The frequency of large-scale attacks against corporate IT continues to increase. This isn’t unusual or unexpected, as companies invest heavily in cyber defenses to fight asymmetric warfare against hackers who can string together a few lines of code and wreak havoc.
But Friday’s largest-ever IT outage was caused by an erroneous upload of CrowdStrike software to Microsoft operating systems rather than any malicious attack, illustrating a technology threat that continues to grow alongside hacking but attracts less attention: the single point of failure, where an error in one part of a system results in a technical disaster across industries, functions and Internet communication networks, a huge domino effect.
Earlier this year, AT&T experienced nationwide service outages due to a technology update. The FAA had an outage last year when one person replaced a key file in a routing update (now the FAA has backup systems to prevent this from happening again).
Chad Sweet, co-founder and CEO of the Chertoff Group and former chief of staff at the Department of Homeland Security, told CNBC on Friday: “Even if it’s just routine patches and updates, this is going to happen more often.”
Because of a global communication outage caused by CrowdStrike, which provides network security services to the American technology company Microsoft, some digital advertising billboards in Times Square in New York City displayed blue screens and others went completely black on July 19, 2024.
Managing single-point-of-failure risk is something companies need to plan for and protect against. Sweet said there is no piece of software in the world that does not require patches or updates after release, and that best security practices exist covering ongoing software maintenance for a period of time after a product is released.
Companies working with the Chertoff Group are closely reviewing software development and update standards following the CrowdStrike outage. Sweet noted that the government has provided a set of protocols, the Secure Software Development Framework (SSDF), that may give the market an idea of what to expect as Congress begins to look more closely at the issue. That scrutiny is likely after a series of recent incidents, from AT&T to the FAA and CrowdStrike, because this type of technology failure has now been shown to widely impact the lives of citizens and the operation of critical infrastructure.
“Be prepared on the corporate side,” Sweet said.
Aneesh Chopra, Arcadia’s chief strategist and former White House chief technology officer, told CNBC on Friday that key industries including energy, banks, health care and airlines have separate risk regulations, and that in the most highly regulated industries the measures may be unique. But the question now for any business leader is, “What’s Plan B if the system fails? We’re going to see a lot more scenario planning, and if that’s not job No. 1, then having those scenarios, that’s job description No. 2 or No. 3,” he said.
Chopra noted that, unlike many issues in Washington, D.C., critical infrastructure and systemic risk draw bipartisan commitment, and that technology standards are a “hallmark” of the American system. He described possible efforts now aimed at “improving competition” as a means of increasing accountability.
“If there is a mechanism for doing updates in a more open and competitive way, then there may be pressure to make sure that updates are done in a dotted-line way,” Chopra said.
Sweet said this will inevitably raise concerns among the business community about the risks of over-regulation. While it’s unclear whether CrowdStrike has a way to operate with a more open process that would allow for the detection of single points of failure, he said it’s a legitimate question.
Sweet believes the best way to avoid overregulation is to pursue market-enhancing mechanisms, such as the insurance industry. “The short answer is, ‘Let the free market do this through, for example, the insurance industry, which will reward good players with lower premiums,’” he said.
Sweet also said that more companies should embrace the idea of “antifragile” organizations, a term coined by risk analyst Nassim Nicholas Taleb, just as he does with his clients. “Organizations can not only remain resilient in the wake of disruption, but also thrive, innovate and outperform their competitors,” he said. In his view, it will be difficult for any single piece of legislation or regulation to keep pace with malicious attacks and technological updates, and these updates can have unintended consequences.
“This is definitely a wake-up call,” Chopra said.