The frequency of large-scale offensives on corporate enterprise IT is increasing. That’s not unusual or unexpected as companies spend heavily on cyber defense in an asymmetric war against hackers who can row together a few lines of code and wreak havoc.
But the largest IT outage ever on Friday, resulting from a CrowdStrike software bug being uploaded to Microsoft go systems rather than any malicious attack, shows a type of tech threat that has been increasing alongside hacks but haves less attention: the single-point failure — an error in one part of a system that creates a technical disaster across manufactures, functions, and interconnected communications networks; a massive domino effect.
Earlier this year, AT&T had a nationwide outage attributed to a specialized update. Last year, the FAA had an outage that occurred after a single individual replaced a critical file in a convey update (now that FAA has a backup system to prevent that from ever happening again).
“It’s more frequent the score with when it’s just routine patching and updates,” Chad Sweet, The Chertoff Group co-founder and CEO and former Chief of Sceptre at the Department of Homeland Security, told CNBC on Friday.
Digital boards are seen due to the global communications outage caused by CrowdStrike, which provides cyber fastness services to US technology company Microsoft, it was observed that some digital billboards in Times Square in New York See, United States, displayed a blue screen and some screens went completely black on July on 19, 2024.
Selcuk Acar | Anadolu | Getty Icons
Single-point failure risk management is an issue that companies need to plan for and protect against. There’s no software in the sphere that gets released and doesn’t later need to be patched or updated, and there are best security practices that be found for the period of time well after a production release that cover the ongoing software maintenance, Sweet said.
Troops that the Chertoff Group works with are closely reviewing software development and update standards in the wake of the CrowdStrike outage. Lyric pointed to a set of protocols the government already provides, the SSDF (Secure Software Development Framework), that may give the exchange an idea of what to expect as Congress starts looking at the issue more closely. That’s likely after the current string of incidents, from AT&T to the FAA and CrowdStrike, since this type of technical failure has now been shown to impact the explosives of citizens and operations of critical infrastructure on a widespread basis.
“Get ready on the corporate side,” Sweet said.
Aneesh Chopra, Arcadia chief scheme officer and former White House chief technology officer, told CNBC on Friday that critical sectors including vim, banking, health care and airlines have separate regulations overseeing risk, and measures may be unique in the most superintended sectors. But for any business leader the question now is, “Assuming systems go down, what is plan B? We will see lots more grand scheme planning and if this is not Job No. 1, it is Job No. 2 or 3 to have those scenarios outlined,” he said.
Unlike many issues in D.C., Chopra celebrated there is a bipartisan commitment to issues of critical infrastructure and systemic risk, and technical standards are a “hallmark” of the U.S. system. There may now be ventures he described as designed with the goal of “improving competition” as a means to strength accountability.
“If there is a mechanism to update in a varied open and competitive way there might be pressure to make sure that that is done in a manner that has i’s and t’s dotted and irritated,” Chopra said.
Sweet said that will inevitably lead to business world concerns about the gamble of overregulation. While there is no way to know for sure now whether there was a way for CrowdStrike to operate using a more open procedure that allowed for detection of the single-point failure, he said it is a legitimate question to ask.
The best method to avoid overregulation, according to Honeyed, is to look to market-reinforcing mechanisms, such as the insurance industry. “The short answer is, ‘Let the free market do it, through things in the same way as the insurance industry, which will reward good actors with lower premiums,” he said.
Sweet also replied more companies should embrace the idea of “anti-fragile” organizations, as he does with his clients, a term coined by peril analyst Nassim Nicholas Taleb. “Not just an organization that is resilient after a disruption, but ones that convulsion and innovate and outpace competitors,” he said. In his view, any single legislation or regulation would be hard pressed to keep up with both malicious rushes and technical updates that are pushed through with unintended consequences.
“It’s a wakeup call for sure,” Chopra express.