I recently finished reading This Is How They Tell Me The World Ends by Nicole Perlroth. I don’t typically read non-fiction. I find that great fiction is often more “real” than most non-fiction in its ability to illuminate truths about ourselves. But, I love non-fiction when it’s (A) well-researched yet concise in analysis, and (B) reveals all the sub-stories that you feel in your gut are happening, but aren’t being captured. This book shines on both fronts.

When I first learned aboutStuxnet, I was astounded at the scale of coordination among multiple countries’ security agencies. I didn’t think this level of cooperation between governments was possible while simultaneously maintaining secrecy. I voraciously tried to consume as much content about the cyberattack as I could, but I always felt like the documented information was too thin for such a coordinated effort involved seven different zero-day exploits. I wanted to read a book that went deeper. This is (in part) that book. 

But Stuxnet is just one stop on a tour of decades of escalation in scope, sophistication, and consequences of cyberattacks. Perlroth does an excellent job of giving the reader the feeling of being an insider, hanging out at the after-parties of BlackHat and DEFCON, overhearing hackers on all sides of this fight speak with each other with as much candor as a diligent reporter can get access to.

The most memorable lesson from the book is the indefensible position US security agencies took for decades regarding their knowledge of security vulnerabilities of popular software. The US naively assumed only they would be savvy enough to exploit little-known zero day vulnerabilities in things like Microsoft Window, Apple’s Safari browser, or Cisco routers, and instead of working with vendors to patch known bugs, they hoarded them for years on end for the purpose of signal intelligence. This led to many years of global tech users being openly vulnerable to security exploits directly due to US security agencies’ inaction, and it was these same exploits that were often used by international governments and ransomware mercenaries to spy on and attack whomever they chose to target, which was often US corporations and US citizen employees of those companies. The US governments attempts at security through obscurity and secrecy (always a terrible idea by contrast to security by design) backfired predictably and terribly. And it continues today.

The climax of the book is the swelling brinksmanship that the US, Russia, Iran, and China have created in infiltrating each others’ digital systems (military, civilian, corporate, and most terrifyingly, power infrastructure systems). Any given one of the hacks described in this book made modest headlines at the time they happened (often in stories broken by Perlroth herself), but the real success of the book is seeing how these hacks are connected and often in an escalating response to each other, and how the actual people soliciting or selling exploits react as they see the consequences of their actions over time. 

If you want a survey of global cyberattacks over the past 2 decades, this is your book. 5/5 stars.

Creating value in one place, capturing it in another

 

The most basic idea of business is:

  1. Make something worth buying.
  2. Sell it.
  3. Repeat.

So, I walk into Jason’s Hat Shop, find an awesome hat that fits my head, and pay Jason for the hat on my way out the door. Jason is using his hat-making skills to create value for me, capture that value from me, and then reinvest the cash to create more value, in the form of more hats. 

But many companies don’t capture value in such a straightforward way. Some time ago, I noticed that a number of companies appear to execute step (1) without executing step (2). They make something valuable, but then they give it away for free. Or so it seems.

For example, in 2013, Apple started giving away its operating system. It’s still giving away MacOS and all upgrades, while Microsoft is still charging for every version of Windows. What’s going on here? Isn’t Apple missing out on the chance to sell something that’s worth buying? 

For Apple, the value capture is happening elsewhere in the business: the hardware sales. If you try to download your free MacOS and you’re not running on shiny Apple hardware…good luck. Apple is still paying its developers for MacOS, but it’s not monetizing MacOS directly; it’s monetizing the Apple ecosystem as a whole. That’s a strategic decision. 

—-

Once you see this pattern in one place, you start seeing it in other places. Some companies appear to create value that they don’t capture directly.

When I was noodling around with this idea, I asked Twitter

 

As I kept thinking about this and looked at the responses, I realized that my question wasn’t that simple. There aren’t clean value-in, value-out answers. Companies have many parts, and you see all kinds of lumpiness in value creation and capture. What’s really happening is that value is being created by some parts of the company and captured in others. 

 

GitHub 

This was one of the most common answers in the Twitter thread above, and it’s a product of Microsoft. However, before becoming a Microsoft business line, GitHub was a successful, profitable, independent company for years (and profitable before it ever took its first VC dollar). GitHub creates more value than it directly captures with its public and generous freemium model: Using it has always been free if you (the customer) are willing to make your work open to the public to see. This does not compel you to publish under an open-source license, but if you’re willing to make your repo public, the product costs nothing. (Under Microsoft’s management, this free usage expanded to cover private repos with limited functionality as well.) This is kind of a double value creation: GitHub gives away usage of its service for free to support more open software development. Particularly when GitHub was a new, independent company, it was in GitHub’s best interest to do so because it solidified GitHub as the defacto standard place to host code, but it created more value than it immediately captured by offering a clean, well-lit place for all code to live and others to benefit.

However, the value capture was ingenious. As more publicly hosted code called GitHub home, it naturally became the primary web presence for developers. This is a very savvy position relative to other version-control software; the developer profile page combined with free tools generated a strong network effect. More developers wanted their code to collect attention (stars, forks, etc.) on GitHub because it increased their influence and the value of their public profile.

The value capture in post-acquisition life is even more clever. Microsoft has long wanted to own developer relationships (“Developers! Developers! Developers!”), and expanding the freemium model beyond just public usage to include limited private usage further cemented its lead as the best place to host code online. Microsoft can use this strong developer relationship to create tie-ins to other products such as VSCode—or, more important, Azure—to help it compete in the insanely ferocious cloud computing race against AWS. Azure is the fastest-growing revenue driver in Microsoft today, and any value the company can give away in other layers of its product offerings that can amplify the success of Azure is highly strategic.

