CrowdStrike, Microsoft Outage: Is Tech Too Vulnerable? – Georgetown University

Ask a Professor: Laura DeNardis on the CrowdStrike Outage and Securing Cyberspace

The world just experienced a widespread technical outage linked to a company called CrowdStrike. What exactly happened on Friday, July 19, 2024?

Cybersecurity firm CrowdStrike pushed out a routine software update that inadvertently crashed customers’ Windows systems. The very purpose of the update involved a core cybersecurity mission of detecting emerging threats and, specifically, gathering data “on possible novel threat techniques.” Instead, an error in the software update triggered a problem that gave customers the Windows “Blue Screen of Death.”

As CrowdStrike immediately explained to customers and the world, the problem was not a cyberattack but an error in the software update. Because the bug was in CrowdStrike’s Falcon platform update for Microsoft Windows, computers using other operating systems (e.g. Mac and Linux) were not impacted. Because so many core systems in society rely upon CrowdStrike, the outage was widespread and disruptive across critical sectors: flights canceled, medical procedures delayed or canceled and many other routine societal systems affected.

The regrettable irony is that the effect of the outage — caused by an error in software designed to stop widespread cybersecurity attacks — ended up mimicking what would be the effects of an actual widespread cybersecurity attack.

Why did the problem have such a massive impact across so many industries?

The 8.5 million Windows devices that Microsoft estimated as affected by the CrowdStrike update error represented less than 1% of Windows devices. So why was the outage so widespread? The organizations that operate critical societal infrastructure are the very institutions that implement cybersecurity services such as those provided by CrowdStrike. Every crucial sector uses specialized cybersecurity services — agriculture, airlines, banking, energy, government, healthcare, manufacturing, retail and more. These were the sectors affected by the outage. Regulators were quick to ask how greater market diversity in the tech industry would have dampened the impact, one topic among many that will no doubt arise in forthcoming hearings on the Hill.

The much larger issue is that everything is digitally connected. As I explained in a recent book, an outage is not just about what we do through a computer screen or phone but about the connected critical infrastructure and cyber-physical objects all around us. An outage is no longer about an inability to send an email or access files but about the right to receive medical care or travel freely. Everything from our food supply to our energy systems depends upon secure and resilient digital technologies.

The CrowdStrike incident was caused by a faulty update rather than a cyberattack. How have hackers taken advantage of the situation?

Although the outage was not a cyberattack, hackers quickly capitalized on the chaos. Malicious activity in the aftermath of the outage used “social engineering” techniques designed to trick people into taking some action that could harm them or their organization. The United States Cybersecurity and Infrastructure Security Agency (CISA) warned that “Cyber threat actors continue to leverage the outage to conduct malicious activity.” The social engineering techniques included phishing attacks trying to trick people into downloading malware, divulging security credentials or making financial payments. Fake websites arose. CrowdStrike Intelligence published a running list of websites fraudulently impersonating CrowdStrike. CrowdStrike also disclosed that hackers were circulating a malicious ZIP file largely targeting Latin American customers.

This ecosystem of social engineering techniques is a reminder that cybersecurity is about our human defenses as much as our technical defenses.

What are your takeaways from this incident? What does this outage portend about future cyberattacks?

Media and government attention around tech policy overfocuses on social media content problems while often ignoring the more critical issues around underlying infrastructure. There are hidden layers of infrastructure — cybersecurity platforms, protocols, the Domain Name System, routing and addressing, satellite systems — upon which everything depends. My book on internet governance addresses how the design, operation and governance of these underlying infrastructures are the new spaces where economic and geopolitical power are unfolding.

For decades, there have been predictions of a “digital Pearl Harbor,” yet the internet and digital technologies have endured. A continuous stream of ransomware attacks, government-ordered outages around the world, worms, viruses and attacks on critical infrastructure have been highly problematic but not globally catastrophic.

Yet, one takeaway from this incident is how disruptive an actual malicious and widespread cyberattack could be. This incident affected a small number of computers relative to connected devices around the world. CrowdStrike employees identified the problem quickly and transparently communicated to the world that this was not a cyberattack but an update error. They released solutions to mitigate the problem and explained what they will do differently in the future, such as more rigorous testing of updates. Still, the outage was devastating and helps people imagine what could happen in a more widespread outage or targeted attack. In my opinion, the most catastrophic attacks would be ones that target our energy grid or satellite systems.

The incident also raises important questions about liability, accountability and deterrence. The losses from this one incident will likely be measured in billions of dollars. Liability clarification in complex digital systems is a governance area that needs to be addressed. Additionally, cyber insurance is now a routine strategy for large and small organizations. The focus of these policies is often on malicious security incidents such as the cost of a data breach or ransomware attack. This incident was not an intentional act, so it emphasizes the importance of including non-malicious disruptions as part of insurance strategies.

Is there anything we should all do to secure ourselves?

The outage is a reminder that even people who have never even been online can be profoundly impacted by an outage or cyberattack. The aftermath of the CrowdStrike outage included families sleeping on airport floors. Someone who has never been online could have still been affected by the massive data breaches at Target, Home Depot or the U.S. Office of Personnel Management. Ransomware attacks on hospital systems have caused ambulances to divert from emergency rooms and have prevented patients from receiving care. Cybersecurity is a society-wide problem requiring multi-stakeholder strategies from the private sector, technical coordinating bodies and governments.

Still, the majority of us who are connected can help reduce cyber risk. Most people understand the basics of access protection: using complex passwords, avoiding re-use of the same login credentials, using multi-factor authentication (MFA). Other best practices for protecting our own systems and data include keeping software up-to-date, preferably through automatic updates; regularly backing up files, both locally and using cloud computing services; never using unsecured Wi-Fi networks; and using a virtual private network (VPN).

The more difficult issues are psychological rather than technical. Fraud and cybercrime due to social engineering techniques continue to increase. Hackers have become very good at tricking people into responding to a text message, clicking on a link in an email, making payments or disclosing personal information. Staying informed about current cybersecurity threats is critical.

One of the core research areas of Georgetown’s Center for Digital Ethics is cybersecurity ethics. Why is cybersecurity an ethics area?

Everything in society now depends upon strong cybersecurity — privacy, national security, financial transactions, basic critical infrastructures keeping society functioning. There are ethical dilemmas deeply embedded in the design, operation, governance and use of cybersecurity. Cybersecurity policy choices involve fundamental ethical choices, such as encryption strength debates, ransomware responses and the moral obligation to secure medical devices.

For example, governments have an interest in strong encryption for national security but also an interest in weaker encryption for foreign intelligence and law enforcement functions. As digital technologies continue to move into the physical and biological world — including intersections with quantum computing and neuroscience — the ethical complexities only rise. Cybersecurity is a great human rights issue of our time and part of the Center’s core mission of bringing about a more ethical digital future.