Enron collapsed in October of 2001 after the complex structure of subsidiaries and questionable accounting practices built by the energy giant fell apart, sending ripples across government, Wall Street and individual faith in Corporate America. The company had experienced the kind of rapid growth that created a new norm on Wall Street and remains a plague of short-term thinking. In Enron’s zest for financial success, lines were crossed and billions were lost as it all unraveled. Government reacted with Sarbanes-Oxley, requiring more oversight and audit functions in publicly traded companies.
Then, we saw this all happen again in 2008, much to our surprise, with the fall of Lehman Brothers and others as the real estate and financial markets crumbled. You would think at some point we would begin to recognize the signals when something is not quite right. Yet, here we are again, at a tipping point, but this time with big technology and digital players who pride themselves on the motto: “move fast and break things.” That could be our first clue something could go wrong because things are breaking. Senior executives of Enron went to jail. Board members were held accountable. Have we reached the Enron moment in digital where the risk is too great and only a small handful of companies hold the keys to solving the problem? Let’s look at some of the signals to assess the risk and get prepared.
Data Breaches. On the heels of the Cambridge Analytica breach that brought CEO Mark Zuckerberg to Washington to face scrutiny by Congress, Facebook once again announced that it had been hacked with potentially 30 million user names and passwords or other sensitive data leaked. While I’m not a big Facebook user, I immediately began to receive phishing-extortion-like emails saying they knew my user name and password and wanted thousands of dollars from me. Google, too, sheepishly announced that Google Plus had been hacked and user data exposed. Of course, earlier this year Equifax announced that nearly half of the citizens of the U.S. had their most sensitive data compromised. Yahoo, Uber, Panera, Under Armour, Orbitz, Saks, schools, hospitals, government departments, the list goes on and on - and that’s just this year; and that’s just what gets reported. While Amazon has not yet announced any such massive breaches, it seems only a matter of time. The common thread in criticism of these companies is that they are taking too long to inform consumers of the breach, potentially exposing them to more threats. To make matters worse, in March of this year the senior security executives from Google, Facebook and Twitter all resigned, suggesting that perhaps there is too much liability or not enough people inside listening to their warnings. The European Union is said to be announcing soon the first round of fines for failure to comply with GDPR (the data privacy laws intended to protect EU residents, which went into effect in May of this year). The clear signal here is that even our largest, most forward-thinking technology companies don’t seem to quite know what to do with these data breaches or how to respond fast enough. If they can’t figure it out, who will?
What’s the ramification when the breaches become more widespread, impacting potentially massive financial markets, retirement and savings, the energy grid, airlines and everyday computer systems that allow us to work and go about our business?
Amazon has too much data – is it too big to fail? We just watched Sears, America’s original retailer, drown in billions of dollars in debt. Meanwhile, Amazon, like Walmart before it, tears through one industry and market after another. The difference here is Amazon is collecting a mass of data on every one of us: what we watch on Amazon Prime, what we buy, what kind of food we eat, what we say to Alexa and what we store in the cloud. It is also serving millions of businesses and government with its cloud services, meanwhile capturing all of that data. While there has not been a publicized breach, it is more likely than not that they will eventually fall victim. What happens if their cloud service is breached and millions of smaller businesses suffer or the many government agencies they serve are brought to a halt? What happens to all the small businesses relying upon Amazon when they decide to change their pricing structure or algorithms that drive business to them? Are we seeing another Enron or Lehman moment where perhaps there is simply too much risk in one place? What happens when Amazon moves into health care and financial services and then there’s a meltdown?
Artificial Intelligence and Bias. Go to any digital or tech conference and people are ecstatic with the idea of Artificial Intelligence (“AI”) and robotics replacing humans across many functions and industries. But who creates the AI? A recent report in Reuters cited that Amazon had to abandon an AI tool it was using for recruiting because it was biased against women and could be biased against minorities. Any chance the people who built the AI were primarily, if not exclusively, men? Reuters reported that across big tech, the majority to supermajority of tech workers are, in fact, men. There’s also growing evidence that the big tech company employees largely lean left, politically, creating a potential scenario that AI of the future may also be skewed. It’s not to say that the engineers are doing it intentionally; it’s that they are human and flawed as all of us humans are. As they build the rule framework that powers AI, they do so with their own inherent biases, whatever they may be, whether overt or not. This means the machines that will use AI as their rule framework for decision making could be built with inherent biases from their creators. It doesn’t really matter if you are a man or a woman or a Republican or Democrat or Independent, the idea that a robot could be built with biases should terrify all of us. How can we fully entrust AI if we don’t have full trust in the people building it and managing it or overseeing it to be neutral? Can we rely on just a handful of companies with something so powerful? Much like Enron created rolling blackouts for California to make money at great harm to California citizens, could the same manipulation occur if we begin to rely on AI developed by only a handful of potentially biased individuals or the companies who employ them? If the genie gets out of the bottle and we can’t regain control or oversight of the AI out there, what happens then?
