How to Get Rich Sabotaging Nuclear Weapons Facilities
Private equity monopolist Orlando Bravo made billions by putting our whole society at risk.
Welcome to BIG, a newsletter about the politics of monopoly and finance. If you’d like to sign up, you can do so here. Or just read on…
Happy new year. Today I’m going to write about the Russian hack of American nuclear facilities, and why a billionaire private equity executive just profiled in the Wall Street Journal as a dealmaker extraordinaire is responsible. Plus some short blurbs on:
The Problem with Amazon competitor Shopify
Ticketmaster’s Grotesque Settlement with the Department of Justice
Economists Non-Surprising But Important Findings about Debt-Fueled Private Equity and Covid
Big Tech and Diversity
Appliance Parts Monopolization?
Happy New Year! The password is 12345.
My Password Is “Password”
Roughly a month ago, the premier cybersecurity firm FireEye warned authorities that it had been penetrated by Russian hackers, who made off with critical tools it used to secure the facilities of corporations and governments around the world.
The victims are the most important institutional power centers in America, from the FBI to the Department of Treasury to the Department of Commerce, as well as private sector giants Cisco Systems, Intel, Nvidia, accounting giant Deloitte, California hospitals, and thousands of others. As more information comes out about what happened, the situation looks worse and worse. Russians got access to Microsoft’s source code and into the Federal agency overseeing America’s nuclear stockpile. They may have inserted code into the American electrical grid, or acquired sensitive tax information or important technical and political secrets.
Cybersecurity is a very weird area, mostly out of sight yet potentially very deadly. Anonymous groups can turn off power plants, telecom grids, or disrupt weapons labs, as Israel did when it used a cyber-weapon to cripple Iranian nuclear facilities in 2010. Bank regulators have to now consult with top military leaders about whether deposit insurance covers incidents where hackers destroy all bank records, and what that would mean operationally. It’s not obvious whether this stuff is war or run-of-the-mill espionage, but everyone knows that the next war will be chock full of new tactics based on hacking the systems of one’s adversary, perhaps using code placed in those systems during peacetime.
And that makes this hack quite scary, even if we don’t see the effect right now. Mark Warner, one of the smarter Democratic Senators and the top Democrat on the Intelligence Committee, said “This is looking much, much worse than I first feared,” also noting “The size of it keeps expanding.” Political leaders are considering reprisals against Russia, though it’s likely they will not engage in much retaliation we can see on the surface. It’s the biggest hack since 2016, when an unidentified group stole the National Security Agency’s “crown jewels” spy tools. It is, as Wired put it, a “historic mess.”
There is a lot of finger-pointing going on in D.C. and in cybersecurity circles about what happened and why. There are all of the standard questions that military and cyber lawyers love, like whether this hack is war, espionage, or something legally ambiguous. Policymakers are revisiting the longstanding policy of having the National Security Agency focus on offensive hacking instead of securing defensive capacity.
The most interesting part of the cybersecurity problem is that it isn’t purely about government capacity at all; private sector corporations maintain critical infrastructure that is in the “battle space.” Private firms like Microsoft are being heavily scrutinized; I had one guest-post from last January on why the firm doesn’t manage its security problems particularly well, and another on how it is using its market power to monopolize the cybersecurity market with subpar products. And yet these companies have no actual public obligations, or at least, nothing formal. They are for-profit entities with little liability for the choices they make that might impose costs onto others.
Indeed, cybersecurity risk is akin to pollution, a cost that the business itself doesn’t fully bear, but that the rest of society does. The private role in cybersecurity is now brushing up against the libertarian assumptions of much of the policymaking world; national security in a world where private software companies handle national defense simply cannot long co-exist with our monopoly and financier-dominated corporate apparatus.
All of which brings me to what I think is the most compelling part of this story. The point of entry for this major hack was not Microsoft, but a private equity-owned IT software firm called SolarWinds. This company’s products are dominant in their niche; 425 out of the Fortune 500 use Solar Winds. As Reuters reported about the last investor call in October, the CEO told analysts that “there was not a database or an IT deployment model out there to which [they] did not provide some level of monitoring or management.” While there is competition in this market, SolarWinds does have market power. IT systems are hard to migrate from, and this lock-in effect means that customers will tolerate price hikes or quality degradation rather than change providers. And it does have a large market share; as the CEO put it, “We manage everyone’s network gear.”
