Greed, Security, and MBAs: Compromising Security for Yachts, Snazzy Cars, and Big Houses?

January 5, 2021

I read “How to Get Rich Sabotaging Nuclear Weapons Facilities.” The title is snappy. The mix of sabotage, nuclear weapons, and money is a spicy blend. I have been critical of cyber security firms’ marketing. I’ve mentioned their lingo, the nifty exhibits at law enforcement and intelligence conferences, and the endless reports about data for sale on the Dark Web.

I admit that I have focused on the flashier side of the business. I leave the specifics of repurposing open source software wrapped in scripts to others. I also have not linked obvious financial plays like the sale of 4iQ to Alto Analytics or the Recorded Future tie up with Insight Partners or any of the other mergers and roll ups emerging from the cyber security gold rush.

Why? I have been commenting about the craziness of MBAs for years, and — guess what? — no one cares. When I worked for some archetypal MBAs at assorted financial institutions, to a person the individuals agreed. I recall one flashy MBA as saying to me, “That’s right. I want money. Lots of money.” That fine individual asked me to pay for lunch because he left his wallet in his desk.

The write up about sabotage and nuclear weapons seems to be getting traction. In the aftermath of the SolarWinds misstep, this passage has more meaning to the average thumb typer and social media maven:

Cybersecurity is a very weird area, mostly out of sight yet potentially very deadly. Anonymous groups can turn off power plants, telecom grids, or disrupt weapons labs, as Israel did when it used a cyber-weapon to cripple Iranian nuclear facilities in 2010. Bank regulators have to now consult with top military leaders about whether deposit insurance covers incidents where hackers destroy all bank records, and what that would mean operationally. It’s not obvious whether this stuff is war or run-of-the-mill espionage, but everyone knows that the next war will be chock full of new tactics based on hacking the systems of one’s adversary, perhaps using code placed in those systems during peacetime.

The high-flying SolarWinds sparked this comment:

SolarWinds didn’t bother to hire a senior official to focus on security until 2017, and then only after it was forced to do so by European regulations. Even then, SolarWinds CEO, Kevin Thompson, ignored the risk. As the New York Times noted, one security “adviser at SolarWinds, said he warned management that year that unless it took a more proactive approach to its internal security, a cybersecurity episode would be “catastrophic.”

What was the root cause? The write up points the finger at a roll up specialist called Bravo. I learned:

After its IPO, SolarWinds followed Ellison’s advice, became a merger machine, buying a dozen companies from 2011-2014, including Pingdom, Confio and N-Able Technologies. In 2015, Thoma Bravo Partners (along with Silver Lake) bought the company, and loaded it up with $2 billion of debt to finance the purchase. (Yes, this was one of those purchases in which the private equity buyer bought the company with the company’s own money.) Under Bravo’s control, SolarWinds engaged in more mergers, buying companies who made threat monitoring software, email security, database performance monitoring, and IT support firms. SolarWinds sought to become a one-stop-shop in its niche, not particularly good at quality, but with everything a customer might need. Of course, the Federal Trade Commission and the European Competition Commission allowed these deals; just a month before the hack was revealed, the FTC approved yet another acquisition by SolarWinds.

What happened?

The misstep. The write up points out:

But in some ways it’s not that complex; the problem isn’t that Russians are good at hacking and U.S. defenses are weak, it’s that financiers in America make more money by sabotaging key infrastructure than by building it.

The root cause, therefore, is that which generates revenue in an environment in which regulators are asleep at the switch, MBAs plot their next big deal, and some assume that whiz-bang, smart security systems actually work.

Stephen E Arnold, January 5, 2021

