{"id":175644,"date":"2021-01-03T19:14:00","date_gmt":"2021-01-04T00:14:00","guid":{"rendered":"https:\/\/www.panix.com\/~msaroff\/40years\/2021\/01\/03\/good-point\/"},"modified":"2021-01-03T19:14:00","modified_gmt":"2021-01-04T00:14:00","slug":"good-point","status":"publish","type":"post","link":"https:\/\/www.panix.com\/~msaroff\/40years\/2021\/01\/03\/good-point\/","title":{"rendered":"Good Point"},"content":{"rendered":"<p>  <a href=\"https:\/\/i.imgur.com\/FV2KQwb.png\"><img decoding=\"async\" src=\"https:\/\/i.imgur.com\/FV2KQwb.png\" style=\"cursor: pointer; float: right; margin: 0px 0px 10px 10px;\" width=\"200\" \/><\/a>Matt Stoller makes a very good point, that the penetration of &#8220;premier&#8221;   cybersecurity firm SolarWinds by hackers,<sup>*<\/sup> was a   <a href=\"https:\/\/mattstoller.substack.com\/p\/how-to-get-rich-sabotaging-nuclear\">    direct consequence of the private equity looting ethos<\/a>. <\/p>\n<p>  They did not pay close attention to security (passwords from movies,   seriously), and outsourced work into Eastern Europe, where the FSB<sup>\u2020<\/sup>  could recruit operatives in a day trip. <\/p>\n<p>  Security, you see, is not profitable, even if you are a cyber security firm: <\/p>\n<\/p>\n<blockquote><p>  <span style=\"color: #2b00fe;\">Roughly a month ago, the premier cybersecurity firm FireEye warned     authorities that it had been     <a href=\"https:\/\/www.nytimes.com\/2020\/12\/08\/technology\/fireeye-hacked-russians.html\">penetrated<\/a>    by Russian hackers, who made off with critical tools it used to secure the     facilities of corporations and governments around the world. 
<\/p>\n<p>The     victims are the most important institutional power centers in America,     <a href=\"https:\/\/www.wsj.com\/articles\/senators-press-irs-for-solarwinds-hack-briefing-11608220822?mod=article_inline\">from<\/a>    the FBI to the Department of Treasury to the Department of Commerce, as well     as private sector giants Cisco Systems, Intel, Nvidia, accounting giant     Deloitte, California hospitals, and thousands of others. As more information     comes out about what happened, the situation looks worse and worse. Russians     got access to Microsoft\u2019s     <a href=\"https:\/\/www.wsj.com\/articles\/microsoft-hacked-in-russia-linked-solarwinds-cyberattack-11609437601?mod=hp_lead_pos5\">source code<\/a>    and into the Federal agency overseeing America\u2019s nuclear stockpile. They may     have     <a href=\"https:\/\/www.nytimes.com\/2021\/01\/02\/us\/politics\/russian-hacking-government.html\">inserted<\/a>    code into the American electrical grid, or acquired sensitive tax     information or important technical and political secrets.<\/p>\n<p>\u2026\u2026\u2026<\/p>\n<p>And     that makes this hack quite scary, even if we don\u2019t see the effect right now.     Mark Warner, one of the smarter Democratic Senators and the top Democrat on     the Intelligence Committee, said \u201cThis is looking much, much worse than I     first feared,\u201d also noting \u201cThe size of it keeps expanding.\u201d Political     leaders are considering reprisals against Russia, though it\u2019s likely they     will not engage in much retaliation we can see on the surface. It\u2019s the     biggest hack since 2016, when an unidentified group     <a href=\"https:\/\/www.nytimes.com\/2017\/11\/12\/us\/nsa-shadow-brokers.html\">stole<\/a>    the National Security Agency\u2019s \u201ccrown jewels\u201d spy tools. 
