The boss of SolarWinds, the Texas firm that U.S. government agencies and big businesses rely on for vital cybersecurity, sat before a U.S. Senate Committee last week to confess a failure to catch the “unprecedented” online data raids by 1,000 suspected Russia-backed hackers.
The intruders spent a year quietly penetrating SolarWinds as a way to steal intelligence from at least nine U.S. agencies and 100 corporate clients.
The damage from the “Stella Particle” hack is still being counted. But one thing the senators didn’t probe: Have the tough new financial demands of software investors forced managers to compromise vital security?
Have our software defenses grown weak because the software sector is being hollowed out — like steel and a host of other once-proud U.S. industries — by profit extraction experts who relentlessly pressure professionals to cut corners?
Brad Smith, president of Microsoft, whose Azure remote cloud computing platform was repeatedly raided by the hackers, pleased critics of U.S. cybersecurity by calling on the government to force companies to admit when they are hacked, instead of covering it up.
But George Kurtz, founder of CrowdStrike, the firm that SolarWinds hired to assess the hacks, told the senators that weaknesses in Azure itself have been well known for years, opening the door for hackers.
What about SolarWinds? The firm is one more strategic software maker no longer owned by visionary founders.
In SolarWinds’ case, private investors bought the firm in 2015, loaded it with debt and have since sold some shares to the public. The buy was led by Thoma Bravo, a giant tech-accumulation firm.
Thoma Bravo, based in San Francisco, is familiar in Philadelphia tech. Among its scores of targets are Qlik, a King of Prussia business-sales software maker; iPipeline, an Exton insurance software company; and Elemica, the supply-chain software company in Wayne.
The firm, run by Silicon Valley-based billionaire Orlando Bravo, is very successful at attracting money. It raised $17 billion for its latest fund last year — the largest of its kind ever financed, according to PE Hub, a private equity news publisher.
In its sales pitch to Pennsylvania pension managers, Thoma Bravo said it has a track record of doubling, tripling or quadrupling clients’ investments over time.
Typically, the only way firms can do that is to squeeze the software companies they buy, hard and at the expense of employees and customers. They use the full arsenal of weapons, including cost cuts, price hikes, debt-funded mergers and consolidations, and, eventually, outsourcing, argues Matt Stoller, author of Goliath: The 100-Year War Between Monopoly Power and Democracy.
Here’s Bravo’s business model, according to a recent profile from the Wall Street Journal: “Thoma Bravo identifies software companies with a loyal customer base but middling profits and transforms them into moneymaking engines by retooling pricing, shutting down unprofitable business lines and adding employees in cheaper labor markets.”
Did such tactics contribute to the problems with SolarWinds? Stoller argues in his newsletter BIG that with demanding private equity ownership, “a massive hack like this was inevitable.”
But that’s a long way from tracing real problems to specific business moves. A spokesman for Thoma Bravo declined to comment for this column.
I’d like to hear what SolarWinds’ current and past clients, engineers and managers could tell the senators, or the agencies now scrambling to investigate this hack, about whether investor demands played a role in the debacle.
We’ve become inured when owners grind down a civilian factory and its community. But when the nation depends on the product, as it does with cybersecurity, more is at stake.
In recent years, private investors have taken such big Pennsylvania employers as Manor Care nursing homes, Philadelphia Energy Solutions and Hahnemann University Hospital to bankruptcy and mass layoffs, after extracting millions.
I grew up thinking software was the opposite of an aging institution — it was the language of the future, born in America, profitable, ever spawning new applications. It’s still surprising to see it become just the latest mature industry ripe for squeezing.
Is all this inevitable under free-market capitalism?
Last week, President Joe Biden promised an initiative to identify software and computer hardware firms, among other strategic industries, in order to give them incentives to stay or move back here.
Government isn’t always good at picking winners. No doubt subsidies and trade protection will attract the usual profiteers, who will use any crisis to extract extra earnings from taxpayer spending on protected industries.
But the government has committed to protecting key industries, and added software to that list.
It won’t be cheap. Protection means higher prices, and probably higher taxes. It would be worth it, if it really makes America safer.