 |
| At Least She Got a Seat in Istanbul Not Even a Mention in the FT |
 |
| When You're This Far Gone It's No Wonder You Don't Hear the Wake-Up Call And a "Sobering Fact" Is Likely to Have No Effect |
In this post, I will hit that downed horse several more times.
Hopefully demonstrating that with respect to prevention there is quite a bit of low hanging fruit.
Please note that only the first point below directly relates to Mr. Younger’s opinion piece in the FT.
Russia
Mr. Younger had and perhaps still has access to secret information that makes him better placed than me to make an assessment about the links between ransomware hackers and the Russian Federation.
And as well to draw the conclusion that securing the cooperation of the RF will be a key element in stopping attacks.
His comment may be read to imply that the Russian Government
is more capable of controlling crime originating inside its borders than other countries are within theirs (that, I’d note, would be a remarkable achievement), or
that there are bonds between the hackers and certain organs of RF state security or
perhaps both
In any case, if the hackers were expelled and are motivated by profit, wouldn’t they simply pack up and go elsewhere?
Or in a demonstration of the intense competition in the “free market”, wouldn’t other countries’ enterprising hackers step up to fill the void?
From time to time, countries are “ranked” for the amount of “malevolent” internet traffic they originate.
Perhaps, these reports may identify potential candidates?
I didn't include all the countries named.
You can look at the reports cited below for additional country names.
One point to keep in mind.
It’s unclear if these reports are based solely in IP addresses or if there are other metrics.
Like VPNs proxy servers can make one appear to be in a country when one is not. Proxy server chains can create even more difficulty in locating a person or entity.
Matthew 7:7 Just one day after I posted this, Auntie answered. Still a great deal even at GBP 159 a year! https://www.bbc.com/news/technology-57504007
According to this report in 4Q2012, the PRC was responsible for 41% of “global attack traffic” on the internet, the US second with 10%, and the RF in fourth place with 4.3%.
According to another report, in 2016 China led the pack with 27.2% of cyber attacks (this is a subset of malicious traffic) the US with 17.12%, Turkey 10.24%, Brazil with 8.6%, and Russia with 5.14%.
According to this report for May 2019, “China, Russia and Ukraine appear to be active in a wide variety of hack attempts, including root kits, ransomware, brute force attacks and a wide variety of malware.”
State Intelligence Operations versus For Profit Criminal Hacking
It’s important to keep this distinction in mind when looking for solutions.
While finance is my provenance, I’d venture to guess that eliminating spying is even harder than eliminating organized crime.
According to what I read in the media, even allies spy on one another.
I’d also venture that countries are not going to allow the extradition of their intelligence operatives to a foreign country.
What about criminals?
The definition of “criminal” can be tricky—to use a shared finance and legal term --particularly when it comes to matters of state security.
Unauthorized access to state secrets, secret internet or communications systems and physical sites is a crime.
In such a case one might revise the statement about “terrorists” and “freedom fighters” to:
One country’s cyber spy is another country’s cyber criminal.
So what is to be done?
Prevention may offer a higher prospect of reducing risk than after the fact prosecution. Though prosecution should not be abandoned.
The Sophisticated “Hacker”
There seems to be a general perception that hackers are an incredibly brilliant lot.
Think of an evil twin from a soap opera.
A “rogue” Bill Gates, Linus Torvalds, or Larry Page.
That’s not always the case.
Much of the hacking takes place by the equivalent of opening an unlocked door or open window.
Those tools are fairly simple to program.
And for the lazy available for purchase on the web, or so I am told.
Here is a CISA alert from 6 May of this year.
More sophisticated hacking software is often developed from undisclosed flaws in existing software or systems that the hacker has purchased from someone else clever enough to discover them.
Here’s an article these “flaws” or zero day exploits.
Here’s another on how these sort of exploits were used to hack IOS in February 2020.
And there are other ways.
According to security experts the WannaCry ransomware attack was made possible by using information from some NSA software that Shadow Brokers illegally acquired and then put up for sale.
The Somnolent/Negligent Target
Here’s where we get to the really uncomfortable part – taking responsibility.