It is, as Wired     <a href=\"https:\/\/www.wired.com\/story\/russia-solarwinds-hack-roundup\/\">put<\/a>    it, a \u201chistoric mess.\u201d<\/p>\n<p>\u2026\u2026\u2026. <\/p>\n<p>The most interesting part     of the cybersecurity problem is that it isn\u2019t purely about government     capacity at all; private sector corporations maintain critical     infrastructure that is in the \u201cbattle space.\u201d Private firms like Microsoft     are being heavily scrutinized; I had one guest-post from last January on why     the firm doesn\u2019t     <a href=\"https:\/\/mattstoller.substack.com\/p\/does-microsoft-have-a-boeing-737\">manage its security<\/a>    problems particularly well, and     <a href=\"https:\/\/mattstoller.substack.com\/p\/the-week-big-tech-lost-power\">another on how it<\/a>    is using its market power to monopolize the cybersecurity market with subpar     products. And yet these companies have no actual public obligations, or at     least, nothing formal. They are for-profit entities with little liability     for the choices they make that might impose costs onto others.     <\/p>\n<p>\u2026\u2026\u2026<\/p>\n<p>All of which brings me to what I think is the     most compelling part of this story. The point of entry for this major hack     was not Microsoft, but a private equity-owned IT software firm called     SolarWinds. This company\u2019s products are dominant in their niche; 425 out of     the Fortune 500     <a href=\"https:\/\/www.newsweek.com\/solarwinds-orion-software-cyberattack-hack-victims-targets-list-1555840\">use<\/a>    SolarWinds. 
As Reuters     <a href=\"https:\/\/www.reuters.com\/article\/global-cyber-solarwinds\/hackers-used-solarwinds-dominance-against-it-in-sprawling-spy-campaign-idUSKBN28Q07P\">reported<\/a>    about the last investor call in October, the CEO told analysts that \u201cthere     was not a database or an IT deployment model out there to which [they] did     not provide some level of monitoring or management.\u201d While there is     competition in this market, SolarWinds does have market power. IT systems     are hard to migrate from, and this lock-in effect means that customers will     tolerate price hikes or quality degradation rather than change providers.     And it does have a large market share; as the CEO put it, \u201cWe manage     everyone\u2019s network gear.\u201d<\/p>\n<p>SolarWinds sells a network management     package called Orion, and it was through Orion that the Russians invaded     these systems, putting malware into updates that the company sent to     clients. Now, Russian hackers are extremely sophisticated sleuths, but it     didn\u2019t     <a href=\"https:\/\/www.reuters.com\/article\/global-cyber-solarwinds\/hackers-used-solarwinds-dominance-against-it-in-sprawling-spy-campaign-idUSKBN28Q07P\">take a genius<\/a>    to hack this company. It\u2019s not just that criminals traded information about     how to hack SolarWinds systems; one security researcher alerted the company     last year that \u201c<b><span style=\"font-size: 100%; font-variant: small-caps;\">anyone could access SolarWinds\u2019 update server by using the     password \u201csolarwinds123<\/span><\/b>.\u2019\u201d <\/p>\n<p>Using passwords ripped from the movie     <a href=\"https:\/\/www.youtube.com\/watch?v=_JNGI1dI-e8\">Spaceballs<\/a> is one     thing, but it appears that lax security practice at the company was common,     systemic, and longstanding. 
The company puts its engineering in the hands of     cheaper Eastern Europe coders, where it\u2019s easier for Russian engineers to     penetrate their product development. SolarWinds didn\u2019t bother to hire a     senior official to focus on security until 2017, and then only after it was     forced to do so by European regulations. Even then, SolarWinds CEO, Kevin     Thompson, ignored the risk. As the New York Times     <a href=\"https:\/\/www.nytimes.com\/2021\/01\/02\/us\/politics\/russian-hacking-government.html\">noted<\/a>, one security \u201cadviser at SolarWinds, said he warned management that year     that unless it took a more proactive approach to its internal security, a     cybersecurity episode would be \u201ccatastrophic.\u201d The executive in charge of     security quit in frustration. Even after the hack, the company continued     screwing up; SolarWinds didn\u2019t even stop offering compromised software for     several days after it was discovered. <\/p>\n<p>\u2026\u2026\u2026 <\/p>\n<p>And yet,     not every software firm operates like SolarWinds. Most seek to make money,     but few do so with such a combination of malevolence, greed, and idiocy.     What makes SolarWinds different? The answer is the specific financial model     that has invaded the software industry over the last fifteen years, a     particularly virulent strain of recklessness typically called private     equity.<\/p>\n<p>\u2026\u2026\u2026<\/p>\n<p>In October, the Wall Street     Journal     <a href=\"https:\/\/www.wsj.com\/articles\/orlando-bravo-rides-software-deals-to-heights-of-private-equity-industry-11600767001\">profiled<\/a>    the man who owns SolarWinds, a Puerto Rican-born billionaire named Orlando     Bravo of Thoma Bravo partners. 
