A Cyberattack Rattled US Car Dealerships. Which Industry is Next?

Brad Hibbert, Prevalent's Chief Operating Officer and Chief Strategy Officer, shares insights on industry cyber risks with The Daily Upside.
October 16, 2024

Editor's note: This article was originally published on thedailyupside.com.

A funny thing happened on the way to the dealership this summer. For a brief period, it became almost impossible to buy a car in the US.

After a ransomware attack in June at CDK Global, an under-the-radar Chicago-based software provider with a market cap of around $6.4 billion, operations at thousands of car lots across the country ground to a halt for nearly three weeks. Roughly half of the entire industry relies on the same CDK Global software.

The car dealership crisis came just weeks before a wobbly software update from cybersecurity provider CrowdStrike tripped up millions of computers running Microsoft Windows. The gaffe affected systems across the globe — including in critical infrastructure like airports, banks, hospitals, and government services.

Cyber experts say both crises presage an increasingly unstable future. Thanks to consolidation and a lack of competition in the software industry — particularly providers offering niche but critical systems — a single point of software failure can turn entire industries into teetering Jenga towers. Next time could be a lot worse.

Summer Haze

In the past, most outages, cyberattacks, and data breaches were either brief or targeted specific individuals: Who hasn’t gotten a notification that a piece of their personal information has been leaked to some Dark Web forum? But the attacks on CDK Global and especially the CrowdStrike outage were different.

“Hopefully these recent events serve as a wake-up call. Companies and policymakers often shrug off the constantly growing number and severity of data breaches that hurt individuals. These outages, as well as ransomware attacks, [brought] business to a halt,” Rory Mir, associate director of community organizing at the digital rights nonprofit the Electronic Frontier Foundation, told The Daily Upside.

In other words, these attacks highlighted that the risks associated with a single point of software failure are too big to ignore:

  • According to an Anderson Economic Group forecast seen by The Detroit Free Press, the CDK Global outage cost the nearly 15,000 US car dealers that use its software roughly $1 billion — and around 56,200 car sales — in just three weeks.
  • The impact of the CrowdStrike outage is certainly far larger. Nir Perry, CEO of cyber insurance risk platform Cyberwrite, told Reuters that an outage of this magnitude could trigger economic damages worth tens of billions of dollars. Delta Air Lines said the outage cost it $380 million in revenue.

The result? A cyber insurance industry that must now deal with the mounting complexity of compounding risks. Which likely means higher and higher premiums for customers.

“The issue is that we don’t know what we don’t know, so [insurers] don’t know how to price the risk,” Dr. Keri Pearlson, executive director of cybersecurity at MIT Sloan School of Management, told The Daily Upside. “And even though we have seen multiple cyber incidents, we don’t know what the likelihood of the next one is, or even what the next one will be, so how can we build pricing models for the risk of something we don’t even know how to articulate?”

Industry Town

While the CrowdStrike outage showed how one issue can affect countless industries, the CDK Global cyberattack demonstrated how the fate of many players in any particular industry can be tied directly to just a couple of dominant software providers. And of course, car dealers are far from the only sector for which this is true. In fact, it’s one of the least critical industries to be so dependent on single providers.

For instance, a trio of payment processors — FIS, Fiserv, and Jack Henry — hold a roughly 70% market share in the banking industry, according to a 2022 industry survey conducted by the American Bankers Association. Fiserv has roughly 42% market share on its own, making it one giant domino.

Meanwhile, just three software providers have near-total control of the airline booking market: Travelport, Amadeus, and Sabre, according to analyst estimates seen by The Wall Street Journal.

If it’s not clear yet, all that consolidation poses obvious risks. “Fewer tools used by a large number of companies naturally create choke points. Think of the Suez Canal blockage a few years ago,” Brad Hibbert, chief operating officer and chief strategy officer at vendor risk management firm Prevalent, told The Daily Upside. “You can’t have critical choke points in a supply chain — physical or software.”

Long a magnet for devastating cyberattacks, healthcare may be most at risk, with software providers like Epic Systems and the Oracle-owned Cerner cornering the US digital medical records market, according to healthcare analytics firm Definitive Healthcare.

“If I had to pick one industry I’d pick healthcare, and specifically with the backdrop of global conflict,” Andrew Southall, founding engineer at cloud services security firm SkySiege, told The Daily Upside. “Healthcare IT is poorly paid, managed, and generally running on old stuff… it’s a known weak target.”

Spread Your Bets: So what can be done to protect small businesses from a single point of software failure, malicious or otherwise? Given the creativity of malicious actors, building up defenses might require a more holistic mindset, one less focused on protection and more focused on a “mindset of resilience,” Dr. Pearlson said. “We need to assume they will get past our protections and we need to invest in response and recovery processes and people.”

One major solution suggested by experts: diversify, diversify, diversify.

“The lesson here is to adopt multi-vendor strategies, particularly for critical systems like cybersecurity, IT infrastructure, and business operations. Businesses need to think about redundancy and backup solutions across multiple vendors, ensuring there’s a fallback if one platform goes down,” John Price, founder of cybersecurity firm SubRosa, told The Daily Upside.

Unfortunately, that’s easier said than done.

Antitrust Your Gut: While Federal Trade Commissioner Lina Khan and trustbusters at the Department of Justice make headlines with their ongoing battle against Big Tech, dominant providers of more niche software have evaded attention. And that’s likely part of the problem.

“Customers — enterprise or individual — benefit from a market with a wide variety of choice so they can find the solutions which meet their needs and respect their rights,” Mir said, adding that “antitrust has been broken for decades because of the idea that ‘consumer welfare’ only extends to low prices. In reality, we find that major monopolies can impose other types of harm, such as a company that keeps prices low by surveilling customers or cutting corners in security practices.”

One result: Even well-informed customers can be stuck with a vendor they aren’t sufficiently satisfied with. And, increasingly, those market-dominating vendors have bigger and bigger targets on their backs.

“In cybersecurity specifically, [consolidation] risks creating a ‘digital monoculture,’” Mir said. “Cybersecurity is inherently adversarial, so when it is more concentrated that means there are fewer targets [that] more adversaries can focus on.”

For car dealerships, however, the tale of CDK Global is one of antitrust law gone awry. Just a few years ago, the company found itself in an antitrust case brought by industry upstart Authenticom, which alleged that both CDK Global and fellow dominant player in the industry, Reynolds and Reynolds, illegally formed a cartel to control the market, leading to high prices on inferior software.

The case ultimately ended with CDK Global paying Authenticom a one-time cash payment as part of a settlement, after a circuit court ruled to vacate a preliminary injunction against the two dominant market players previously ordered by a district court.

In vacating the injunction and siding with CDK Global, circuit court judges cited a landmark 2004 Supreme Court case, Verizon Communications v. the Law Offices of Curtis Trinko. In the unanimous decision, US Supreme Court Justice Antonin Scalia wrote that “the mere possession of monopoly power, and the concomitant charging of monopoly prices, is not only not unlawful; it is an important element of the free-market system.”

We’ll leave it to the legal scholars to figure out how much that opinion aligns with the original intent of the Sherman Antitrust Act, but one thing is certain: The world in 2004 had no idea about the cybersecurity risks the world would be facing by 2024.