales.

    The same company kept coming to the same federal customer and dragging the auction price down. The company was then rejected for violations in its documentation, but it had driven the bidding to such a low price that even the second participant, who would have had a chance to conclude the contract once the first was thrown out, refused that chance. And the state customer was left with money but without a supplier, and under the threat of disrupting an important federal project. The kamikaze wanted only one thing: to extract money for "not disrupting" the procurement procedure.

    Another popular trend is professional complainers. Not those who really stand up for competition in their industry, the purity of the purchasing ecosystem and so on, but outright fraudsters. Such complainants disrupt procedures not during the auction, but at the stage when the notice of the procedure is published. On the sidelines, I heard that even the regional divisions of the FAS are afraid of them, because these brazen people write a huge number of threatening letters to both customers and suppliers. In letters to customers they write that they have found irregularities in the documentation and demand certain actions; they intimidate suppliers in other ways; and they file complaints about both with the FAS itself. And the purchase is canceled or dramatically delayed.

    So remember: openness kills almost all abuses. That is, in particular, why we are here on Habr.
