PGI’s Digital Investigations Team brings you the Digital Threat Digest, SOCMINT and OSINT insights into disinformation, influence operations, and online harms.
As I waited for my flight to be rescheduled during last week’s IT outage, I listened to fellow passengers wonder aloud how a company whose name has never hit their radar could have such an impact on such a spectrum of day-to-day matters.
What this illustrates is the dominance of a few key players in the technology security space—like CrowdStrike—who are capable of providing normally very strong defences due to a combination of technical software engineering skill, reputation, market penetration and sheer volume that allows them to gather useful threat intelligence. It follows that every new customer provides new sources of threat data that makes the CrowdStrike service demonstrably more useful to both the next new customer and all the existing customers. The better and more comprehensive a service, the more likely it is to attract more and more bigger clients. And so, it perpetuates.
That creates an inevitable problem. The volume of clients required to create this comprehensive and commercially attractive service, means that when a supplier—in this case CrowdStrike—has a problem, the effects are equally compounded. Whether the problem is a genuine error or process failure (as in this case) or a compromise by a hostile actor (as in Solar Winds in 2020, NotPetya in 2017 or WannaCry in 2017), the consequences are massive and far-reaching.
The pace of change demanded by the technology world creates a unique challenge where we both require a fast pace of change and a highly reliable service. One can't be compromised for the other.
Organisations that were impacted will point to regulations that require them to provide strong comprehensive cyber security solutions with rapid updates on their systems to sustain maximum defence. CrowdStrike is a reputable vendor in the space.
Really, the regulatory solution currently demands that public service providers have enough visibility of all the potential threats, in order to provide effective scale and sufficient threat intelligence (in turn providing effective protection to the respective public service users). So, while there is criticism of those who have been impacted; it's worth bearing in mind that prior to the incident they could have been praised for taking effective comprehensive cyber security protective measures using an industry-leading tool.
CrowdStrike themselves must, of course, bear some responsibility for the effect. It was their mistake after all. They will be heavily audited after this and there is no bad thing about an organisation that is placed under a microscope. But it would be naive to believe that mistakes never happen and when it comes to key public services, operating a model that simply demands ‘mistakes can never happen’ is a great aspiration but is unrealistic in practice.
The CNI regulatory regime needs to re-examine this quandary. Does each sector's regulator for cyber security (and there are several) have visibility of common critical software used across all their sector providers? Never mind how common that same software is across multiple sectors covered by multiple regulators. Only until that is understood can regulatory regimes put in place mitigations to reduce such impacts of mistakes (or attacks).
Concurrently, information sharing at pace is a challenge in all sectors of the digital economy, especially when it comes to defensive information; we must share the knowledge of how attackers work quicker than attackers can exchange this information on how they can be effective. This challenges both PGI’s digital investigations and cyber security arms who frequently work with customers to explain the benefits of information sharing agreements between private sector organisations, public sector organisations, national agencies, and internationally.
This, for commercial software providers, is at odds with the commercial dynamics under which they secure market share. But when it comes to CNI, perhaps there needs to be a wider consideration to factor into that regulatory framework.
A mistake did not make CrowdStrike a bad organisation overnight, but perhaps some CNI regulatory complacency allowed a hidden commercial dependency to go unevaluated and thus untreated. Unless that is put right, a similar thing will happen again and again. The pursuit of technical excellence makes that inevitable.
More about Protection Group International's Digital Investigations
Our Digital Investigations Analysts combine modern exploitative technology with deep human analytical expertise that covers the social media platforms themselves and the behaviours and the intents of those who use them. Our experienced analyst team have a deep understanding of how various threat groups use social media and follow a three-pronged approach focused on content, behaviour and infrastructure to assess and substantiate threat landscapes.
Disclaimer: Protection Group International does not endorse any of the linked content.
While my experience of parenting has been limited to trying to ‘school’ my younger siblings (classic older child behaviour), I have recently started thinking about how we should explain digital threats to children and the next generation – i.
PGI, in collaboration with project management partner Development Alternatives Incorporated (DAI), recently completed a study under the USAID and International Telecommunication Union (ITU) initiative aimed at promoting gender equity and inclusion in cybersecurity across Asia and the Pacific.
In 1858, The New York Times called the telegraph (the thingy that sends individual telegrams) “trivial and paltry”, and also “superficial, sudden, unsifted, too fast for the truth”.