The Chertoff Group

Chertoff experts take to the airwaves in midst of CrowdStrike Outage

The CrowdStrike outage that crippled business operations on Friday, July 19, including aviation and health care, highlights the need for organizations to safeguard the resiliency of critical systems. Chertoff Group cyber leaders including Michael Chertoff, Chad Sweet, Adam Isles, David London and Lee Kair provided commentary to networks including CNBC, CBS, FOX and NewsNation, as well as print interviews with the Wall Street Journal, Politico, CNN and TechStrong.

The frequency of large-scale attacks on corporate IT is increasing. This is not unusual or unexpected, as companies spend heavily on cyber defenses in an asymmetric war against hackers who can string together a few lines of code and cause chaos.

But Friday's IT outage, the largest ever, which resulted from a CrowdStrike software bug uploaded to Microsoft operating systems rather than a malicious attack, illustrates a type of technical threat that is increasing along with hacks but receiving less attention: the single-point failure, a flaw in one part of a system that causes a technical disaster across sectors, functions and interconnected communications networks in a massive domino effect.

“It’s happening more often, even if it’s just routine patches and updates,” Chad Sweet, co-founder and CEO of The Chertoff Group and former Department of Homeland Security chief of staff, told CNBC on Friday.

Sweet said this will inevitably lead to concerns in the business community about the risk of over-regulation. While there’s no way to know for sure right now whether CrowdStrike had a way to operate with a more open process that allowed for detection of the single-point failure, he said it’s a legitimate question to ask.

The best way to avoid overregulation, according to Sweet, is to look at market-reinforcing mechanisms, such as the insurance industry. “The short answer is, ‘Let the free market do it, through things like the insurance industry, which rewards good performers with lower premiums,’” he said.

Sweet also said more companies should embrace the idea of “antifragile” organizations, a term coined by risk analyst Nassim Nicholas Taleb, as he does with his clients. “Not just an organization that is resilient after a disruption, but an organization that thrives, innovates and outperforms its competitors,” he said. Any single law or regulation, he said, would struggle to keep up with both malicious attacks and technical updates that are implemented with unintended consequences.

Single-point failure risk management is an issue that companies need to consider and protect against. There is no software in the world that is released and does not need to be patched or updated later, and there are security best practices that apply well after a production release that cover ongoing software maintenance, Sweet said.

Companies Chertoff Group works with are keeping a close eye on software development and update standards in the wake of the CrowdStrike outage. Sweet pointed to a set of protocols the government already offers, the Secure Software Development Framework (SSDF), that may give the market a sense of what to expect as Congress takes a closer look at the issue. That’s likely after the recent string of incidents, from AT&T to the FAA to CrowdStrike, as this type of technical outage now impacts the lives of citizens and the operation of critical infrastructure on a massive scale.

Best Practice for Software Updates

It is important to do quality control and testing before a major software update is pushed. This detailed process includes pre-production testing to ensure the software works as intended prior to operation in a live environment. The Chertoff Group works with clients to implement best practices and avoid pitfalls.

Organizations have become reliant on their systems operating perfectly all the time. Businesses need to build in resiliency by assuming occasional outages in the modern digital age. Enterprise leaders need to know what they can and cannot operate when a system goes down, and plan for backup systems or substitute alternative operational paradigms as a holding pattern.

Other Considerations

Insurance companies are making decisions on the level and cost of cyber insurance coverage based on adherence to industry and government standards.

A portion of this blog is reprinted from worldofsoftware.org.

Watch and read our team’s interviews at the links below:

Chad Sweet on CNBC

Michael Chertoff on NewsNation and in The Cipher Brief

Adam Isles on CBS New York and WSJ

David London on FOX NewsNow