Lot of attacks are successful because targets left their doors unlocked and windows open.
WannaCry was facilitated because many users hadn’t upgraded from Windows XP.
As is common practice, after a certain amount of time, software vendors stop “supporting” old software. That includes providing security patches for known vulnerabilities.
You’ll see that same failure mentioned regarding some of the 2018 ransomware attacks in the USA.
Another is failure to install patches and updates that are provided by the vendor.
That is, perhaps even more egregious. One doesn’t have to plunk down money for a new bit of software, but merely install a “patch” from the vendor.
Pulse Secure VPN appears to be our poster child here.
First, an article from AP about breaches this year.
Here is a CISA alert from 15 April 2020 which is an update from 10 January 2020.
Take a look at the timeline outlined in this report.
You’ll notice the vendor made its first wake-up call in January 2019. That was followed by several “sobering facts” from a variety of sources.
Both of these incidents may be a salutary caution to those whose mobile phones no longer receive software updates or security patches. Or those who have ignored a message to update their phones.
I’ll upgrade this comment later to “a wake-up call” or “sobering fact" later.
As you will notice from the FT article cited above, WannaCry was described as a “wake-up call”.
That the somnolent didn't and don’t answer.
Perhaps the solution is a louder ring tone? Voice mail?
Not bloody likely! (See picture at the head of this post).
Stricter government requirements and robust penalties for failure to adhere to them are likely to get more attention and responses.
 |
| Noted Internet Security Expert, B. Franklin Interesting Fact: Colonial Pipeline Earlier Management Ignored His Advice |
Alex Younger, former head of the Secret Intelligence Service, penned an opinion piece in Saturday’s FT Ransomware attacks have to be stopped — here’s how.
Some 898 words long. Lots of good advice and interesting points.
However, he had but these 37 words (4%) on what I consider to be one of the key steps to resolving the problem.
It follows that governments can and should do more but not to the point of absolving individuals and firms of their own responsibilities. A surprisingly large amount of this is about getting the cyber security basics right.
The last sentence “names the issue exactly”.
I think this is the major problem.
By way of analogy, let’s assume a town where no one locks their doors, where people leave valuables in plain sight, where it’s common to leave the keys to one’s Maybach in the ignition, and the car in the driveway..
Now we could crackdown on those who buy stolen goods even those in other cities.
We could station a policeman by each house to keep guard.
Or, we could get as many citizens as possible to lock their doors and secure their property.
What this latter step hopefully would do is lessen the opportunity for crime.
And the amount of crime that takes place.
It also lessens the number vulnerable targets that one has to guard.
If we can take the above steps, then resources can be more focused.
Also and perhaps more importantly, with national security issues, one would I hope prefer to prevent an attack over a successful response to the attack.
Is this the case with ransomware? That doors are unlocked, valuables unsecured?
First, some macro examples from an earlier post.
Two quotes from the FT. Italics mine.
Just a quarter of companies in traditional infrastructure businesses, including oil and gas, utilities and healthcare, were properly braced for an attack, estimated Matias Katz, chief executive of the cyber security group Byos.
The oil and gas sector has been criticised for lax cyber security regulation.
The above points are estimates not facts.
But it should be not only an “overdue wake up call” but also a “sobering fact” even if these are overestimates by a factor of two.
The companies making these estimates are companies selling security products and so may have a profit dog in the fight.
So let’s turn to recent comments by US Secretary of Energy. She is reported to have said that “hackers” could shut down the US energy grid.
Second, some individual examples.
Colonial Pipeline was penetrated through a VPN which was “not intended to be used” but not turned off. That system had single factor authentication.
In February 2020, CISA (Cybersecurity and Infrastructure Security Agency) published an alert on a ransomware attack on an unnamed US pipeline.
That alert mentions some of the same security failures as with Colonial Pipeline.
Lessons learned?
Wake-up calls unanswered?
Sobering facts insufficiently “sobering” to overcome the state of intoxication?
As well, you will note that many of the other failures mentioned in that alert are “basic cybersecurity”. The PC equivalent of locking doors, securing valuables, etc.
