Tuesday, 15 June 2021

Ransomware Prioritize Prevention Then Pursue Prosecution – Part 1

 

Noted Internet Security Expert, B. Franklin
Interesting Fact: 
Colonial Pipeline Earlier Management Ignored His Advice

Alex Younger, former head of the Secret Intelligence Service, penned an opinion piece in Saturday’s FT, “Ransomware attacks have to be stopped — here’s how”.

Some 898 words long. Lots of good advice and interesting points.

However, he had but these 37 words (4%) on what I consider to be one of the key steps to resolving the problem.

It follows that governments can and should do more but not to the point of absolving individuals and firms of their own responsibilities. A surprisingly large amount of this is about getting the cyber security basics right.

The last sentence “names the issue exactly”.

I think this is the major problem.

By way of analogy, let’s assume a town where no one locks their doors, where people leave valuables in plain sight, where it’s common to leave the keys to one’s Maybach in the ignition, and the car in the driveway.

Now we could crack down on those who buy stolen goods, even those in other cities.

We could station a policeman by each house to keep guard.

Or, we could get as many citizens as possible to lock their doors and secure their property.

What this latter step hopefully would do is lessen the opportunity for crime.

And the amount of crime that takes place.

It also lessens the number of vulnerable targets that one has to guard.

If we can take the above steps, then resources can be more focused.

Also, and perhaps more importantly, with national security issues, one would, I hope, prefer to prevent an attack over a successful response to the attack.

Is this the case with ransomware? That doors are unlocked, valuables unsecured?

First, some macro examples from an earlier post.

Two quotes from the FT. Italics mine.

  1. Just a quarter of companies in traditional infrastructure businesses, including oil and gas, utilities and healthcare, were properly braced for an attack, estimated Matias Katz, chief executive of the cyber security group Byos.

  2. The oil and gas sector has been criticised for lax cyber security regulation.

The above points are estimates not facts.

But it should be not only an “overdue wake up call” but also a “sobering fact” even if these are overestimates by a factor of two.

The companies making these estimates are companies selling security products and so may have a profit dog in the fight.

So let’s turn to recent comments by the US Secretary of Energy. She is reported to have said that “hackers” could shut down the US energy grid.

Second, some individual examples.

Colonial Pipeline was penetrated through a VPN which was “not intended to be used” but not turned off. That system had single factor authentication.
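A minimal version of the check this failure calls for, as an added example that is not from the original post or from Colonial Pipeline: it flags remote-access profiles that are still enabled but unused, or that allow single-factor logins. The inventory format, column names, profile names and the 90-day threshold are assumptions, and the sample rows are constructed.

```python
import csv
import io
from datetime import date

# Constructed sample inventory (not real data); the column names are assumptions.
SAMPLE_INVENTORY = """\
profile,enabled,mfa_enforced,last_login
ops-engineering,true,true,2021-04-28
legacy-vendor,true,false,2019-11-02
contractor-temp,true,true,
old-scada-remote,false,false,2018-06-14
field-techs,true,false,2021-04-30
"""


def _as_bool(value):
    return value.strip().lower() in {"true", "yes", "1"}


def audit_vpn_profiles(inventory_csv, today, stale_days=90):
    """Return {profile: [reasons]} for enabled profiles that fail basic checks."""
    findings = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if not _as_bool(row["enabled"]):
            continue  # already turned off, so it is not an open door
        reasons = []
        if not _as_bool(row["mfa_enforced"]):
            reasons.append("single-factor authentication")
        last = row["last_login"].strip()
        if not last:
            # An enabled profile with no recorded login is also "not in use".
            reasons.append("enabled but never used")
        else:
            idle = (today - date.fromisoformat(last)).days
            if idle > stale_days:
                reasons.append(f"unused for {idle} days but still enabled")
        if reasons:
            findings[row["profile"]] = reasons
    return findings


if __name__ == "__main__":
    report = audit_vpn_profiles(SAMPLE_INVENTORY, date(2021, 5, 1))
    for name, reasons in report.items():
        print(f"{name}: {'; '.join(reasons)}")
```
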

In February 2020, CISA (Cybersecurity and Infrastructure Security Agency) published an alert on a ransomware attack on an unnamed US pipeline.

That alert mentions some of the same security failures as with Colonial Pipeline.

Lessons learned?

Wake-up calls unanswered?

Sobering facts insufficiently “sobering” to overcome the state of intoxication?

As well, you will note that many of the other failures mentioned in that alert are “basic cybersecurity”. The PC equivalent of locking doors, securing valuables, etc.

You will see this pattern of “rookie” mistakes in many of their alerts.

Another study that ranks cybersecurity by country seems to confirm the above.

The US ranks 46th out of 75 countries.

Some caveats:

  1. This isn’t an apples to apples comparison. Rather it is an overall ranking across a broad gauge of metrics not just for ransomware. It includes attack attempts, infection rates on personal devices, etc.

  2. But despite that drawback it does highlight the Willie Sutton Principle: One would expect the USA to be of more interest to hackers than many of the other countries on the list. And so more targeted. And so more in need of defense.

In Part 2, we’ll look at some other issues, not all of which relate directly to Mr. Younger's opinion piece.


Sunday, 13 June 2021

Collateral: Great Expectations vs Sobering Facts

Expectations Often Are Not Fulfilled

 

Ellen Carr has an article in the 10 June FT, “Linus from Peanuts has risk lessons for high-yield investors”.

Two quotes from that article to set the stage for some additional observations.

When we get the chance to buy bonds with collateral backing them up, we feel, well, more secure.


Secured bondholders anticipate that, if their research fails them and the issuer ends up in bankruptcy court, they are likely to be paid in full before unsecured lenders get a dime.

There is truth in these statements.

But note that in both of the quotes Ms. Carr speaks about “feelings” and “anticipations”.

Sadly these “wishes” don’t always turn into “horses” that bond holders can ride.

Some inconvenient and perhaps even “sobering” facts.

(H/T for the latter phrase to Joseph Blount, President and CEO of Colonial Pipeline).

The nature of the collateral drives its value in a liquidation.

  1. Property, plant, and equipment generally are sold for a fairly low percentage of historic cost in collateral realisation, particularly if they are highly specific to an industry. Or are costly to move.

  2. As you’d expect items nearer to cash have higher sales values, assuming they are liquid in nature and trade in liquid markets.

  3. Holders of collateral in the form of 100% of the shares of capital stock in a subsidiary are effectively junior in legal priority to all other creditors in that subsidiary. Last in the line in the cash waterfall from the subsidiary’s estate.

  4. Such shares are generally less liquid than listed shares.

The nature of the corporate distress drives collateral values in liquidation.

  1. If one company in an industry is failing but the industry itself has reasonable prospects, the sales price of collateral is likely to be more than if the entire industry is tanking.

  2. This will also depend on whether there is existing excess capacity in the industry.

The form of the corporate distress resolution can affect access to collateral.

  1. In a US Chapter 11, one may find one’s position changed under the reorganization plan.

  2. Realisation of collateral can be legally stopped.

  3. The reorg plan may change tenors, rates, and in some cases even the collateral itself.

  4. In that regard DIP financing can create a new and higher priority class of secured creditors.

Laws and transaction structures can affect collateral.

  1. Be sure that you legally have and can enforce your collateral rights.

  2. Be sure the legal structure is sound. Complex structures involving multiple national laws may be fragile. You enforce your collateral rights in the jurisdiction where the collateral "resides".

  3. Read the Offering Memo. The deficiencies outlined in points #1 and #2 above are often clearly spelled out in the Offering Memoranda. (See earlier posts on Golden Belt Sukuk and Peking University Founders Group.)

  4. Be sure you will get a fair shake in courts if you have to enforce your rights. For example, you don’t really want to be a foreign lender in Saudi Arabia. (See Al Gosaibi, TIBC, AlAwal Bank, AlSanea. Or Redec for those with long memories or access to the internet.)

  5. Be sure there are no quirks in local law or advantages for well connected individuals. (See Dana Gas posts).

With that as background, let’s take a look at the transactions she mentioned in her article.


What's the Scrap Value of a Cruise Ship?


Royal Caribbean Line: US$ 3.320 billion senior secured notes maturing in 2023 (US$ 1 billion) and 2025 (US$ 2.320 billion)

You’ll find the Indenture here.

Collateral – pages 7-8

“Collateral” is defined as:

  1. shares of capital stock in subsidiaries that own the pledged “vessels”

  2. 28 pledged vessels

  3. the Collateral Account and any “Trust Moneys” within

  4. the material trademarks owned by the Issuer and Celebrity Cruises Inc. on the Issue Date, including the Royal Caribbean and Celebrity brand trademarks and (y) all intellectual property rights of the Issuer in and to marketing databases, customer data and customer lists, except to the extent prohibited by contractual obligation existing on the Issue Date or applicable law, rule or regulation.

You may have read that the book value of the pledged collateral is some US$ 12 billion.

Sounds great!

That’s roughly four times coverage of the Secured Notes.

But let’s look a bit closer.

First, this collateral is industry specific.

Ask yourself what is the value of cruise related collateral if RCL is failing because it cannot generate sufficient cash to repay its debt.

Then ask how the fact that the cruise industry in general is “facing rough seas” may depress collateral values even more.

A falling tide lowers all boats.

And their related values. And that of their customer lists, trademarks, etc.

Second, note that the US$ 12 billion is based on historic cost.

It’s an old rule of the market that one sells assets at the current market price which may be significantly different than historic cost or book value.

If you are a motivated seller, bidders are more likely to bid low than high. If indeed, they bid at all.

But as they say on late night TV, “but wait there’s more”.

Third, Collateral Cap – pages 8 and 99

That’s not a sartorial accessory for the collateral,

But a way to deal with indentures in existing bonds which limit the amount of “new indebtedness” that RCL can incur.

So what is a collateral cap?

Let’s turn to the Indenture for the legal meaning of this term.

First, the amount of the collateral that is available to the secured creditors solely is limited.

“Collateral Cap” means, on the Issue Date, $1,662.0 million, as it may be increased pursuant to Section 4.13.

Second, on page 99 there is an explanation as to what happens to amounts above the “cap”.

In no event shall Collateral Proceeds in excess of the Collateral Cap or any other limitation on the extent of Collateral Proceeds contemplated by the Security Documents be applied in accordance with this Section 6.10, and such excess amounts shall be returned to the Issuer, any Guarantor or any other obligor of the Notes, as their interests may appear, or as a court of competent jurisdiction may direct.

So in the best case the collateral will not repay more than roughly 50% of the outstanding debt.

Any proceeds from the collateral sales over US$ 1.662 billion would go to RCL’s “estate” to be shared by all creditors.

Thus, the secured note holders are not going to be repaid in full before the unsecured creditors get a dime in the event that the collateral needs to be realised.

There’s more.

As is typical the Indenture permits certain liens against the collateral that have legal priority to the secured note holders’ position.

Once one takes possession of collateral like a vessel, one incurs maintenance and costs associated with berthing, including any required crew salaries and expenses, plus insurance until the sale. These out of pocket costs would then represent a deduction from the proceeds of any realisation.


Admittedly An Extreme Case
But Who Is Going to Want to Buy Stores Now?

Macy’s US$ 1.3 billion 8.375% senior secured notes maturing 2025

The notes are secured by first liens/deeds of trust on real estate.

If Macy’s hits the wall, to use a technical financial term, does that perhaps indicate that retail is in real trouble?

I’d argue that it does.

Macy’s is indeed a different “fish” than say Sears or K Mart.

If a name like this is in trouble, then the sector is in trouble.

Who then is the expected buyer of these real estate assets or as we might more realistically call them “empty stores”?

Dollar General? Maybe if the price is a dollar?

What is their value in alternative uses? 

Amazon fulfillment centers? Homeless shelters? Schools?

If you’re interested, Fitch assigned this issue a BB+ rating.

That is below investment grade, a good indication that full repayment is not assured.


Saturday, 12 June 2021

Colonial Pipeline CEO’s 8 June Testimony -- Annotated

 

No Need for an Extensive Hunt
Just Read Below

On June 8th Joseph E. Blount, Jr., President and CEO of Colonial Pipeline testified before the US Senate Committee on Homeland Security and Governmental Affairs.

I have annotated quotes from his prepared statement before the Committee to provide further context and set the stage for a following post on the Committee’s reaction.

Quote 1

Colonial Pipeline is cognizant of the important role we play as critical infrastructure. We recognize our significance to the economic and national security of the United States and know that disruptions in our operations can have serious consequences.


That certainly sounds promising, Colonial acknowledges its “significance to the economic and national security of the United States”.

Based on that we can expect a description of the robust measures that Colonial took to prevent hacking and ransomware attacks.

Quote 2

I recognize that the attackers were able to access our systems. While that never should have happened, it is a sobering fact that we cannot change. 

Indeed it should never have happened.

It is as well a “sobering fact”.

While great philosophers have debated whether a “sobering fact” is more urgent than a “wake-up call”, I think it’s safe to say that they largely agree that for a fact to be “sobering” one must not have been in a “sober” state prior thereto.

Quote 3

We take our role in the United States infrastructure system very seriously.

With a previously reported 30%+ net profit margin, very seriously no doubt.

That aside, I guess we’re about to hear about Colonial’s robust preventive measures and the millions spent on cybersecurity.

I’d note that I take my role as a parent very seriously with respect to the safety of my children while traveling in our car.

That means of course that the Prince of Wails is secured in a baby seat and the two other little ones are buckled in before we embark.

Madame Arqala generally rides “shotgun” in these cases. 

And makes ample use of the “phantom” brake and periodic verbal warnings to moderate any perceived excesses in my speed.

Note that those steps are undertaken before not after a crash.

So you’re probably as excited as I am to hear from Joe.

Quote 4

Colonial Pipeline is an accountable organization, and that starts with taking proactive steps to prevent an attack like this from happening again.

It seems that CP’s “accountability” is focused on the future. 

They're looking "forward not backward."

Unspoken is the extent of accountability for pro-actively securing the stable gate before the horses bolt.

That can’t be quite right after all of Joe’s statements so far about Colonial’s attitude to protecting critical infrastructure.

There’s got to be more to come.

Quote 5

Although the investigation is ongoing, we believe the attacker exploited a legacy virtual private network (VPN) profile that was not intended to be in use.

Ah, the answer.

When you hear the word “legacy”, you immediately know that it’s not current management’s failure.

It’s like the fraternity or college that has to accept an applicant because he’s a “legacy”. Neither can be blamed if the “legacy” doesn’t work out.

Or “legacy” can also mean something unwanted that you inherited, like your Aunt Stella’s collection of glass figurines. Just stick them in a box and forget about them.

With a name like “Colonial” you might well expect that John Murray, Fourth Earl of Dunmore, George Washington, or Alexander Hamilton probably set up the VPN.

Before you rush to blame any of them, let me remind you that internet security was not as advanced then as it is now. 

Also we learn that the system “was not intended” for use.

But it certainly seems that it was “left on”.

So Colonial’s management is filled with good intentions among other things.

I guess in some quarters that counts for more than “effective actions”.

But that doesn’t mean that Colonial isn’t taking action now.

Quote 6

We have worked with our third-party experts to resolve and remediate this issue; we have shut down the legacy VPN profile, and we have implemented additional layers of protection across our enterprise. We also recently engaged Dragos’ Rob Lee, one of the world’s leading industrial and critical infrastructure and OT security specialists to work alongside Mandiant and assist with the strengthening of our other cyber defenses. We have also retained John Strand from Black Hills Information Security, another leader in the cybersecurity space, who will provide additional support to strengthen our cybersecurity program.


Clearly quite a bit of work is being done now—that is, to remind you, after the hack.

Can we infer from the long list of remedial items that there were widespread and serious security weaknesses pre-hack?

It sure sounds like it.

With this as backdrop, you probably expect that Joe is about to get quite a grilling from the Senators on the Committee.

Let me remind you that “expectations” just like “intentions” don’t always deliver the wished-for results.

Once the transcript of the hearing is published we’ll take a closer look.