SUBSCRIBER+EXCLUSIVE ANALYSIS – As the world gets back online after a global outage that impacted some 8.5 million individual devices worldwide, national security and cybersecurity experts are assessing lessons learned from a still-fragile global tech ecosystem and how that fragility could affect future national security.
BOTTOM LINE UP FRONT
Last week’s global outages, traced back to a defective update from cybersecurity company CrowdStrike that impacted Windows systems around the world, should serve as a global wake-up call for national security leaders. The cascading effect of the outages highlighted the need for improved resilience, a better understanding of where risk is concentrated, and recognition of the fluid nature of which entities should be deemed ‘critical infrastructure’.
“I think there is a concern that as we get more and more dependent on complex IT systems, the points of vulnerability multiply,” former Secretary of Homeland Security Michael Chertoff told The Cipher Brief. “… we’ve become so dependent on using cyberspace as a way of controlling our physical activities, and not just information, that increasingly, we see that even an innocent error can cause a ripple effect across a whole number of different infrastructures.”
Chairman of the Joint Chiefs Charles Q. Brown said last week that there had been no impact on DOD operations but did call the incident a warning of the nation’s vulnerability to cyberattacks.
“I’m sure our adversaries are looking at this as a way to put sand into gears if we’re trying to generate combat power to go to respond to a crisis anywhere around the world,” said Cyber Initiatives Group Principal and former Executive Director of the Cyberspace Solarium Commission Mark Montgomery.
The fact that this happened to CrowdStrike, an Austin-based cybersecurity company that counts nearly 300 of the Fortune 500 companies among its customers, is a sign of the risk presented by the interconnectivity of global devices.
“I like CrowdStrike a lot,” former director of the National Security Agency and the CIA retired General Mike Hayden told The Cyber Initiatives Group. “If CrowdStrike has a problem, I’m very concerned because now we all have a problem.”
THE CONTEXT
- CrowdStrike sent an alert to its clients saying its "Falcon Sensor" software was causing Microsoft Windows to crash, displaying only a blue screen, commonly referred to as the "Blue Screen of Death."
- Global air traffic operations were significantly impacted. United, Delta, American, Allegiant and Spirit Airlines all reported cancelations. Major airports in Sydney, Berlin, London, Singapore and Hong Kong reported disruptions.
- More than 2,000 flights into, out of or within the U.S. were canceled.
- Global shipping companies, including FedEx and UPS, reported major disruptions.
- Banks in the U.S., India, Australia, Germany and elsewhere also reported outages.
- Across the U.S., 911 services, including dispatch and call centers, and state driver and social security service centers went down.
- Health-care systems were impacted worldwide. Major hospitals reportedly canceled non-critical surgeries, and U.K. booking systems for doctors went down.
WHAT THE EXPERTS SAY
SILVER LINING: EXPOSING THE VULNERABILITIES BEFORE THE ADVERSARIES DO
“It's demonstrating a real vulnerability. An idea that we've been pushing hard is on military mobility, about how our national security is tied to aviation, rail, and ports, but also, we may need to remind ourselves of our economic productivity. Obviously, we need to figure out what happened and we probably need to have a very questioning attitude about software updates that are applied automatically and ask questions about the difference between the Microsoft model and how Apple restricts access. I'm guessing that's going to be the key to why this propagated in some systems and not others. There are a lot of important lessons to learn, but I'd be lying if I didn't say this will be one more bullet line in my presentation on why you should focus on the resilience of your systems, your ability to recover, your ability to mitigate, and then have multiple redundant networks to bring things back online. So, from my perspective, there is a little bit of lemonade in this lemon."
"We focus sometimes on the size of the reach and the number, sensitive information, et cetera, but it really is when these things impact ordinary people in such a significant way. We just talked to my sister-in-law whose daughter was caught flying in today with her grandson and now they're not coming. I mean these are the kinds of stories that create an environment that helps create the political will to look at things like liability issues as well as regulation."
"It's hard to see how this doesn't lead to increased calls for more regulation, liability, et cetera, going down to the national cyber strategy. Politically, you can imagine that Congress is going to be pounding the table about this, and I assume that'll produce at some point, some reaction. And also I think Mark's point about resilience is really right. This is going to really force companies to go back and say, what if this happens again? Because it will happen again, and companies need to be in a better position to deal with this. For airlines to have to go back to pieces of paper and pencils at every boarding gate is insane."
DEFINING CRITICAL INFRASTRUCTURE
"We've always said that the definition of critical infrastructure needs to be dynamic, because it will change. The example we always used to use is that you might not think of the Milwaukee bus system as critical infrastructure until the time comes when you need to evacuate the city."
"If we're talking about the challenge of concentration or if one domino falls, even if it's a CrowdStrike, what does that mean? That's a hard conversation. This incident basically made CrowdStrike critical infrastructure because when they went out, it led to reciprocal effects all the way down the board. I agree with what everyone else is saying that there is going to be a challenge of, 'Let's make sure this doesn't happen again,' but that also means don't be dependent on a primary vendor across the board. And that's a challenge you have in power, water, phone, everything. So, it's going to be tough.
I'm on the fence on whether there's going to be extreme action as a result of this other than just the stock price drop we saw that it'll likely bounce right back up because candidly, I have pretty good confidence in CrowdStrike, but that's the way we see it right now, is that they were very quick and responsive in saying it wasn't an adversary that caused this action. They're very quick in jumping in to help as they can, but is 24 hours too long to get everybody back online? That's the real question."
"This incident continues to prove what I refer to as 'Evil Cyber Lord Rule Number One,' which is never ascribe exclusively to evil when stupid is still available as an option. I also think that there are a couple of other implications that came out here: one is that these systems are so complex that it is actually very difficult to predict all of the possible interactions.
Some of the after-action reviews are going to need to ask whether there was a process failure on the part of CrowdStrike in terms of how it tested and looked at the update. There's also a security issue, which is that presumably if this was an accident, you could also therefore cause it by a deliberate action on the part of an adversary. So, Microsoft needs to be looking at that question.
But talking about the concentration risk, that's a really difficult one for individual companies to deal with because the network benefits of being on one vendor are pretty big, and they're really difficult for any individual company to overcome."
"I really do always come back to resilience. The public needs to demand greater resilience, and it does that by putting pressure on their elected officials, raising it at town halls, et cetera, so that members of Congress feel the heat and the administration feels the heat and can apply that heat to businesses. And the customers can demand greater transparency around how resilient companies are. We really need to focus on the cloud providers and require that they provide greater transparency into the resilience that they constantly claim they have. They assert this, but they do not show it. We need them to show their homework."
Cipher Brief Writer/Researcher Ethan Masucol contributed to this Cipher Brief Analysis.