David Zalubowski/AP Photo
Car dealers hobbled by the hack of a dealer management software system called CDK Global have said it may take months or years to get back on track.
For more than a week, most car dealerships in America have been unable to sell cars, and they don’t sell a lot of branded shirts or bottled water, so it’s a pretty existential crisis. This is because of a middleman, a dealer management software system called CDK Global, that has been out of commission since June 19 because of a ransomware attack. CDK has not given a clear timeline on when the problems will ultimately be resolved. In the meantime, customers have flocked to the handful of dealerships that don’t use CDK, and other dealerships have applied spit and tape to try and fashion a temporary solution. Dealers hobbled by the hack have said it may take years to make up for the financial loss.
If this sounds familiar, it is: the hack of a middleman taking down an important piece of the U.S. economy. Earlier this year, it was a hack of Change Healthcare, a payment software solution for the health care system, that crippled hospitals and other providers. Before that it was SolarWinds, another software company for network IT infrastructure, that was hacked; it was later discovered that an intern at the company set a password as “solarwinds123.” (Solar Winds has said that the password was to a third-party vendor application and had nothing to do with its IT systems or the hack.)
And even more recently, Evolve Bank & Trust, the partner bank to fintech companies enveloped in the Synapse mess that has left 200,000 people with no access to their money for over a month, announced its own ransomware attack, and when it didn’t comply with the ransom, the hackers released 33 terabytes of financial data onto the internet.
The common thread here is an economy of middlemen, a group of linkers, connectors, and bridgers that offer little in value (or in these cases actively detract from it) and much in opportunity for skimming and causing prices to rise. This has in a real sense become the U.S. economy in microcosm, and in many ways it speaks to public frustration with it.
In the case of SolarWinds, Change, and CDK Global, you can thank either private equity or unaccountable behemoths for these particular situations. In both cases, minimizing labor costs and maximizing revenue is greatly preferred, and it has led to almost comical levels of poor security practices. Worse, it has led to these middlemen becoming greater factors in their respective industries, to the point of becoming systemically important critical infrastructure (SICI), a term in cybersecurity that refers to these types of obscure but vital facets of economic life.
Nobody is really tracking these SICIs, but as the Change and CDK ransomware attacks have indicated, hackers most certainly are, because they know they have found easy marks for their moneymaking efforts. It’s the soft underbelly of our distorted economy, and it needs to be understood to reduce the absurd risks that have been created.
Change should never have been swallowed up into the UnitedHealth behemoth, as the Prospect wrote in 2021. Change allowed United insight into thousands of health provider billing practices, and vertical integration across insurance payers and UnitedHealth-employed doctors. It also centralized data in the hands of one billing company, making it an inviting target for hackers.
We’re now seeing the very structure of our economy failing.
What we didn’t anticipate was that security would also not be taken seriously. This April, I wrote about how hospital lobbyists blocked stronger standards for protections for health companies against cyber attacks. But what was not even known at the time was the centrality of middleware software firms like Change; the fight was largely over hospital cybersecurity systems.
Private equity–owned CDK Global flew well under the radar in this respect as well. Its dealer management software is used by 15,000 of the roughly 17,000 dealers in America. How it got this place of importance, and once again access to so much data, is a story about corporate bullying of competitors and favorable Supreme Court rulings, as Matt Stoller writes. But the broad strokes here are not unlike Change; for the sake of “efficiency,” one company gets this central position in an industry, which they can use to raise prices and profits, and along the way costs are slashed and risks heightened until the inevitable hack.
I have spoken to data specialists in the auto dealer space who claim to be able to deliver the kind of dealer management software that CDK provides for significantly lower costs. That is what we see in relation to VeriSign, another middleman that overcharges for registering .com websites and sports a ridiculous 67 percent profit margin. Like with Change, health care is riddled with middlemen, like pharmacy benefit managers (which The New York Times managed to write about seven years after I did) and group purchasing organizations, both of which claim to use bulk buying to facilitate lower prices for prescription drugs and medical supplies, but which in reality cause prices to elevate and shortages to explode.
America runs on middlemen. They have insinuated their way throughout the products and services we rely upon, and they make them more expensive, poorer in quality, and more vulnerable to hidden risks.
These risks can be seen most sharply in the information security realm. As Cory Doctorow writes, “This is the American story of the past four decades: accumulate tech debt, merge to monopoly, exponentially compound your tech debt by combining barely functional IT systems. Every corporate behemoth is locked in a race between the eventual discovery of its irreparable structural defects and its ability to become so enmeshed in our lives that we have to assume the costs of fixing those defects.”
For the next several months anyway, we have an enforcement authority in power at the Antitrust Division of the Justice Department who keenly recognizes the peril of a middleman economy. That’s why Live Nation, the middleman between fans and entertainers, is under a monopolization lawsuit. That’s why RealPage, the software middleman for rental companies, is under investigation and has been subject to FBI raids. It’s why UnitedHealth itself is being scrutinized, for its suite of middlemen and its vertical integration of the health care space.
Talking about health care economics, Jonathan Kanter, who leads the Antitrust Division, told The New York Times that “Intermediaries are now commonplace … [they] are not only consuming a lot of money—or taking a lot of money out of the system—but making decisions about the course of care.”
We’re now seeing the very structure of our economy failing. The concept of outsourcing critical functions to middlemen, who supersize and fall into the hands of extractive parent companies that then put safety and stability last on their list of concerns, has been replicated too many times to be coincidental. Systemically important critical infrastructure should not be built into a monopoly bottleneck, as the free market tends to do. And if we are going to have these centralized go-betweens, at least they ought to be regulated like the public utilities that they are.
But until then, the tyranny of the middleman helps explain why the public has this perception of an economy that doesn’t work in their interests, and in fact actively fights them and harms them. The reason things feel so broke all the time, perhaps, is because they are.
This story has been updated with information about SolarWinds and the 2019 IT breach.