SolarWinds sells a network management package called Orion, and it was through Orion that the Russians invaded these systems, putting malware into updates that the company sent to clients. Now, Russian hackers are extremely sophisticated sleuths, but it didn’t take a genius to hack this company. It’s not just that criminals traded information about how to hack SolarWinds systems; one security researcher alerted the company last year that “anyone could access SolarWinds’ update server by using the password “solarwinds123.’”
Using passwords ripped form the movie Spaceballs is one thing, but it appears that lax security practice at the company was common, systemic, and longstanding. The company puts its engineering in the hands of cheaper Eastern Europe coders, where it’s easier for Russian engineers to penetrate their product development. SolarWinds didn’t bother to hire a senior official to focus on security until 2017, and then only after it was forced to do so by European regulations. Even then, SolarWinds CEO, Kevin Thompson, ignored the risk. As the New York Times noted, one security “adviser at SolarWinds, said he warned management that year that unless it took a more proactive approach to its internal security, a cybersecurity episode would be “catastrophic.” The executive in charge of security quit in frustration. Even after the hack, the company continued screwing up; SolarWinds didn’t even stop offering compromised software for several days after it was discovered.
This level of idiocy seems off-the-charts, but it’s not that the CEO is stupid. Far from it. “Employees say that under Mr. Thompson,” the Times continued, “an accountant by training and a former chief financial officer, every part of the business was examined for cost savings and common security practices were eschewed because of their expense.” The company’s profit tripled from 2010 to 2019. Thompson calculated that his business could run more profitably if it chose to open its clients to hacking risk, and he was right.
And yet, not every software firm operates like SolarWinds. Most seek to make money, but few do so with such a combination of malevolence, greed, and idiocy. What makes SolarWinds different? The answer is the specific financial model that has invaded the software industry over the last fifteen years, a particularly virulent strain of recklessness typically called private equity.
I’ve written a lot about private equity. By ‘private equity,’ I mean financial engineers, financiers who raise large amounts of money and borrow even more to buy firms and loot them. These kinds of private equity barons aren’t specialists who help finance useful products and services, they do cookie cutter deals targeting firms they believe have market power to raise prices, who can lay off workers or sell assets, and/or have some sort of legal loophole advantage. Often they will destroy the underlying business. The giants of the industry, from Blackstone to Apollo, are the children of 1980s junk bond king and fraudster Michael Milken. They are essentially are super-sized mobsters who burn down businesses for the insurance money.
In private equity takeovers of software, the gist is the same, with the players a bit different. It’s not Apollo and Blackstone, it’s Vista Equity Partners, Thoma Bravo, and Silver Lake, but it’s the same cookie cutter style deal flow, the same financing arrangements, and the same business model risks. But in this case, the private equity owner of SolarWinds burned down far more than just the firm.
Arson for Profit
In October, the Wall Street Journal profiled the man who owns SolarWinds, a Puerto Rican-born billionaire named Orlando Bravo of Thoma Bravo partners. Bravo’s PR game is solid; he was photographed beautifully, a slightly greying fit man with a blue shirt and off-white rugged pants in front of modern art, a giant vase and fireplace in the background of what is obviously a fantastically expensive apartment. Though it was mostly a puff piece of a silver fox billionaire, the article did describe Bravo’s business model.
Thoma Bravo identifies software companies with a loyal customer base but middling profits and transforms them into moneymaking engines by retooling pricing, shutting down unprofitable business lines and adding employees in cheaper labor markets.
The firm then guides its companies to use the profits they generate to do add-on acquisitions, snapping up smaller rivals with offerings that they could spend months and millions of dollars trying to replicate.
As I put it at the time, Bravo’s business model is to buy niche software companies, combine them with competitors, offshore work, cut any cost he can, and raise prices. The investment thesis is clear: power. Software companies have immense pricing power over their customers, which means they can raise prices to locked-in customers, or degrade quality (which is the same thing in terms of the economics of the firm). As Robert Smith, one of his competitors in the software PE game, put it, “Software contracts are better than first-lien debt. You realize a company will not pay the interest payment on their first lien until after they pay their software maintenance or subscription fee. We get paid our money first. Who has the better credit? He can’t run his business without our software.”
SolarWinds represents this thesis perfectly. The company was founded in 1999 to help companies monitor their network performance. It was profitable from the start, but it began morphing into a financial conglomerate in 2007, when it changed CEOs and raised money from original PE gangster Bain Capital to make “strategic acquisitions,” aka roll-up the software space in which it was operating. It went public two years later during the Great Recession to raise more funds. SolarWinds shaped its strategy in the aftermath of both an appeals court overturning the Microsoft break-up order, and the unanimous Supreme Court decision Trinko, which made it extremely hard to bring monopolization suits. Oracle CEO Larry Ellison characterized what the shift broadly meant, saying “We have to roll up our industry.”