You will see this pattern of “rookie” mistakes in many of their alerts
Another study that ranks cybersecurity by country seems to confirm the above.
The US ranks 46th out of 75 countries.
Some caveats:
This isn’t an apples to apples comparison. Rather it is an overall ranking across a broad gauge of metrics not just for ransomware. It includes attack attempts, infection rates on personal devices, etc.
But despite that drawback it does highlight the Willy Sutton Principle: One would expect the USA to be of more interest to hackers than many of the other countries on the list. And so more targeted. And so more in need of defense.
In Part 2, we’ll look at some other issues, not all of which relate directly to Mr. Younger's opinion piece.
 |
| Expectations Often Are Not Fulfilled |
Ellen Carr has an article in the 10 June FT “Linus from Peanuts has risk lessons for high-yield investors”
Two quotes from that article to set the stage for some additional observations.
When we get the chance to buy bonds with collateral backing them up, we feel, well, more secure.
Secured bondholders anticipate that, if their research fails them and the issuer ends up in bankruptcy court, they are likely to be paid in full before unsecured lenders get a dime.
There is truth in these statements.
But note that in both of the quotes Ms. Carr speaks about “feelings” and “anticipations”.
Sadly these “wishes” don’t always turn into “horses” that bond holders can ride.
Some inconvenient and perhaps even “sobering” facts.
(H/T for the latter phrase to Joseph Blount, President and CEO of Colonial Pipeline).
The nature of the collateral drives its value in a liquidation.
Property, plant, and equipment generally are sold for a fairly low percentage of historic cost in collateral realisation, particularly if they are highly specific to an industry. Or are costly to move.
As you’d expect items nearer to cash have higher sales values, assuming they are liquid in nature and trade in liquid markets.
Holders of collateral in the form of 100% of the shares of capital stock in a subsidiary are effectively junior in legal priority to all other creditors in that subsidiary. Last in the line in the cash waterfall from the subsidiary’s estate.
Such shares are generally less liquid than listed shares.
The nature of the corporate distress drives collateral values in liquidation.
If one company in an industry is failing but the industry itself has reasonable prospects, the sales price of collateral is likely to be more than if the entire industry is tanking.
This will also depend on whether there is existing excess capacity in the industry.
The form of the corporate distress resolution can affect access to collateral.
In a US Chapter 11, one may find one’s position changed under the reorganization plan.
Realisation of collateral can be legally stopped.
The reorg plan may change tenors, rates, and in some cases even the collateral itself.
In that regard DIP financing can create a new and higher priority class of secured creditors.
Laws and transaction structures can affect collateral.
Be sure that you legally have and can enforce your collateral rights.
Be sure the legal structure is sound. Complex structures involving multiple national laws may be fragile. You enforce your collateral rights in the jurisdiction where the collateral "resides".
Read the Offering Memo. The deficiencies outlined in points #1 and #2 above are often clearly spelled out in the Offering Memoranda. (See earlier posts on Golden Belt Sukuk and Peking University Founders Group),
Be sure you will get a fair shake in courts if you have to enforce your rights. For example, you don’t really want to be a foreign lender in Saudi Arabia. (See Al Gosaibi, TIBC, AlAwal Bank, AlSanea. Or Redec for those with long memories or access to the internet.)
Be sure there are no quirks in local law or advantages for well connected individuals. (See Dana Gas posts).
With that as background, let’s take a look at the transactions she mentioned in her article.
 |
| What's the Scrap Value of a Cruise Ship? |
Royal Caribbean Line: US$ 3.320 billion senior secured notes maturing in 2023 (US$ 1 billion) and 2025 (US$ 2.320 billion)
You’ll find the Indenture here.
Collateral – pages 7-8
“Collateral” is defined as:
shares of capital stock in subsidiaries that own the pledged “vessels”
28 pledged vessels
the Collateral Account and any “Trust Moneys” within
the material trademarks owned by the Issuer and Celebrity Cruises Inc. on the Issue Date, including the Royal Caribbean and Celebrity brand trademarks and (y) all intellectual property rights of the Issuer in and to marketing databases, customer data and customer lists, except to the extent prohibited by contractual obligation existing on the Issue Date or applicable law, rule or regulation.,
You may have read that the book value of the pledged collateral is some US$ 12 billion.
