77 Comments
Jan 5, 2021 · Liked by Matt Stoller

First, great read. Not only did you manage to consolidate most of the decent reporting on this matter (you should also know about the Bloomberg Article and the Bloomberg Opinion Piece published recently: https://www.bloomberg.com/news/articles/2020-12-21/solarwinds-adviser-warned-of-lax-security-years-before-hack https://www.bloomberg.com/opinion/articles/2020-12-21/solarwinds-hack-biden-must-act-after-suspected-russian-cyberattack); you also managed to finally start to get at the fact that this fiasco is the result of very, very, very poor corporate governance.

So, please, consider starting to point to the fact that if our current oversight and regulatory controls had operated correctly, at least shareholders would have been alerted to the fact that there were enterprise risk management problems at SolarWinds in February of 2020, which is the date of the latest audited financial statements published by the company. PwC signed the opinion, which is unqualified with respect to information system security risk that we now know pervaded the company. And, since we know that the company engaged in very poor information system security risk management practices, PwC should have known about the problem before it issued its last two opinions on the company's financial position and results of operations.

What I am getting at is that I really appreciate folks like you who report on these matters, but I really wish you would start to point fingers at the Elites who sit in fancy offices of audit/assurance/consulting firms, and who make decisions to give people like Orlando Bravo a pass on a daily basis.

Our public company oversight processes are at best corrupt, and we really need someone like you, someone who can write engagingly, and who can tell a story coherently, to always make sure that he includes the entire cast of enablers who help people like Orlando Bravo to accomplish his crimes. And I use the word "crimes" intentionally, because my understanding of the Sarbanes-Oxley Act of 2002 leads me to believe that if Mr. Bravo was aware of the bad management practices of the man he had running that company, he is equally accountable as the CEO and CFO, and should be prosecuted.

We have to start to treat white collar criminals just like we do their drug-cartel counterparts. Corruption is corruption, and always should be treated as a crime that eventually leads to death and destruction for countless numbers of people. To accomplish that, we have to reform the way our systems of oversight function. Holding the public accounting firms responsible for audits of public companies is one way to start us down that road.

Thanks for the article. Thanks for caring about these things. Those of us who work in the field of information system security compliance, enterprise risk management, and business continuity planning need people like you to help us move the needle towards good corporate governance. Much appreciated.


Matt, one of your best, if not the best, newsletter so far. Great read. Private equity looks scarier than ever now.

Jan 5, 2021 · Liked by Matt Stoller

Insider trading is widespread common practice. Only the little guy suckers and outsiders (like Martha Stewart) get caught.

It’s time for western countries to each form their own national software agency focusing on providing software for the nation’s critical entities. For-profit software companies can never be trusted to protect a nation.

Also, how many disasters does it take before we hold software engineers and software firms to the same standards and accountability as engineers in other fields like civil and aeronautics engineering?


This was a very good read.

Jan 4, 2021 · Liked by Matt Stoller

Matt, you are right on regarding security at PE-owned companies. As a cybersecurity consultant who has done security assessments for many large organizations, the PE-owned companies' security programs are cut to the bone. Functions like cybersecurity and contingency/disaster recovery planning aren't needed to "keep the lights on." So big companies (including food companies) that are PE-owned are hanging by a thread. If anything bad happens (a hack or a natural disaster), the customers are holding the bag.

Jan 3, 2021 · Liked by Matt Stoller

RSR Research (research consultancy covering business drivers influencing retailers' software purchases) has a couple of interesting posts on private equity* and vulture capitalism around recent retailer failures in the UK and US.

(*And asset stripping entrepreneurs acquiring companies with their own assets and then performing dividend recapitalization. See "Damaged Goods" by Oliver Shah and related business biographies).

Jan 3, 2021 · Liked by Matt Stoller

Thanks for your work. Regarding Mr. Thompson and "intelligence," we may need a new word. Any malformed mind can focus on a gnat's eyeball, "profit," and show some level of registering "brain" wave.

Jan 3, 2021 · Liked by Matt Stoller

Amazing newsletter Matt, congratulations!


Excellent post, Matt. The massive incompetence of Solarwinds is just stunning, if not unexpected.

However, I have a bone to pick with you. As a veteran of Naked Capitalism you know the importance of providing evidence for your assertions. Please provide links to actual evidence of Russia being responsible for the Solarwinds hack. As far as I can tell, there is none, other than the statements of "anonymous intelligence officials familiar with the situation" and the Mighty Wurlitzer that is the mainstream media.

Hope it's a healthy and safe 2021 for you and yours.

John Zelnicker


Hey Matt.

Thanks for another very well researched and highly informative article, I hope I’m not repeating something anyone else has already said as I haven’t read the other comments.