After its IPO, SolarWinds followed Ellison’s advice, became a merger machine, buying a dozen companies from 2011-2014, including Pingdom, Confio and N-Able Technologies. In 2015, Thoma Bravo Partners (along with Silver Lake) bought the company, and loaded it up with $2 billion of debt to finance the purchase. (Yes, this was one of those purchases in which the private equity buyer bought the company with the company’s own money.) Under Bravo’s control, SolarWinds engaged in more mergers, buying companies who made threat monitoring software, email security, database performance monitoring, and IT support firms. SolarWinds sought to become a one-stop-shop in its niche, not particular good at quality, but with everything a customer might need. Of course, the Federal Trade Commission and the European Competition Commission allowed these deals; just a month before the hack was revealed, the FTC approved yet another acquisition by SolarWinds.
Did this acquisition spree and corporate strategy work? Well that depends on your point of view; it certainly increased accounting profits. From a different perspective, however, the answer is no. Accounting profits masked that the corporate strategy was shifting risk such that the firm enabled a hack of the FBI and U.S. nuclear facilities. And from the user and employee perspective, the strategy was also problematic. It’s a little hard to tell, but if you look at software feedback comment forums, you’ll find a good number of IT pros dislike SolarWinds, seeing the firm as a financial project based on cobbling together random products from an endless set of acquisitions. (If you are at SolarWinds or another Thoma Bravo company, or use their products, send me a note on your experiences.)
Now IT pros are a fickle bunch, but generally speaking the ornery IT security professional is someone who is frustrated because he has to deal with risk that no one else in the company sees or cares about. It’s not a coincidence that SolarWinds head of security warned of a looming catastrophe, and quit after he was ignored.
In other words, a massive hack like this was inevitable. It occurred at SolarWinds, but it could have happened in many other software firms with similar practices. Because as it turns out, Bravo software vendors make up critical supply chains across the corporate and government world. Bravo (and his competitors like Vista Equity Partners) have spread their tentacles, taking over everything from construction payroll software to auto and bank tools, to security, health IT and electronic record-keeping to the monopoly provider of mortgage data (Ellie Mae). And his reach is growing; Bravo has completed more than 40 deals this year, four worth more than $2 billion each.
These private equity-owned software firms torture professionals with bad user experiences and shitty customer support in everything from yoga studio software to car dealer IT to the nightmarish ‘core’ software that runs small banks and credit unions, as close as one gets to automating Office Space. But they also degrade product quality by firing or disrespecting good workers, under-investing in good security practices, or sending work abroad and paying badly, meaning their products are more prone to espionage. In other words, the same sloppy and corrupt practices that allowed this massive cybersecurity hack made Bravo a billionaire. In a sense, this hack, and many more like it, will continue to happen, as long as men like Bravo get rich creating security vulnerabilities for bad actors to exploit.
It’s not clear to me that Bravo is liable for any of the damage that he caused, but he did make one mistake. Bravo got caught engaging in what very much looks like insider trading surrounding the hack. Here’s the Financial Times on what happened:
Private equity investors sold a $315m stake in SolarWinds to one of their own longstanding financial backers shortly before the US issued an emergency warning over a “nation-state” hack of one of the software company’s products.
The transaction reduced the exposure of Silver Lake and Thoma Bravo to the stricken software company days before its share price fell as vulnerabilities were discovered in a product that is used by multiple federal agencies and almost all Fortune 500 companies.
But the trade could prove embarrassing for Menlo Park-based Silver Lake and its rival Thoma Bravo, which rank among the biggest technology-focused private equity firms in the world.
Bravo and Silver Lake deny they knew of the hack when they sold stock, so it may just be extreme amounts of luck, or as the FT puts it, an “embarrassing” accidental profit. Now, I’m no great wordsmith, but generally when I think of “embarrassing” I imagine things like spilling soup onto one’s tie or being told ‘you’re muted’ for the third time on a conference call as one tries to talk, not a private equity billionaire making money by selling stock right before material information about a dangerous hack of a critical software becomes public. I usually refer to that as “probably insider trading.”
In this case, however, possible insider trading really isn’t the problem. Though I hate the phrase, the real scandal isn’t what’s illegal, it’s what is legal. Bravo degraded the quality of software, which usually just means that people have to deal with stuff that doesn’t work very well, but in this case enabled a weird increase in geopolitical tensions and an espionage victory for a foreign adversary. It’s yet another example of what national security specialist Lucas Kunce notes is the mass transformation of other people’s risk into profit, all to the detriment of American society.