Bravo\u2019s PR game is solid; he was photographed     beautifully, a slightly greying fit man with a blue shirt and off-white     rugged pants in front of modern art, a giant vase and fireplace in the     background of what is obviously a fantastically expensive apartment. Though     it was mostly a puff piece of a silver fox billionaire, the article did     describe Bravo\u2019s business model.<\/p>\n<p>\u2026\u2026\u2026<\/p>\n<p>As I put it at     <a href=\"https:\/\/mattstoller.substack.com\/p\/how-would-president-biden-approach\">the<\/a>    time, Bravo\u2019s business model is to buy niche software companies, combine     them with competitors, offshore work, cut any cost he can, and raise prices.     The investment thesis is clear: power. Software companies have immense     pricing power over their customers, which means they can raise prices to     locked-in customers, or degrade quality (which is the same thing in terms of     the economics of the firm). As Robert Smith, one of his competitors in the     software PE game, put it, \u201cSoftware contracts are better than first-lien     debt. You realize a company will not pay the interest payment on their first     lien until after they pay their software maintenance or subscription fee. We     get paid our money first. Who has the better credit? He can\u2019t run his     business without our software.\u201d<\/p>\n<p>\u2026\u2026\u2026<\/p>\n<p>Did this acquisition spree and corporate strategy     work? Well that depends on your point of view; it certainly increased     accounting profits. From a different perspective, however, the answer is no.     Accounting profits masked that the corporate strategy was shifting risk such     that the firm enabled a hack of the FBI and U.S. nuclear facilities. And     from the user and employee perspective, the strategy was also problematic.     
It\u2019s a little hard to tell, but if you look at software feedback comment     forums, you\u2019ll find a good number of IT pros     <a href=\"https:\/\/thwack.solarwinds.com\/t5\/NPM-Discussions\/Terrible-support-terrible-product\/m-p\/182052\">dislike<\/a>    SolarWinds, seeing the firm as a financial project based on cobbling     together random products from an endless set of acquisitions. (If you are at     SolarWinds or another Thoma Bravo company, or use their products, send me a     note on your experiences.) <\/p>\n<p>\u2026\u2026\u2026 <\/p>\n<p>It\u2019s     not clear to me that Bravo is liable for any of the damage that he caused,     but he did make one mistake. Bravo got caught engaging in what very much     looks like insider trading surrounding the hack. Here\u2019s the     <a href=\"https:\/\/www.ft.com\/content\/d98cd68d-774b-41a6-838f-06a15cf3343d\">Financial Times<\/a>    on what happened:<\/p>\n<blockquote><p>Private equity investors sold a $315m     stake in SolarWinds to one of their own longstanding financial backers     shortly before the US issued an emergency warning over a \u201cnation-state\u201d hack     of one of the software company\u2019s products. <\/p>\n<p>The transaction     reduced the exposure of Silver Lake and Thoma Bravo to the stricken software     company days before its share price fell as vulnerabilities were discovered     in a product that is used by multiple federal agencies and almost all     Fortune 500 companies. <\/p>\n<p>But the trade could prove embarrassing     for Menlo Park-based Silver Lake and its rival Thoma Bravo, which rank among     the biggest technology-focused private equity firms in the world.     <\/p><\/blockquote>\n<p>\u2026\u2026\u2026<\/p>\n<p>In this case, however, possible insider trading     really isn\u2019t the problem. Though I hate the phrase, the real scandal isn\u2019t     what\u2019s illegal, it\u2019s what is legal. 
