The world is still dealing with the aftermath of the CrowdStrike screwup that took millions of computers offline last week. Some IT workers had to fix each computer manually, walking from machine to machine with a USB stick, and some remote workers say they’re locked out of their computers with no fix in sight. All because of a few lines of bad code.
It began in the early hours of Friday, July 19, when cybersecurity company CrowdStrike pushed an update to its millions of customers. Unfortunately for all of them, there was a bug in the code that caused Windows computers to repeatedly crash. This caused a lot of problems for airlines, banks, hospitals, TV broadcasters, government agencies and those who interacted with these agencies. The dreaded “blue screen of death” took over millions of computers. It took CrowdStrike only 78 minutes to identify the problem and issue a fix, but because many computers needed to be manually restarted, the problems persisted over the weekend and into this week. As of Wednesday morning, Delta Air Lines still faced delays due to the outage. The ongoing Delta flight cancellations left many unaccompanied minors separated from their parents for days at a time.
All of this is disturbing and anxiety-inducing. But such a massive outage — whether from a botched update, as in the case of CrowdStrike, or from a cyber attack — could be worse. A lot worse. As bad as this one is, reverting to the 19th century overnight would be worse, and it’s not clear what we can do to stop it.
“It was an accident,” Mark Atwood, an open source policy wonk and former Amazon employee, told me. “It could be something that … just bricked everyone’s computer, probably beyond repair.”
The really scary thing is that there isn’t much you or I can do to prevent a disaster from happening in the future. If you work for CrowdStrike, of course, you can do your part, but for the most part, building a more resilient Internet is a job for the federal government. As trivial as it may sound, one thing you can do is call your representatives in Congress and demand action. Because even if there isn’t much you can do on a personal level to prevent the next big internet outage or cyber attack, you’ll likely be affected.
A big problem — and a key reason this outage is so big — is that CrowdStrike controls so much market share, and its software is so deeply integrated into so many computers, that a bad update can take them down.
Regulations require companies in important industries, like health care and banking, to protect people from harm, which means they must follow cybersecurity guidelines and use endpoint security software, which protects Internet-connected devices from cyberattacks. CrowdStrike tends to be the default option for complying with these rules, and in 2021, the Cybersecurity and Infrastructure Security Agency (CISA) even chose CrowdStrike to protect multiple government agencies. CrowdStrike now controls about 25 percent of the market for endpoint security. So when CrowdStrike releases a bad update, a lot of people are affected. This particular incident affected 8.5 million Windows devices, according to Microsoft.
Lawmakers and regulators can and should learn from this CrowdStrike fiasco. This could be an opportunity for the federal government to redouble its efforts to improve cybersecurity and demand better from security companies. Dan O’Dowd, CEO and founder of Green Hills Software and The Dawn Project, an organization dedicated to making computers safer for people, says, “We need to demand that they make products that are truly secure.”
“We know how to do it. It’s been done for years in the military and aviation,” O’Dowd told me. “But it costs more, and people just have to accept that it’s going to cost us a little bit more, so we don’t lose it all.”
Cyber security experts talk a lot about the “big one” these days, and this is what O’Dowd is referring to when he says we can lose everything.
The big one may involve hackers attacking physical infrastructure, like power grids, water treatment plants or shipping ports. Bad actors can target elections, hack voting machines, and spread misinformation. Such things are actually already happening, but so far, no truly catastrophic outage or attack has been so successful that it brought down large parts of modern society. Not yet, at least.
The CrowdStrike incident should be a wakeup call, a reminder that the big one is coming and we can do more to stop it. Republican lawmakers called on CrowdStrike CEO George Shultz to testify before the House Homeland Security Committee to explain what caused the outage and what the company is doing about it. CrowdStrike told me it was “actively contacting relevant congressional committees” and on Wednesday released a preliminary incident report that details what went wrong and how it plans to prevent something like that from happening in the future.
The attention on Capitol Hill may signal legislative interest in creating new regulations for the cybersecurity industry, though nothing has been announced.
Meanwhile, FTC Chairman Lina Khan is drawing attention to how power concentration can mean “a single fault results in system-wide outages, affecting industries from healthcare and airlines to banks and auto-dealers.” She thinks a well-regulated cybersecurity industry can mitigate that damage. Others, including Atwood, noted that, in some ways, the regulations are in place, but companies like CrowdStrike are still not following best practices.
“Everybody believed there was no silver bullet, no cure except to try to think more,” Atwood told me. “There are still bullets and best practices that if you do, the chances of making this type of mistake are greatly reduced.”
Frankly, there is no easy way to completely secure our networks and computers. But the federal government continues to try. It established CISA in 2018 to do everything from securing elections to protecting the power grid from electromagnetic pulse, or EMP, attacks. President Joe Biden also issued an executive order in 2021 to improve the nation’s cyber security with 55 new requirements, almost all of which have now been completed. (That executive order also made CISA select CrowdStrike as the federal government’s endpoint security partner.) And this year, following a series of violations during the 2020 midterm elections, CISA also launched a program to strengthen election security, including the protection of non-voting systems such as voter registration databases.
This represents only a handful of the federal government’s efforts to prevent a catastrophic cyber attack or outage, and the cybersecurity industry is growing in lockstep with growing concern about such a disaster. Spending on cyber security is set to increase by nearly 70 percent from 2019 to 2023, according to Moody’s, and the rise of generative AI will only complicate the picture in the coming years. The 2024 election cycle has already seen AI-generated robocalls that imitated President Biden’s voice and told people not to vote, which doesn’t sound as scary as a cyber attack destroying a power plant, but is an attack on democracy.
The big one is still out there, lurking in some unknown future, waiting for the right thing to happen and lead to disaster. Some worst nightmare scenarios have already happened, just not globally. Ransomware attacks on hospitals and healthcare providers that threaten lives are a regular occurrence these days in the United States. After taking out part of Ukraine’s power grid with a cyber attack in 2015 and 2016, Russia used a novel cyber attack last January to reduce the heat in 600 buildings in the Ukrainian city of Lviv. So far, and very fortunately, we have not seen a cyber attack leading to a nuclear disaster, but that kind of thing is not out of the realm of possibility.
“So I just rewatched Chernobyl last week,” Atwood said, referring to the HBO series about the 1986 nuclear disaster. “And that was one of the key lines: Why worry about something that hasn’t happened yet?”
That’s how some cybersecurity executives think about the unthinkable, he told me, even when their own employees are warning against it.
If we’ve learned anything from the last week — or even the last decade — it’s that the scale of outages and cyberattacks is getting bigger as the world relies more on Internet-connected devices to run itself. There is no better time than now to reconsider whether we are doing enough to stop the latter.
A version of this story also appeared in the Vox Technology Newsletter.