Sounds great!.
That’s roughly four times coverage of the Secured Notes.
But let’s look a bit closer.
First, this collateral is industry specific.
Ask yourself what is the value of cruise related collateral if RCL is failing because it cannot generate sufficient cash to repay its debt.
Then ask how the fact that the cruise industry in general is “facing rough seas” may depress collateral values even more.
A falling tide lowers all boats.
And their related values. And that of their customer lists, trademarks, etc.
Second, note that the US$ 12 billion is based on historic cost.
It’s an old rule of the market that one sells assets at the current market price which may be significantly different than historic cost or book value.
If you are a motivated seller, bidders are more likely to bid low than high. If indeed, they bid at all.
But as they say on late night TV, “but wait there’s more”.
Third, Collateral Cap – pages 8 and 99
That’s not a sartorial accessory for the collateral,
But a way to deal with indentures in existing bonds which limit the amount of “new indebtedness” that RCL can incur.
So what is a collateral cap?
Let’ turn to the Indenture for the legal meaning of this term.
First, the amount of the collateral that is available to the secured creditors solely is limited.
“Collateral Cap” means, on the Issue Date, $1,662.0 million, as it may be increased pursuant to Section 4.13.
Second, on page 99 there is an explanation as to what happens to amounts above the “cap”.
In no event shall Collateral Proceeds in excess of the Collateral Cap or any other limitation on the extent of Collateral Proceeds contemplated by the Security Documents be applied in accordance with this Section 6.10, and such excess amounts shall be returned to the Issuer, any Guarantor or any other obligor of the Notes, as their interests may appear, or as a court of competent jurisdiction may direct.
So in the best case the collateral will not repay more than roughly 50% of the outstanding debt.
Any proceeds from the collateral sales over US$ 1.662 billion would go to RCL’s “estate” to be shared by all creditors.
Thus, the secured note holders are not going to be repaid in full before the unsecured creditors get a dime in the event that the collateral needs to be realised.
There’s more.
As is typical the Indenture permits certain liens against the collateral that have legal priority to the secured note holders’ position.
Once one takes possession of collateral like a vessel, one incurs maintenance and costs associated with berthing, including any required crew salaries and expenses, plus insurance until the sale. These out of pocket costs would then represent a deduction from the proceeds of any realisation.
 |
| Admittedly An Extreme Case But Who Is Going to Want to Buy Stores Now? |
Macy’s US$ 1.3 billion 8.375% senior secured notes maturing 2025
The notes are secured by first liens/deeds of trust on real estate.
If Macy’s hits the wall to use a technical financial term, does that perhaps indicate that retail is in real trouble?
I’d argue that it does.
Macy’s is indeed a different “fish” than say Sears or K Mart.
If a name like this is in trouble, then the sector is in trouble.
Who then is the expected buyer of these real estate assets or as we might more realistically call them “empty stores”?
Dollar General? Maybe if the price is a dollar?
What is their value in alternative uses?
Amazon fulfillment centers? Homeless shelters? Schools?
If you’re interested, Fitch assigned this issue a BB+ rating.
That is below investment grade, a good indication that full repayment is not assured.
 |
| No Need for an Extensive Hunt Just Read Below |
On June 8th Joseph E. Blount, Jr., President and CEO of Colonial Pipeline testified before the US Senate Committee on Homeland Security and Governmental Affairs.
I have annotated quotes from his prepared statement before the Committee to provide further context and set the stage for a following post on the Committee’s reaction.
Quote 1
Colonial Pipeline is cognizant of the important role we play as critical infrastructure. We recognize our significance to the economic and national security of the United States and know that disruptions in our operations can have serious consequences.
That certainly sounds promising, Colonial acknowledges its “significance to the economic and national security of the United States”.
Based on that we can expect a description of the robust measures that Colonial took to prevent hacking and ransomware attacks.