 

Xerox (PARC) 

This response in the Twitter thread is a fun one, though nonobvious. Xerox employs roughly 24K people and generated $7BN in revenue in 2020, according to Wikipedia, and while that sounds like a lot of economic activity it captured for itself, the inventions it funded at the Palo Alto Research Center (PARC) were the essential inspirations and even exact inventions that generated multiple trillions in enterprise value for the likes of Apple and Microsoft. Members of PARC invented Ethernet, the modern PC graphical user interface, and the mouse. In this case, value created by Xerox at PARC was later captured by other companies.

The intended purpose of PARC was to find new products for Xerox to sell, and to discover how technology could help differentiate Xerox’s existing products. The company invented the future but couldn’t squint hard enough to see the commercial opportunity. This was not an altruistic gift of value creation; it’s a sad case of mismanagement in value capture that allowed Steve Jobs and Bill Gates to reap the rewards. 

Gates’s famous quote in conversation with Jobs on the subject is too good not to mention: “I think it’s more like we both had this rich neighbor named Xerox, and I broke into his house to steal the TV set and found out that you [Jobs] had already stolen it.”

Folks on Twitter also answered “AT&T” specifically because of the innovations at Bell Labs. AT&T was so successful at value capture at one point that it was trust-busted, so I’m not sure I agree with its inclusion on a list of companies that create more value than they directly capture, but the argument for why it should be on this list directly follows this Xerox PARC example. Bell Labs’ more famous inventions include the transistor (!), the operating system UNIX, and the programming language C.

 

Roblox 

This was one of the less popular examples cited in the Twitter thread, but I love it. All video games offer one of the highest value-to-cost ratios if you consider time spent as a key metric to entertainment value. For the price of a movie ticket, you can buy a video game that will last you >10x the play time of a 100-minute movie and often stimulate you with riveting challenges that spur interesting decision-making. I chose to feature Roblox specifically because not only does it present this incredible value to its customers, but also it has become a platform. A generation of indie game developers embrace Roblox as the place to build and distribute new games because they want access to Roblox’s audience.

A platform is a great template for a company that does a successful job of creating more value than it captures directly or immediately. A thousand flowers of other developers blossom on Roblox and help keep content fresh. That has enabled Roblox to last a decade as a gaming title, in a world where video games rarely have retail shelf life past 9 months. Roblox strategically gives away great value (access to distribute to 150 million active users on the platform) in exchange for a healthy pipeline of evergreen content that competes for relevance in its marketplace. You could argue that Roblox isn’t giving away anything free because it charges a 30% take rate, or marketplace fee, to participate, but compare this distribution access to World of Warcraft or League of Legends, which offer zero opportunity for third-party distribution; all new value creation is first-party, and no audience access is shared. 30% seems like more than a fair shake in this light and, more important, is a win-win-win: Developers get incredible distribution, players get constant new content, and Roblox gets a decade-long staying power and the privileged position of owning a marketplace that sells Robux, an in-game currency with a gross margin of 99%, to power the platform.

 

Craigslist 

This is another fun example that fits easily on this list, but for a subtle reason. The previous examples made the list because of their valiant efforts in value creation. By contrast, Craigslist is easy to include because its effort to capture value is so low. Craigslist enables so much commerce in local markets and is an incredibly flexible tool to buy and sell almost anything with shockingly quick liquidity. But it only makes money on job listings in a small subset of cities. The company’s management says that this revenue model was put in place to make the service better: charging for job listings in a subset of cities increased the quality of the job listings and reduced spam because spam couldn’t afford to pay the listing-fee tax. This incredibly low ratio of value capture to value creation is due to an almost noncommercial operation of the business. Is the world better because of its noncommercial efforts and the resulting unbundling over the past decade of Craigslist into many vertical niches? I’ll leave that one as an exercise for the reader.

Despite Craigslist’s low effort to capture value, the generosity of giving away marketplace listings was critical in scorching the earth to hinder competition, whether deliberate or not. Companies have done a good job over the past decade of competing with Craigslist on specific verticals (e.g., AirBnb vs. Craiglist’s vacation rentals or Indeed vs. Cragslist’s white-collar job listings). But companies that have tried to compete on a broad horizontal level with all of Craigslist (online classified listings competitors) have been forced into a race to the bottom on pricing due to Craigslist’s aggressive, nonexistent listing price and transaction fee from day one. Currently, Facebook Marketplace is doing the best job of competing on this broad horizontal basis, but it’s still unclear if it will actually become a material revenue line or just another piece of value FB gives away for free to capture value elsewhere in their business (Ads). Either way, Craigslist’s generosity is a moat because no company can compete with Craigslist without sacrificing profit.

This table helps summarize the various value creation and capture for these services:

 

Bottom line:

Across these examples, value creation and capture is lumpy. It’s disproportionate in some parts of businesses in one direction (often deliberately, in reaction to competition), and this lumpiness can create large pockets of value, often for free. 

The point is, many businesses don’t follow the simple process I described at the start (make something worth buying → sell it → repeat). It’s possible to get much more creative—and strategic—about how you navigate that process. Startups shouldn’t be tied to the simple and obvious model when an unexpected, uneven mode of value creation and capture might become a strategic advantage that helps them win. 

I’m inspired to partner with the next generation of companies that do this. If you aspire to build one, I’d love to talk to you about it via andrew@spero.vc.