This is obviously a piece about monopolization and not so much about geopolitics, but 5 times you claim the hack was perpetrated by Russian hackers, not suspected Russian hackers and not a suspected nation state or sophisticated hacking group - all of which are very possible unless you have seen evidence that no publication has printed so far... if so, please share.

I’m not suggesting a Russian government unit/department/team didn’t or couldn’t do the hack, I’m just not clear on why you wrote it 5 times in the affirmative when every report you linked either dances around it - Reuters, or provides zero evidence WSJ & NYT, while introducing the suspicion in headline/sub, before going on to say it in the affirmative later in the report in contemporary cynical msm fashion.

You exhaustively research the monopolization elements, and show great skepticism of the FT view on corporate behavior, but accept the NYT's & WSJ's lazy affirmations of guilt with no deterministic evidence. In fact, in all reports I've read people keep saying it's too early to tell how big, what was taken, when it started, if it's still going and how good they were at covering their tracks etc. etc. Yet they are 100% sure it's the Russians, but we can't tell you how we know -

I just thought this was a bit weird from a writer as diligent as yourself and had to make this comment.

All the best and keep up the great work.

DP


This was so well articulated and spot on. Having worked in software, I have seen these acquisitions happen over and over and it's always the same formula. Some startups go right from venture capital financing to being acquired and rolled up by PE. Thoma and Vista may be the two most well known for this, but there are more players that have entered the space - look at the portfolios of TPG, SGE, Accel-KKR. It's actually a real challenge avoiding PE-owned software these days. They have their hands in almost every category, from devops automation, municipal financial management, electronic medical records, hospital software, healthcare billing and communications. These are thousands of points of failure, one glitchy oversight from doing damage like the SolarWinds hack, but in many other facets of our lives.


True on the PE model for software companies. This model was originated by CA Technologies (now a division of Broadcom). They figured out that you could acquire a well installed but legacy software company, cut everything to increase profits and then just milk the install base. As you mention, even if a large enterprise understands that their software vendor is doing the above (and often they don't for some time) it is going to take them a decade to migrate to something else. The novel piece of this model is that there is nothing customers can do to stop them from doing it forever. Even if you figure out what CA and the PE firms are doing and migrate off of all their products, swear to never do business with them again... they just turn around with the money they squeezed out of you and acquire some new company whose software you use and the cycle starts over.


Matt,

You are doing a great job exposing topics I have not seen elsewhere. These items are off the page of media entities. And when a topic is covered in media, your analysis is always providing a real story below the story.

Just on the comment of PwC below. PwC does not actually do the work they say they do. They get paid, and then basically sign off on what the company wants. This is the same way their auditing firm works. Any audit by any of these major firms is worse than useless. And to the commenter's point below, it's unlikely PwC really knows that much about security. These firms are filled with people that fake their background and pretend to have capabilities they don't. Even if they do hire people with qualifications, they mute them. So they waste the people that they do have because the senior people run those organizations with an iron fist, all directed towards profit maximization.


Hey Matt, the enterprise content management (ECM) software space is characterized by high switching costs and (aside from newer startups) low innovation. No surprise then that Thoma Bravo is one of the more aggressive acquirers of ECM companies.

In 2007, Thoma Bravo bought a majority stake in Hyland Software, once an innovative business owned by the Hyland family with strong roots in the Cleveland area. Since then Hyland has been buying up competitors like crazy (see https://en.wikipedia.org/wiki/Hyland_Software#Acquisition_History), and wreaking its havoc (aka its standard operating procedure) on employees (e.g. https://www.clevescene.com/scene-and-heard/archives/2021/01/28/westlake-based-hyland-software-lays-off-nearly-150-employees-outsourcing-jobs-to-india-poland).

In October 2020, Hyland acquired Alfresco, the largest open source ECM company, and today announced the acquisition of Nuxeo, probably the #2 open source ECM vendor. Prior to being acquired, I regarded Alfresco and Nuxeo as two of the most innovative companies in ECM. Sorry to see them both go. I hope employees run and don't walk.


Shopify. Really obnoxious biz strategy.

(I was going to use ruder words but ...)

Simple story. I ordered a Leonardo print back in November from a small outfit here in England. The guy sells on Amazon but also sells his own stuff directly - now utilizing Shopify.

I wanted to track the delivery, which was through Royal Mail as I recollect. The print guy sent me a link which didn't take me to Royal Mail but to Shopify. (Shopify does the back office stuff, right?) Shopify demanded that I download and install the Shopify app if I wanted to know where my print had got to.

Needless to say I refused. The print guy told me he was unable to help because Shopify 'veiled' the Royal Mail tracker from him too.

Nasty way to get Shopify's eyes, ears and grubby fingers on people's phones. Mafia tactics to muscle into 'virgin' territory.

Happy end to the story. Royal Mail delivered the Leonardo print (Vitruvian Man). Shopify can go and do something to themselves.


Wow. I’m a cyber security consultant and this needed to be said! 100% well done and accurate.
