The tip of the iceberg

Making the invisible visible as soon as it is no longer working... Source: https://x.com/wilplatypus/status/1814387942401654874

Welcome to the eighth issue of my monthly newsletter.

I'll be sharing analysis and short stories about digital transformation, practical recommendations, or recommended reading on this platform.

This week, let's talk about CrowdStrike and how the latest incident to bring cybersecurity awareness to the masses - albeit for a short period - is only a symptom of a much bigger problem that needs urgent resolution unless we want to relive the Titanic experience.

Please enjoy!


Some weeks ago, even people who usually don't care about cybersecurity were suddenly interested, because they were directly affected by a major issue: a problem with a popular EDR solution - Endpoint Detection and Response, basically a safety measure on end devices connected to networks like the internet, in charge of warning about and defending against malicious actors - crashed several systems, leading to the infamous "Blue Screen of Death" or BSOD and making visible just where we rely heavily on IT, from hospitals to airports, from government agencies to shopping malls.

The company developing the software in question, CrowdStrike, quickly released instructions and an apology, but I do not want to go into the details of this particular incident. CrowdStrike published an interesting Post Incident Report and various media portals have written about the impact and the likely causes of the incident, e.g. here or here if you are interested in learning more about the incident.

Although the magnitude of this incident is considerable, it is but one of several critical incidents of the recent past shining a light on a truly uncomfortable truth: the systems running everything around us and the systems intended to protect them are unsafe!

What's important to note here is that there is not just a threat from malicious actors but also a considerable risk from negligence, incompetence, and simple human error on the part of cybersecurity vendors and the companies implementing their systems, calling system availability into question. What's worse, malicious actors were quick to jump on the opportunity to use this self-inflicted incident for their purposes, as the urgent need for additional updates to fix this mess opened a lucrative attack window.

How we got here is unfortunately not a surprise, as various cybersecurity experts laid out in their post-incident analysis: cybersecurity is often an afterthought when designing software, so there is a need for security software. Given the evolving nature of software, there is also a need for additional updates, and complex supply chains and systems mean that problems at even one of many steps can cause systemic impacts.

The incident also reminded us that compliance with certain standards does not equal security, especially in ecosystems that have single points of failure and huge concentrations or markets dominated by individual products or companies, an issue not limited to IT or the internet but also known from other fields and occurring in the past, e.g. in telecommunications.

Failures on multiple levels - technical, organizational, but also political - facilitated this incident. And although our fast news cycles might give the impression that we are "back to normal", things like this can and most likely will happen again, potentially with even worse consequences, whether through a malicious actor or by accident, unless we act.

I've written previously about "policy debt" when it comes to Digital Governance, and cybersecurity is no exception. The CrowdStrike incident is but part of a huge iceberg that experts have been warning about for decades! Go to any cybersecurity conference and you'll hear "told you so", leading to a feeling of lethargy and frustration in light of this incident.

So, what to do? More attention and more resources for cybersecurity must certainly be part of the solution, but if we want to evade the iceberg that is unsafe software, companies, developers, researchers, and policymakers must talk to each other and abandon their silos. Cybersecurity is a complex challenge that requires different stakeholders - operating in very different worlds and with different motivations - to work together better, and we also need to address the issue of bad incentives in a market that continues to treat security as an afterthought. If not, we'd better get our violins out.

