They did not play close attention to security (Passwords from movies, seriously), our-sourced work into Eastern Europe, where the FSB† could recruit operatives in a day trip.
Roughly a month ago, the premier cybersecurity firm FireEye warned authorities that it had been penetrated by Russian hackers, who made off with critical tools it used to secure the facilities of corporations and governments around the world.
The victims are the most important institutional power centers in America, from the FBI to the Department of Treasury to the Department of Commerce, as well as private sector giants Cisco Systems, Intel, Nvidia, accounting giant Deloitte, California hospitals, and thousands of others. As more information comes out about what happened, the situation looks worse and worse. Russians got access to Microsoft’s source code and into the Federal agency overseeing America’s nuclear stockpile. They may have inserted code into the American electrical grid, or acquired sensitive tax information or important technical and political secrets.
And that makes this hack quite scary, even if we don’t see the effect right now. Mark Warner, one of the smarter Democratic Senators and the top Democrat on the Intelligence Committee, said “This is looking much, much worse than I first feared,” also noting “The size of it keeps expanding.” Political leaders are considering reprisals against Russia, though it’s likely they will not engage in much retaliation we can see on the surface. It’s the biggest hack since 2016, when an unidentified group stole the National Security Agency’s “crown jewels” spy tools. It is, as Wired put it, a “historic mess.”
The most interesting part of the cybersecurity problem is that it isn’t purely about government capacity at all; private sector corporations maintain critical infrastructure that is in the “battle space.” Private firms like Microsoft are being heavily scrutinized; I had one guest-post from last January on why the firm doesn’t manage its security problems particularly well, and another on how it is using its market power to monopolize the cybersecurity market with subpar products. And yet these companies have no actual public obligations, or at least, nothing formal. They are for-profit entities with little liability for the choices they make that might impose costs onto others.
All of which brings me to what I think is the most compelling part of this story. The point of entry for this major hack was not Microsoft, but a private equity-owned IT software firm called SolarWinds. This company’s products are dominant in their niche; 425 out of the Fortune 500 use SolarWinds. As Reuters reported about the last investor call in October, the CEO told analysts that “there was not a database or an IT deployment model out there to which [they] did not provide some level of monitoring or management.” While there is competition in this market, SolarWinds does have market power. IT systems are hard to migrate from, and this lock-in effect means that customers will tolerate price hikes or quality degradation rather than change providers. And it does have a large market share; as the CEO put it, “We manage everyone’s network gear.”
SolarWinds sells a network management package called Orion, and it was through Orion that the Russians invaded these systems, putting malware into updates that the company sent to clients. Now, Russian hackers are extremely sophisticated sleuths, but it didn’t take a genius to hack this company. It’s not just that criminals traded information about how to hack SolarWinds systems; one security researcher alerted the company last year that “anyone could access SolarWinds’ update server by using the password “solarwinds123.’”
Using passwords ripped form the movie Spaceballs is one thing, but it appears that lax security practice at the company was common, systemic, and longstanding. The company puts its engineering in the hands of cheaper Eastern Europe coders, where it’s easier for Russian engineers to penetrate their product development. SolarWinds didn’t bother to hire a senior official to focus on security until 2017, and then only after it was forced to do so by European regulations. Even then, SolarWinds CEO, Kevin Thompson, ignored the risk. As the New York Times noted, one security “adviser at SolarWinds, said he warned management that year that unless it took a more proactive approach to its internal security, a cybersecurity episode would be “catastrophic.” The executive in charge of security quit in frustration. Even after the hack, the company continued screwing up; SolarWinds didn’t even stop offering compromised software for several days after it was discovered.
And yet, not every software firm operates like SolarWinds. Most seek to make money, but few do so with such a combination of malevolence, greed, and idiocy. What makes SolarWinds different? The answer is the specific financial model that has invaded the software industry over the last fifteen years, a particularly virulent strain of recklessness typically called private equity.
In October, the Wall Street Journal profiled the man who owns SolarWinds, a Puerto Rican-born billionaire named Orlando Bravo of Thoma Bravo partners. Bravo’s PR game is solid; he was photographed beautifully, a slightly greying fit man with a blue shirt and off-white rugged pants in front of modern art, a giant vase and fireplace in the background of what is obviously a fantastically expensive apartment. Though it was mostly a puff piece of a silver fox billionaire, the article did describe Bravo’s business model.
As I put it at the time, Bravo’s business model is to buy niche software companies, combine them with competitors, offshore work, cut any cost he can, and raise prices. The investment thesis is clear: power. Software companies have immense pricing power over their customers, which means they can raise prices to locked-in customers, or degrade quality (which is the same thing in terms of the economics of the firm). As Robert Smith, one of his competitors in the software PE game, put it, “Software contracts are better than first-lien debt. You realize a company will not pay the interest payment on their first lien until after they pay their software maintenance or subscription fee. We get paid our money first. Who has the better credit? He can’t run his business without our software.”
Did this acquisition spree and corporate strategy work? Well that depends on your point of view; it certainly increased accounting profits. From a different perspective, however, the answer is no. Accounting profits masked that the corporate strategy was shifting risk such that the firm enabled a hack of the FBI and U.S. nuclear facilities. And from the user and employee perspective, the strategy was also problematic. It’s a little hard to tell, but if you look at software feedback comment forums, you’ll find a good number of IT pros dislike SolarWinds, seeing the firm as a financial project based on cobbling together random products from an endless set of acquisitions. (If you are at SolarWinds or another Thoma Bravo company, or use their products, send me a note on your experiences.)
It’s not clear to me that Bravo is liable for any of the damage that he caused, but he did make one mistake. Bravo got caught engaging in what very much looks like insider trading surrounding the hack. Here’s the Financial Times on what happened:
Private equity investors sold a $315m stake in SolarWinds to one of their own longstanding financial backers shortly before the US issued an emergency warning over a “nation-state” hack of one of the software company’s products.
The transaction reduced the exposure of Silver Lake and Thoma Bravo to the stricken software company days before its share price fell as vulnerabilities were discovered in a product that is used by multiple federal agencies and almost all Fortune 500 companies.
But the trade could prove embarrassing for Menlo Park-based Silver Lake and its rival Thoma Bravo, which rank among the biggest technology-focused private equity firms in the world.
In this case, however, possible insider trading really isn’t the problem. Though I hate the phrase, the real scandal isn’t what’s illegal, it’s what is legal. Bravo degraded the quality of software, which usually just means that people have to deal with stuff that doesn’t work very well, but in this case enabled a weird increase in geopolitical tensions and an espionage victory for a foreign adversary. It’s yet another example of what national security specialist Lucas Kunce notes is the mass transformation of other people’s risk into profit, all to the detriment of American society.
There are many ways to see this massive hack. It’s a geopolitical problem, a question of cybersecurity policy, and a legally ambiguous aggressive act by a foreign power. But in some ways it’s not that complex; the problem isn’t that Russians are good at hacking and U.S. defenses are weak, it’s that financiers in America make more money by sabotaging key infrastructure than by building it.
And they are celebrated for it. If Western nations had coherent political systems, the men responsible for this mess would be dragged in front of legislative committees and grilled over the business practices putting all of us at risk. Instead, five days ago, Pitchbook just gave out their Private Equity Awards, and named their “dealmaker of the year.”
Yes, it was Orlando Bravo.
We need to change the laws to hold these guys accountable.
As it currently stands, they borrow money, and then loot the companies, and then retreat behind the bulwark of the bankruptcy courts to avoid any responsibility for what they have done.