What to do?
In July, I interviewed Eileen Appelbaum, the author of Private Equity at Work: When Wall Street Manages Main Street. Eileen is quiet economist who has been leading the political fight against private equity barons, for years. She told me that the key problem with private equity isn’t the idea of financiers doing investment, as investment is necessary for any commercial sector to flourish. The problem is how these financiers - usually large ones who do cookie cutter deals - offload risk onto employees, lenders, investors, and the public itself.
One key change would be to pass the Stop Wall Street Looting Act, which would make it much harder to use debt to finance predatory acquisitions, as well as stopping the purchase of companies purely to lay people off. Stronger antitrust enforcement would also help, because that would make it much harder to use the roll-up strategy to buy up an entire sector, and it would prevent the raw exploitation of market power to generate cash. I would add another idea; cybersecurity analysts and policymakers need to start taking business models into account when doing government procurement; taking too much risk in the boardroom means hacks in the IT department and ultimately losses on the battlefield years later.
There are many ways to see this massive hack. It’s a geopolitical problem, a question of cybersecurity policy, and a legally ambiguous aggressive act by a foreign power. But in some ways it’s not that complex; the problem isn’t that Russians are good at hacking and U.S. defenses are weak, it’s that financiers in America make more money by sabotaging key infrastructure than by building it.
And they are celebrated for it. If Western nations had coherent political systems, the men responsible for this mess would be dragged in front of legislative committees and grilled over the business practices putting all of us at risk. Instead, five days ago, Pitchbook just gave out their Private Equity Awards, and named their “dealmaker of the year.”
Yes, it was Orlando Bravo.
FTC Does a Solid: The FTC blocked a hospital merger in Tennessee! Yay!
Shopify, Same as the Old Boss? A lot of people in the online commerce space are hoping that Amazon competitor Shopify will save the space. Shopify basically does the back office stuff for online retailers, but doesn’t have its own consumer facing brand and site to compete with them, thus eliminating the conflict of interest Amazon has vis-a-vis its merchants. Competition in this space is good, especially with a business offering neutrality as a differentiating element. And yet, even with competition, the legal environment for monopolization is shaping Shopify’s business strategy. Here’s the Yiren Lu back in November writing in the New York Times on the company.
Toward the end of our interview, [Shopify President Harvey] Finkelstein made a statement about how Shopify was the company best positioned to “own entrepreneurship” the way that Facebook owns social and Google owns search.
“Own entrepreneurship”?!? That sounds… ominous.
Sure enough, I recently got a note from a reader about Shopify. “We are implementing Shopify at our store as our new POS system. They are a subscription model starting at $30/month. But consistent with the immoral climate of today’s business world, their support people are incompetent, we are now required to spend $130/month to make it print basic reports every business needs, their leadership will not respond to emails; basically, it’s a superb example of everything wrong with the switch to the subscription model. It’s just one more scam that will enrich a few at the top and drive the rest of us nuts. I’m a CPA, a businessman for 40 years, and was fooled by Shopify. Their product is overpriced crap but their stock is up enormously.”
I’m hopeful about Shopify, but it’s clear that we need more than just two players in this space.
Handcuffs and Tickemaster: The Department of Justice caught Ticketmaster hacking into its competitor’s software, destroying its business, and buying out its assets. What was the penalty? Ticketmaster had to pay $10 million and start an ethics compliance program, and one executive might go on trial. At this point, Ticketmaster stands less as a company and more as a monument to failed antitrust enforcement. Does the CEO of Tickemaster have to murder a child in public for someone to do something about this monstrosity of a company? It’s time to put handcuffs on CEOs already.
Economist Find That Debt-Fueled Private Equity Is Bad: Three economists - Joan Farre-Mensa, Roni Michaely, Martin Schmalz - have published an important paper on private equity funds which load up firms they buy with debt so they can pay out special dividends, a cash grab known as a ‘dividend recapitalization." As the paper’s summary puts it, “Debt-financed payouts are associated with increased firm financial fragility during the COVID-19 and other crises—but internally funded payouts are not.” It turns out that these firms squeezed by private equity to borrow and pay dividends go bankrupt a lot more than firms who just pay out dividends from internal operations. This may seem obvious, and it is. But economists have now said it, which makes it matter in certain policy circles.