Quote 2
I recognize that the attackers were able to access our systems. While that never should have happened, it is a sobering fact that we cannot change.
Indeed it should never have happened.
It is as well a “sobering fact”.
While great philosophers have debated whether a “sobering fact” is more urgent than a “wake-up call”, I think it’s safe to say that they largely agree that for a fact to be “sobering” one must not have been a “sober” state prior thereto.
Quote 3
We take our role in the United States infrastructure system very seriously.
With a previously reported 30%+ net profit margin, very seriously no doubt.
That aside, I guess we’re about to hear about Colonial’s robust preventive measures and the millions spent on cybersecurity.
I’d note that I take my role as a parent very seriously with respect to the safety of my children while traveling in our car.
That means of course that the Prince of Wails is secured in a baby seat and the two other little ones are buckled in before we embark.
Madame Arqala generally rides “shotgun” in these cases.
And makes ample use of the “phantom” brake and periodic verbal warnings to moderate any perceived excesses in my speed.
Note that those steps are undertaken before not after a crash.
So you’re probably as excited as I am to hear from Joe.
Quote 4
Colonial Pipeline is an accountable organization, and that starts with taking proactive steps to prevent an attack like this from happening again.
It seems that CP’s “accountability” is focused on the future.
They're looking "forward not backward."
Unspoken is the extent of accountability for pro-actively securing the stable gate before the horses bolt.
That can’t be quite right after all Joe of his statements so far about Colonial’s attitude to protecting critical infrastructure.
There’s got to be more to come.
Quote 5
Although the investigation is ongoing, we believe the attacker exploited a legacy virtual private network (VPN) profile that was not intended to be in use.
Ah, the answer.
When you hear the word “legacy”, you immediately know that its not current management’s failure.
It’s like the fraternity or college that has to accept an applicant because he’s a “legacy”. Neither can be blamed if the “legacy” doesn’t work out.
Or “legacy” can also mean something unwanted that you inherited, like your Aunt Stella’s collection of glass figurines. Just stick them in a box and forget about them.
With a name like “Colonial” you might well expect that John Murray, Fourth Earl of Dunmore, George Washington, or Alexander Hamilton probably set up the VPN.
Before you rush to blame any of them, let me remind you that internet security was not as advanced then as it is now.
Also we learn that the system “was not intended” for use.
But it certainly seems that it was “left on”.
So Colonial’s management is filled with good intentions among other things.
I guess in some quarters that counts for more than “effective actions”.
But that doesn’t mean that Colonial isn’t taking action now.
Quote 6
We have worked with our third-party experts to resolve and remediate this issue; we have shut down the legacy VPN profile, and we have implemented additional layers of protection across our enterprise. We also recently engaged Dragos’ Rob Lee, one of the world’s leading industrial and critical infrastructure and OT security specialists to work alongside Mandiant and assist with the strengthening of our other cyber defenses. We have also retained John Strand from Black Hills Information Security, another leader in the cybersecurity space, who will provide additional support to strengthen our cybersecurity program.
Clearly quite a bit work is being done now—that is to remind you after the hack.
Can we infer from the long list of remedial items that there were widespread and serious security weaknesses pre-hack?
It sure sounds like it.
With this as backdrop, you probably expect that Joe is about to get a quite grilling from the Senators on the Committee.
Let me remind you that “expectations” just like “intentions” don’t always deliver the wished for results.
Once the transcript of the hearing is published we’ll take a closer look.
 |
| Sometimes the Best Way to Avoid Being Played Is Not to Play |
She’s had quite a run with outlining the games fund managers play.
Here are just two examples.
Anyone who is sentient on the buyside has experienced this.
But it is nice to see academics confirm what we've learned.
So how does one minimize getting “played”?
The first thing to understand is that similar to other sellers of goods fund managers are looking to make a sale and a profit. Sales pitches run from “puffery” to outright misrepresentation.
The second is that these PE and VC and similar products are sold to “sophisticated” investors--the so-called “big boys”.
Regulators make the laughable presumption that the “big boys” don’t need the usual protections given retail investors.