Too many companies cite themselves as fast followers and simply buy the technology from someone else, merely accepting these risks.
The Trojan Horse. Bloomberg Businessweek recently detailed the potential that China has implanted a chip in servers at Apple, Amazon, and potentially thousands of other companies by tampering with the manufacturing of a motherboard used in servers that power technology businesses (i.e. they infected the supply chain at its source). The chip was implanted to be nearly undetectable and activated to connect via the internet to a portal that would allow the Chinese to take over the servers and infiltrate the companies operating those servers. Both companies formally denied that they were impacted as reported by Bloomberg (if you want to read more, this is the cover story of the Bloomberg Businessweek October 8, 2018 edition). Whether some, none or all of the reporting is true, it creates a serious question: what if a foreign government could flip a switch (whether by hardware or a virus implanted via phishing) and take over devices, servers or other systems? I recently attended the NACD Global Summit in Washington D.C. at which the Director of the FBI, Christopher Wray, spoke about the cyber-threats against American corporations. He warned that in many cases, the virus is already implanted, it just needs to be turned on. He cautioned those seeking to reduce supply chain costs or outsource IT functions to be mindful that those reduced costs come with some risks. It’s widely known in cyber security circles that a virus could be implanted and remain dormant until the attacker is ready. The time to pay for those risks is likely coming soon.
These are just a couple of examples of the signals that an Enron moment in digital is on the horizon. This doesn’t even factor in the social impact of Facebook’s inability to control manipulation of its platform that has the power to impact elections, Google’s complete dominance of search results or Amazon’s overwhelming access to data and logistics power that could disrupt almost any industry. I’m not trying to attack any of these companies. I know many great people at all of them. I use services from all of these companies and believe deeply in the value of capitalism as a driving force. However, we can’t allow convenience and ease to blind us to the reality of what is happening and the risks that are building.
Despite periodic turbulence, the stock market seems to remain at an all-time high. What type of security breach might wake everyone up and drive the tech sector down? What might prompt the government to step in and regulate these fast-moving spaces? While the cause of the breakdown will be different from that of Enron or Lehman, the result may be the same: a total and complete wake-up of the government and people to what’s going on behind the curtain. Outside of waiting on the government to act, what can you do about this in the boardroom and C-suite?
Recognize that these are real threats that impact every company. Just like Enron had a ripple effect and the real estate bubble in 2008 had a ripple effect, this too will have an impact on every company. Take steps in the c-suite and board to discuss these threats and how you could be impacted.
Ask the hard questions of senior management and each other. All too often senior management doesn’t want the board to know when problems are developing, often earnestly hoping they can course correct, and sometimes, as in Enron, intentionally. Think about what you would do if you were on the Enron board or Lehman Brothers board. What is your responsibility? How do you trust, but verify, that digital and cyber threats are being taken seriously across your company?
How reliant are you on technology from outside the United States? What about your vendors and suppliers? If you are taking the risk, be sure you are fully apprised of the risk.
How reliant are you on Apple, Amazon, Facebook, Microsoft or other dominant tech companies to reach customers or operate your business? Does it put you at any risk if one of them were to face a massive breakdown?
Do you have crisis plans in place for a total meltdown or a massive breach? If you haven’t read about the Maersk breach, search for Wired magazine’s “The Untold Story of NotPetya, the Most Devastating Cyberattack in History.” If there’s only one thing you do, be sure to have a crisis plan in place and practice and prepare for it over and over and over again.
Don’t wait for this to happen to think about it. Don’t make the same mistakes of the past. I know the agenda is already packed and you are busy, but find the time for a discussion, a meeting, or an off-site session to talk about these real threats to the organization and how the company is preparing for them.
There’s so much more to this subject than can be covered in a blog post, but I hope this gets you thinking about how close we are to an Enron moment in digital. Most people weren’t prepared in 2008 and weren’t prepared in 2001. Maybe this time, companies and executives will recognize signals of change in the wind.