Bravo degraded the quality of software,     which usually just means that people have to deal with stuff that doesn\u2019t     work very well, but in this case enabled a weird increase in geopolitical     tensions and an espionage victory for a foreign adversary. It\u2019s yet another     example of what national security specialist Lucas Kunce     <a href=\"https:\/\/prospect.org\/economy\/the-china-hack-and-how-to-reverse-it\/\">notes<\/a>    is the mass transformation of other people\u2019s risk into profit, all to the     detriment of American society.<\/p>\n<p>\u2026\u2026\u2026<\/p>\n<p>There     are many ways to see this massive hack. It\u2019s a geopolitical problem, a     question of cybersecurity policy, and a legally ambiguous aggressive act by     a foreign power. But in some ways it\u2019s not that complex; the problem isn\u2019t     that Russians are good at hacking and U.S. defenses are weak, it\u2019s that     financiers in America make more money by sabotaging key infrastructure than     by building it.<\/p>\n<p>And they are celebrated for it. If Western     nations had coherent political systems, the men responsible for this mess     would be dragged in front of legislative committees and grilled over the     business practices putting all of us at risk. Instead, five days ago,     Pitchbook just gave out their Private Equity Awards, and     <a href=\"https:\/\/pitchbook.com\/news\/articles\/2020-private-equity-awards\">named<\/a>    their \u201cdealmaker of the year.\u201d <\/p>\n<p>Yes, it was Orlando Bravo.<\/span><\/p><\/blockquote>\n<p>We need to change the laws to hold these guys accountable. 
<\/p>\n<p>  As it currently stands, they borrow money, and then loot the companies, and then retreat behind the bulwark of the bankruptcy courts to avoid any responsibility for what they have done.<\/p>\n<p>  <sup>*<\/sup><span style=\"font-size: xx-small;\">According to &#8220;Knowledgeable Sources&#8221;, Russia, but no one is willing to go     on the record, so YMMV.<\/span><br \/>  <sup>\u2020<\/sup><span style=\"font-size: xx-small;\">Again, no one is willing to go on the record as to whether this was the     FSB, or the GRU, or maybe it was the fault of those damn Eskimos<\/span>.<sup>\u2021<\/sup><br \/>  <sup>\u2021<\/sup><span style=\"font-size: xx-small;\"><i>The line is from <a href=\"https:\/\/www.imdb.com\/title\/tt0055031\/\">Judgment at Nuremberg<\/a><\/i>. It&#8217;s a great movie. Spencer Tracy, Marlene Dietrich, Burt Lancaster,     Richard Widmark, Maximilian Schell, Judy Garland, Montgomery Clift, and a     very young William Shatner. (Widmark says the line about the Eskimos.)<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Matt Stoller makes a very good point, that the penetration of &#8220;premier&#8221; cybersecurity firm SolarWinds by hackers,* was a direct consequence of the private equity looting ethos. They did not pay close attention to security (passwords from movies, seriously), and outsourced work into Eastern Europe, where the FSB\u2020 could recruit operatives in a day trip. 
Security, &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[],"tags":[365,368,364,588,575,578,541,533],"class_list":["post-175644","post","type-post","status-publish","format-standard","hentry","tag-business","tag-corruption","tag-evil","tag-fail","tag-fraud","tag-incompetence","tag-security","tag-software"],"_links":{"self":[{"href":"https:\/\/www.panix.com\/~msaroff\/40years\/wp-json\/wp\/v2\/posts\/175644"}],"collection":[{"href":"https:\/\/www.panix.com\/~msaroff\/40years\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.panix.com\/~msaroff\/40years\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.panix.com\/~msaroff\/40years\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.panix.com\/~msaroff\/40years\/wp-json\/wp\/v2\/comments?post=175644"}],"version-history":[{"count":0,"href":"https:\/\/www.panix.com\/~msaroff\/40years\/wp-json\/wp\/v2\/posts\/175644\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.panix.com\/~msaroff\/40years\/wp-json\/wp\/v2\/media?parent=175644"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.panix.com\/~msaroff\/40years\/wp-json\/wp\/v2\/categories?post=175644"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.panix.com\/~msaroff\/40years\/wp-json\/wp\/v2\/tags?post=175644"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}