Rackets in Everything
What The Godfather can teach us about risk: What We Have Here is a Failure of Intelligence; Cyber Fraud; What a Fossil (Fuel); Talent Gaps and Overlaps
My father made him an offer he couldn't refuse.
― Michael Corleone, The Godfather
Risk Developments this letter:
What We Have Here is a Failure of Intelligence
Cyber Fraud
What a Fossil (Fuel)
Talent Gaps and Overlaps
Q&A
I’ll be joining Byrne Hobart of The Diff at 2pm ET/11am PT tomorrow, December 11th on his subscriber call to talk about cyber risk, cybersecurity, insurance, and incentives. Looking forward to discussing all things cyber including FireEye, discussed below!
Corleone Crossing the Atlantic
Vito Corleone, The Godfather, is an American allegory of violent revolution, rackets, and frontiers. Both Vito and America were born out of violent tax protests. Both rise to power by pioneering new and more sophisticated rackets. These rackets tended to work out as the frontier expanded, but ultimately the greatest threat to both is the shift in values and internal tensions as new territory runs out.
It is not until The Godfather Part II that we learn the mythological origins of Vito. Orphaned in Italy by his mother’s murder at the hand of a powerful don, Vito comes to America. His founding myth takes place in New York’s Little Italy. He loses honest employment at a grocery store due to a political favor for a local boss, Don Fanucci. He then turns to a life of petty crime, and soon encounters the same Don, who shakes him and his gang members down for a percent of his profits. In protest, he decides to murder Fanucci, but first Vito asks his associates to let him handle the matter, without telling them how. In the classic scene where the murder takes place, Vito shadows Fanucci during the festival of Saint Roch (a saint invoked against the plague). Vito climbs from rooftop to rooftop, as Fanucci saunters along the parade route. In Fanucci’s building, Vito murders him in cold blood, lifting the accursed plague of the Black Hand on the neighborhood. After this, Vito takes over the neighborhood, careful only to exploit outsiders and rising in status as a fair and judicious man within the community. Similarly,
Vito’s son, Michael, the future Don of the Corleone criminal organization, has a similarly violent origin story. The modern plague is the drug trade brought by Sollozzo, the Turk, and protected by McCluskey, a corrupt cop. It is this new, more lucrative trade that threatens the Corleone family. Vito, who by this point has bought much clout in politics to support his union and numbers rackets, turns down Sollozzo’s offer to become a partner in the drug business. Vito has staked his reputation on “legitimate” rackets and fears that the drug trade, the ethical frontier, will destroy the relationships he has built with politicians. Michael doubles down on his father’s origin story by killing not only McCluskey, Fanucci’s equivalent, but also Sollozzo, the embodiment of uncertainty and the other. Instead of continuing his father’s rackets or turning to drugs, Michael finds a frontier of his own, Las Vegas. It is one befitting of his time and the new model of organized criminal, not as one who lives by a code, but as the “continuation of [business] by other means.”
Despite the calculation to avoid drugs, for ethical, practical or financial reasons, Vito, Michael and all mobsters are still in the business of extralegal methods. Their business empire consists of various rackets, just not the explicit bullying pizzo of Don Fanucci.
But what is a racket anyway?
The U.S. legal definition merely contains a laundry list of illegal things that, if performed twice in a ten-year period, constitute “racketeering activity.” The generally accepted definition is repeated or continuous organized crime.
But both of these definitions beg the question. If racketeering is organized criminal activity then the question is not whether a crime was committed, but whether the defendant is a criminal. This kind of character judgement is circular reasoning because racketeering is a crime. Just being charged changes people’s perception. Take many rappers for example. Their fame is often built on notoriety because they publicly claim to perform criminal acts, but just being perceived as a criminal makes them prime targets for RICO, a racketeering law passed specifically in response to the mob.
Where did the whole idea of a racket come from? Historically, a racket is a subtle kind of extortion using deception or fraud to create plausible deniability. Here we are getting somewhere. Let’s break down various rackets seen in The Godfather:
Fanucci’s simple protection racket - The Godfather Part II
Vito’s numbers and union rackets - The Godfather Part I
Michael’s corporate racket - The Godfather Part II
While only Fanucci’s racket is obviously criminal, we recognize all of these as using misrepresentation and coercion, but a racket is something more: namely, something ineffably offensive to our morals.
Let me propose a new definition of a racket: a promise that is factually accurate, but not True.
Take the quintessential racket: “Nice shop you got here. Shame if something were to happen to it…” It is accurate to say that you could pay me not to smash up your shop, but there is no Truth in the exchange. Famously, Yelp has been called an extortion racket. Google runs a sort of racket, where the implication is that your business will not be listed on the first page of search results unless you buy ads. Not to mention, there are plenty of opportunities in cybersecurity for rackets. What separates Yelp and Google from cybercrime and the mafia is legitimacy. Bad reviews or a low page-rank are a function of quality. Perhaps the most controversial racket is the government tax racket. Citizens pay taxes for protection, but who are they being protected from, the police, who will arrest you for tax evasion, or somebody else? Where an internal stakeholder (customers, searchers and citizens) has an interest to protect, an implied threat is legitimized.
What does this have to do with the United States of America? For one thing, American history is full of famous swindles, bait-and-switches, and rackets. We are an enterprising lot with a deep culture of bending the rules, but rackets are not what makes America unique. Rackets are a feature of all modern nation-states. Just as Vito stepped into the power vacuum in 19th century New York’s Little Italy, and Michael stepped into Las Vegas gambling, nation-states stepped in to put an end to religious wars. If you think this is an unserious, sensationalized take, I recommend Charles Tilly’s War Making and State Making as Organized Crime. In it he expands on Frederic Lane’s four stages of capitalism:
A period of anarchy and plunder
A stage in which tribute takers attracted customers and established their monopolies by struggling to create exclusive, substantial states
A stage in which merchants and landlords began to gain more from protection rents than governors did from tribute
A period (fairly recent) in which technological changes surpassed protection rents as sources of profit for entrepreneurs
Below is a causal diagram, created by Tilly, that expands upon Lane’s analogy between organized crime and states:
Tilly goes on to describe and contrast the process of state formation (blue arrows) with that of organized crime (red arrows) and that of the idealized and sanitized version (green arrows). His distinction between extraction and war making juxtaposes a monopoly on violence for external as opposed to internal purposes. Tilly goes on to quote George Modelski on how external power creates the state,
“Global power... strengthened those states that attained it relatively to all other political and other organizations. What is more, other states competing in the global power game developed similar organizational forms and similar hardiness: they too became nation-states – in a defensive reaction, because forced to take issue with or to confront a global power, as France confronted Spain and later Britain, or in imitation of its obvious success and effectiveness, as Germany followed.... Thus not only Portugal, the Netherlands, Britain and the United States became nation-states, but also Spain, France, Germany, Russia and Japan.… why these succeeded where "most of the European efforts to build states failed" is that they were either global powers or successfully fought with or against them.”
Tilly further compares this model with the failure of de-colonialized states, where they “... acquired their military organization from outside, without the same internal forging of mutual constraints between rulers and ruled.” Not accountable to courts, financial interests, legislative bodies or other checks on power, the military in such states retains its extractive raison d’être. That is to say, for the monopoly on violence to be legitimate, it must be acquired by providing actual protection to at least one internal stakeholder group, or it is simply extractive.
What is extraordinary about the United States is not the tax racket, but the endless frontier. We have discussed Albert Hirschman’s Exit, Voice and Loyalty here before, and it is a useful model to combine with Lane’s above. At each stage of this development, a government’s subject or a business’ customer may not find the behavior legitimate, and in countries with limited land and opportunity, the options are either voice or loyalty. In a country with an active, and especially expanding frontier, exit is not only possible, but a strong threat. Vito’s frontier is a neighborhood without bullies. Michael’s is semi-legitimate commercial activities like gambling. Tilly’s frontier is the production-possibility frontier. As long as there is new territory to exit into, rackets can, as Tilly said, “[surpass] protection rents as sources of profit.”
In The Godfather, when New York became too crowded with crime families, violence broke out like a plague, so entrepreneurial mobsters moved west to Las Vegas. In The United States, when Alaska was at last declared a state (1959), we ran out of new lands. Since then, the frontiers have been space and cyberspace. Cyberspace, although still young, is beginning to show signs of overcrowding. The ad tech ethical race to the bottom, balkanization of The Internet, and proliferation of cybercrime are all symptoms of overcrowding. Space still seems too far away to offer immediate relief.
In closing, I’d like to revisit Tilly’s “forging of mutual constraints” and briefly mention The Godfather Part III. Part III is often maligned, but here I would like to focus on the substance of the plot, not the film making or acting. In Part III, Michael attempts to go clean, make amends with his ex-wife, confess his sins to The Catholic Church, and enter real estate through The Church’s holding company, by paying off the Vatican’s debts. If Part I was about respect and legitimacy and Part II was about corporate capitalism and internal threats, Part III is about forgiveness, God and land. It is a return to the questions of the Wars of Religion — the “forging of mutual constraints.”
The picture at the top of this post is one of my favorite paintings. It is pure myth. Painted by a German in 1851, modeled on the Rhine, with inaccurate lighting, impossible posing, incorrect boats, overly idealized caricatures and the wrong flag. “Awfully nice founding story you got there… shame if something were to… happen to it.” Nonetheless, it seems True to me. The legitimacy of the American project, one of the few de-colonization attempts in which mutual constraints were forged by the endogenous creation of a military, rests on the continued expansion of opportunity. The specter of religious wars forged the modern nation-state, and without new lands to discover, internal conflicts threaten to break the bonds of mutual constraints that have kept our rackets True and legitimate.
Risk Developments
What We Have Here is a Failure of Intelligence
The big risk news this week is incident response firm FireEye’s disclosure of a breach in which some of their red team tools were stolen. This is not the first time secret hacking tools have been stolen. FireEye’s close ties to the U.S. government do make it especially noteworthy, and from a business perspective people certainly note the irony of a “cybersecurity” firm being hacked, but neither of those reasons is why this is interesting.
First, the intelligence community diaspora and infosec practitioners in general have circled the wagons in defense of FireEye:
It’s a truism that hacks happen to everyone. Still, FireEye is in the business of incident response (and now we know incident causation as well), not defense, so it’s more like an EMT calling 911 than it is a security guard getting robbed. Their stock tumbled, but since most breach financial impacts are associated with response or legal costs I don’t expect it to be a dramatic hit to their bottom line:
What is noteworthy is their recent $400M investment from Blackstone, closed just three weeks ago. In the world of breach disclosure, less than three weeks would be a record, so it’s likely they knew about the breach at some level while raising capital. Second, and perhaps more importantly, is the indication of failed intelligence models. Secret nefarious tools and cloak and dagger stuff have significant costs.
These costs may be reputational, a loss of public trust, or even the lack of efficacy. Just look at Credit Suisse’s continuing embarrassment of riches. Their corporate spy ring was a mess of miscommunication, cover-ups and threats. Not only did it telegraph the message to all CS employees, “we don’t trust you,” but it also doesn’t seem to be helping their business. Growth solves all problems, but instead of finding a frontier in finance, Credit Suisse continues to be mired in internal struggles.
What can countries and companies do? Sense making is important, and there are secrets to be found, but I’ll leave the last word to retired intelligence professional Carmen Medina, who, in her excellent piece on the future of intelligence as open-source, says,
“The goal should be to create a new culture of sense-making collaboration among intelligence officers, policymakers, and yes the public. The public’s ability to contribute to the sense making process would be one way of rebuilding trust.”
Cyber Fraud
Frauds and rackets are closely related, but critically different. A fraud is outright deception. A racket is implication. The former is a lie meant to be taken at face value, while the latter is the truth meant not to be taken at face value. Trying to get people to understand when they’re being lied to is hard.
In an attempt to control cyber insurance losses, international insurance broker Aon released a new Cyber Awareness Training aimed at doing just that. Awareness programs haven’t been shown to be efficacious. One reason is the principal-agent problem. Synthetic identity fraud is on the rise and makes this point even clearer. Criminals take bits of real identities (addresses, social security numbers, etc.) and apply for credit, pretending to be a fictitious person. There is no personally responsible principal, so this kind of fraud often goes unreported until it’s too late.
Another type of “lie” hackers use is inserting code into an input field meant for legitimate information gathering. Say you build a bank website asking for social security numbers in a text field. An attacker could paste a database command to return all entries in that column from the database. Without proper checking, a computer will run the command. This type of attack, called injection, is easier to fix, because the victim is the system owner.
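To make the bank example concrete, here is an added illustration (not part of the original letter) in Python against an in-memory SQLite database. The table, column names and sample records are constructed for the example; it shows the unchecked lookup next to the two usual fixes, parameter binding and format validation.

```python
import re
import sqlite3

def make_db():
    # Constructed sample data: hypothetical table and obviously fake SSNs.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (name TEXT, ssn TEXT)")
    db.executemany(
        "INSERT INTO customers VALUES (?, ?)",
        [("Alice", "000-00-0001"), ("Bob", "000-00-0002"), ("Carol", "000-00-0003")],
    )
    return db

def lookup_vulnerable(db, ssn_field):
    # The form value is pasted into the SQL text, so the database cannot
    # tell the developer's command apart from the visitor's input.
    query = "SELECT name, ssn FROM customers WHERE ssn = '" + ssn_field + "'"
    return db.execute(query).fetchall()

def lookup_bound(db, ssn_field):
    # Parameter binding: the value is compared as data and never parsed as SQL.
    query = "SELECT name, ssn FROM customers WHERE ssn = ?"
    return db.execute(query, (ssn_field,)).fetchall()

SSN_FORMAT = re.compile(r"\d{3}-\d{2}-\d{4}")

def lookup_hardened(db, ssn_field):
    # Defense in depth: reject anything not shaped like an SSN, then bind it.
    if not SSN_FORMAT.fullmatch(ssn_field):
        raise ValueError("input is not in SSN format")
    return lookup_bound(db, ssn_field)

# Constructed input of the kind the paragraph describes: text that closes the
# quoted value and adds a condition that is true for every row.
CRAFTED_INPUT = "' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("honest input, vulnerable:", lookup_vulnerable(db, "000-00-0002"))
    print("crafted input, vulnerable:", lookup_vulnerable(db, CRAFTED_INPUT))
    print("crafted input, bound:", lookup_bound(db, CRAFTED_INPUT))
    try:
        lookup_hardened(db, CRAFTED_INPUT)
    except ValueError as err:
        print("crafted input, hardened: rejected,", err)
```

The vulnerable lookup returns every customer record for the crafted input, while the bound query treats the same text as a literal SSN that matches nothing.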
While sometimes easy to fix, this type of fraud is difficult to prevent because there are an infinite number of responses to an input field. Furthermore, in developer systems which by nature require code execution, it is even harder to circumscribe the types of input. This is what happened to Microsoft-owned GitHub. Ultimately GitHub just decided to disable the feature. Frauds that are hard to identify, like synthetic identity, may be easy to prevent, but frauds that are easy to identify, like injection attacks, may be hard to prevent.
What a Fossil (Fuel)
2020 has not been a good year for oil companies, but maybe that’s finally good news for the energy industry. Fracking was the first frontier in energy since the pull back from nuclear in the 1970’s, but it was a kind of racket. “Nice carbon based economy you got here… real shame if something were to happen to it” the oil and coal companies said, with the threat of the 1970’s oil crisis still fresh in policy makers’ ears. So we paid the protection money and got on with our lives, but now it appears that decreased demand for oil use due to the pandemic, historically low natural gas prices, compounding improvements in renewables and renewed interest in nuclear are starting to open a new energy frontier.
Talent Gaps and Overlaps
Talent is a tricky thing to assess. When looking at the education bundle, I break the value into three parts: knowledge, network and brand. With limitless information and classes online, a huge deflationary cost has been imposed on formal educational knowledge. This has led to a kind of Baumol effect, which has paradoxically made a college degree even more important for its brand and network. The gains from a productivity increase in knowledge formation have accrued to the network and brand.
The talent bundle is the other side of the same coin. When hiring, do firms expect employees to contribute to the bottom line because of something they know how to do, somebody they know or how they are perceived? This issue comes up in the cyber talent gap all the time where there is a cyber talent racket at play. People think knowledge is the most important thing, firewall configuration, 1337 hacker skills and proof of concepts, but cybersecurity roles reside in a business’s cost center, so the best thing you can do in the short run is be cheap and look like the kind of person who takes cyber seriously.
In the long run, of course, it matters if you misconfigure an Amazon S3 bucket, but as pointed out above, everybody can get hacked, so it’s hard to attribute real marginal costs of better security skills. Researchers are urging firms to look elsewhere for talent and lower credentialing or experience requirements. The problem is that brand and network get more important as knowledge gets more widespread, and what is important for companies is to signal that their cybersecurity hiring is top-tier, not merely competent.
In Biden’s cabinet, you see a related dynamic playing out. Political consultants and financiers are snapping up positions. Presumably they know a lot about the role, but there are probably plenty of candidates with the requisite knowledge. What is scarce is pedigree and network. People are dunking on Marco Rubio’s characterization of Biden’s cabinet:
It’s fair to both respond that Trump’s cabinet had no shortage of Ivy Leaguers and that we should be selecting for competence, but the great irony of the Biden/Harris ticket’s conspicuously absent Ivy League bona fides is that anyone who went to an Ivy League knows how many incompetent idiots they went to school with. Only somebody who didn’t go to Harvard could believe that it’s a strong signal of competence.
Gratitude
Big thanks to Tom White, Roger Farley, Simone Keelah, Sachin Maini, Reza Saeedi, Vinit Shah, and all the rest of On Deck Writers for an amazing eight weeks of feedback! Also thank you to Carmen Medina, Byrne Hobart, Chris Brimsek, Jeremiah Grossman, and Parthi Loganathan who all helped me wrap my head around some ideas in this week’s letter. Special thanks to Slava Akhmechet, who I corresponded with this week about this moving and heartfelt piece.