Big Tech and Diversity: There’s an interesting battle happening within big tech over diversity questions. Conservatives feel censored by what they perceive as progressive bosses, while left-wingers perceive racism and sexism by those same higher ups. I may at some point get into it when I’ve done more research, but the gist is that people who have a different vision of how to order society are running smack dab into monopolists who have expressed quasi-progressive views but are only interested in ordering society to maintain their market power. Here’s one thread from a left-winger attacking Google for stealing her work. There’s a lot more here, and I’ll dig into it eventually.
Thanks for reading. Send me tips, stories I’ve missed, or comment by clicking on the title of this newsletter. And if you liked this issue of BIG, you can sign up here for more issues of BIG, a newsletter on how to restore fair commerce, innovation and democracy. If you really liked it, read my book, Goliath: The 100-Year War Between Monopoly Power and Democracy.
P.S. Here’s an interesting tip from a reader.
So here's I think another monopolization to look at. Appliance repair parts. I fix busted washers and the like once in a while, and from what I've seen, and what the countermen tell me at the appliance parts store, a monopolization has taken place and there really is only one company wholesaling appliance parts, and they've jacked the prices up a bunch over the last decade or so. Reduces the likelihood of getting a busted appliance fixed, if, say the gas valve for a stove now costs $125 or so instead of $40 like it used to a decade or so ago. Monopoly as a cause of economic wasteage and environmental wasteage as well. Makes a huge difference in the total environmental costs of household appliances, as most of the environmental costs come from manufacturing, and if the unit is kept in service via repair of failed components, well that's a huge reduction in environmental costs.
But then there really is a need for the government (seeing as the industry won't ever do it) putting in place some sort of design standardization of certain key components to appliances. Refrigerator/freezser compressors--there really shouldn't be but three or four on the market. Gas valves for stoves--one, maybe 2. There just isn't that much new in the design or manufacture of most of the key components in appliances, near as me the non-engineer can tell, and reducing the inventory costs and manufacturing costs by lengthening production runs--well, that's how things are supposed to work in efficient markets. Right?
Worth checking out and seeing if what I've heard on parts monopolization is right. Someone, like maybe some econ grad student, ought to look into parts standardization, because it really is wrong to throw out rather than repair.
I get a lot of tips on areas of the economy that are monopolized, and I don’t have time to look into each one. My short-cut is to put the notes up here. I’m thinking I should come up with a template so you can do some of the basic research and we can then submit them to policymakers. If that’s of interest, let me know.
First, great read. Not only did you manage to consolidate most of the decent reporting on this matter (you should also know about the Bloomberg Article and the Bloomberg Opinion Piece published recently: https://www.bloomberg.com/news/articles/2020-12-21/solarwinds-adviser-warned-of-lax-security-years-before-hack https://www.bloomberg.com/opinion/articles/2020-12-21/solarwinds-hack-biden-must-act-after-suspected-russian-cyberattack); you also managed to finally start to get at the fact that this fiasco is the result of very, very, very poor corporate governance.
So, please, consider starting to point to the fact that if our current oversight and regulatory controls had operated correctly, at least shareholders would have been alerted to the fact that there were enterprise risk management problems at SolarWinds in February of 2020, which is the date of the latest audited financial statements published by the company. PwC signed the opinion, which is unqualified with respect to information system security risk that we now know pervaded the company. And, since we know that the fact that the company engaged in very poor information system security risk management practices, PwC should have known about the problem before it issued its last two opinions on the company's financial position and results of operations.
What I am getting at is that I really appreciate folks like you who report on these matters, but I really wish you would start to point fingers at the Elites who sit in fancy offices of audit/assurance/consulting firms, and who make decisions to give people like Orlando Bravo a pass on a daily basis.
Our public company oversight processes are at best corrupt, and we really need someone like you, someone who can write engagingly, and who can tell a story coherently, to always make sure that he includes the entire cast of enablers who help people like Orlando Bravo to accomplish his crimes. And I use the word "crimes" intentionally, because my understanding of the Sarbanes-Oxley Act of 2002 leads me to believe that if Mr. Bravo was aware of the bad management practices of the man he had running that company, he is equally accountable as the CEO and CFO, and should be prosecuted.
We have to start to treat white collar criminals just like we do their drug-cartel counterparts. Corruption is corruption, and always should be treated as a crime that eventually leads to death and destruction for countless numbers of people. To accomplish that, we have to reform the way our systems of oversight function. Holding the public accounting firms responsible for audits of public companies is one way to start us down that road.
Thanks for the article. Thanks for caring about these things. Those of us who work in the field of information system security compliance, enterprise risk management, and business continuity planning need people like you to help us move the needle towards good corporate governance. Much appreciated.
Matt, one of your best, if not the best, newsletter so far. Great read. Private equity looks scarier than ever now.