Andrew Peck, a cyber resilience PhD researcher in the Department of Computer Science at Loughborough University who, prior to joining the institute, had a career delivering IT solutions to big industry, healthcare and government, and Professor Oli Buckley, an expert in cyber security also in the department, have reacted to the IT outage news.
“Waking up to discover that chunks of the infrastructure we rely on are not functional is a seemingly increasing feature of the cyber-physical infrastructure that modern economies and societies depend on”, said Andrew.
“There are two points worth considering here. The first is a perspective on resilience. Cyber resilience asks, ‘how do we survive something going wrong?’, whereas cyber security asks ‘how do we stop something bad happening?’.
“Companies that still don’t have these strategies in place will be watching the relative success of their rivals today and realising that this has to become part of what they do.
“The second thing to consider is the cause of the crash today. The outage appears to be caused by a poorly written update from a cyber security vendor.
“The measure in terms of resilience is not what has happened, but what CrowdStrike do in response.
“CrowdStrike will have shifted from ‘security’ to ‘resilience’ mode in a heartbeat as the success or failure of their business depends now on how well they manage their responsibilities and client communications.
“Whilst this outage is theirs to own, their solutions have prevented similar incidents many times over and they have a lot of goodwill and a strong reputation which should let them weather this.”
So, what can be done to prevent this happening again?
“It highlights the important work to be done at a government and policy level”, Andy said.
“I expect UK Government ministers and their advisers that are about to start drafting the Cyber Security and Resilience Bill – announced in the King’s speech – to be watching this incident closely to work out what mandatory frameworks and measures they want to make part of UK law going forward to insulate the economy and society from shocks like this.
“It’s important to note that this incident doesn’t appear to be malicious, and I’d expect to see the Bill account for that with requirements for governance, oversight and checks within our digital supply chains in the same way that legislation around GDPR defines and places responsibility on data controllers and processors.”
A "critical gap"
Professor Oli Buckley, a Professor in Cyber Security, commented: "CrowdStrike's recent update issues highlight a critical gap: while experienced users can implement the workaround, expecting millions to do so is impractical.
"The real challenge lies in deploying the workaround across all affected systems—a non-trivial task demanding coordinated efforts, so a proper patch can be put in place.
"Additionally, it looks like a config file error rather than a code update and it seems to be mainly impact CrowdStrike Falcon.
"This an Endpoint Detection and Response Platform and has had the knock-on impact of affecting those running Microsoft software. As we are incredibly reliant on Microsoft products this is causing such widespread issues.
"Ironically, Falcon's role is to protect devices from cyber threats by monitoring for intrusions or suspicious activity and then it should block it.
"This is a complex bit of software that can update the way a system behaves to try and keep them safe from attack."