That means disclosures and sales materials are allowed to be less robust and less detailed. One example relates to presentation of past returns, modelling, etc.
Professional standards of care are also lesser because the imaginary big boys are imagined to be able to take care of themselves.
Careful investors will draw the following conclusions from those “facts”.
Healthy skepticism is warranted.
Verify first, then give provisional trust, but keep verifying.
If it seems to be too good to be true, you're probably right.
Begin by carefully reading the prospectus/offering memorandum.
I have had representatives of major firms misrepresent products to me.
During one pitch, I commented that apparently their prospectus was wrong and cited “chapter and verse” from the prospectus to contradict the statement an earnest sales rep had just made.
Whenever I’m given a 1,000 page offering memorandum for all the seller’s products with a central definitions section separate from the product description so that the reader has to jump from here to there to make sense of a product, my antennae get more sensitive.
Complexity is not the friend of the investor.
Be sure you understand the product.
That means you need to do your own research if this is your first "rodeo" with a product.
But also ask the sales rep to explain the product.
Be wary of excessive use of jargon which is sometimes designed to deflect questions. Who wants to admit that they don't really understand "vol" or the "greeks" on derivatives?
As well be wary of vague phrases, waving of hands, and then the implication that a miracle occurs and you get rich.
The risk section and product/transaction description in the prospectus/offering memorandum can provide a good source of questions. And a check on the what is said in the "pitch".
Presentation of results that do not comply with CFA Institute GIPS (Global Investment Performance Standards) should not be relied on.
Non GIPS results can generally be managed to show whatever the seller wants.
GIPS also requires certain disclosures and prohibits certain practices.
Make sure benchmarks and historic performance make sense.
No one beats the market consistently.
Benchmark selection can affect relative performance.
See my earlier post on Infinity Q Diversified Alpha Fund.
If you do not understand how financial models may be “gamed”, you really should NOT invest in Level 2 and Level 3 assets.
This isn’t just about growth and discount rates, but also how “multiples” that are used to “determine” terminal value can disguise unrealistic assumption about those two previous factors.
If return is tied to or dependent on derivatives, you would be well advised to make certain you understand the downside risks.
Ask the utilities in Texas who found derivatives a rather costly tuition.
Or you could ask the good folks at JBS Spain about the derivatives they purchased.
Upward revisions of valuation should be examined carefully.
If one is being pitched, a very simple question is when the last revaluation took place and what the direction and impact was.
Amounts, timing, and the basis for the upgrade.
New funding provided by the fund manager at a higher valuation should not be considered as definitive proof the value has actually risen.
Sales of investments from one of the fund manager’s investment vehicles to another should be questioned, especially when the sale results in increasing the IRR of the selling fund.
Or sloughing off a dog into a fund that can bear a subsequent loss of value.
Yes this occurs.
Watch out for debt financing tricks that drive IRRs and presumed value. Oh and just incidentally affect the fund manager’s compensation.
On the “outgoing” cash flow from LPs: funding LP drawdowns with debt to delay capital calls.
On the “incoming” cash flows to LPs: refinancing equity with debt to generate a “return of capital” without any realisation of the investment, e.g., trade sale or IPO.
Be sure you understand the skill set of the fund manager and how deals are accessed.
When the fund manager's primary skill seems to be the use of leverage, you may want to consider fund managers with skills in developing the underlying business.
If the fund manager is buying assets from other funds or via auctions, ask whether he or she is getting a good price?
If the fund manager is buying an investment from another fund, why does he or she think they can turn another fund manager's "cast off" into gold? And is it credible?
Be sensitive to offers of preferential treatment.
Once we had a major fund management firm tell us that they were poised to revalue (upwards) investments in their existing fund.
We could invest in that fund now and take advantage of the lower current (entry) price before mark-up. Thus, earning a "guaranteed" return.
Needless to say, we not only declined the invitation for this investment opportunity but put them on our “blacklist” on the basis that if they were going to “screw” their existing LPs, we would be better off not becoming one.
Sometime later that fund had what might be charitably described as “disappointing” returns.
Posts
All Comments
