CSRB VS. CROWDSTRIKE? — In a little over three years, the Cyber Safety Review Board has proven it has the chops to take on some big issues in security, from vulnerabilities in open source code to the culture of corporate giants like Microsoft. Could CrowdStrike be next?

Officially, we don’t know: The Department of Homeland Security, which chooses what incidents the after-action review board will investigate, did not respond when asked whether it would open a formal review of the July 19 IT outage, triggered by the cybersecurity giant sending a defective update to Microsoft customers around the world. For its part, a spokesperson for CrowdStrike said it would be “happy to work with them on any inquiry that they may have.”

Unofficially, many support it: MC spoke with former Cyber Safety Review Board members and other security experts, a majority of whom said they strongly support that idea.

A clarion call for resilience and accountability: Former National Cyber Director Chris Inglis said he “put[s] the event in the same category as SolarWinds,” the late 2020 Russian hack that is regarded both as one of the U.S.’ worst intelligence failures — and a wake-up call on supply chain security. Inglis argued the incident carries important lessons about digital resilience and the legal liability of software providers. CrowdStrike’s error grounded thousands of flights, disrupted 911 services and pushed some hospitals to cancel elective medical procedures. It’s still unclear how much of that the security provider will be on the hook for. “Changes in expectations, accountability, and behavior are needed on all sides,” said Inglis, who served on the board before he resigned from government in February 2023.

Watching the watchmen: Another former CSRB board member, Katie Moussouris, said she strongly supports a review of CrowdStrike because the firm’s preliminary post-incident analysis revealed there were both “technical bugs” in its software and “process bugs” in the way it tested and rolled it out. The firm did not test the defective update on simulated Windows computers, for example, and many CrowdStrike customers were surprised at the level of deep access it had to the Microsoft operating system. “This was a definite risk of how they choose to deploy their tech,” Moussouris said, and the CSRB “could look at what kind of culture the company had, and whether it contributed to this disaster.”

Training ground: Brian Fox, the chief technology officer at supply chain security company Sonatype, echoed Moussouris’ and Inglis’ points on software liability, resilience, and CrowdStrike’s technology practices. But Fox said he thinks the review is a good idea first and foremost because the outage was “the perfect tabletop” for what a major attack from a U.S. adversary would look like — especially one that targets a company so much of the digital economy relies on. “Identifying ways that we might be able to contain the damage of a malicious attack on a monoculture piece of tool I think is something that would be worthwhile investigating,” he said.

Not so fast: One cyber expert MC reached out to, Trey Herr, voiced skepticism of such a probe. Herr, who is the senior director of the Atlantic Council’s cyber statecraft initiative, argued that the key issue in the CrowdStrike outage isn’t what happened — but how we got to a place where “8.5 million machines are failing because of a single cause.” That isn’t something the CSRB is well-positioned to address, said Herr, who has testified before Congress about the board. “There are far more complex failures for the CSRB to work,” he added, citing the recent theft of nearly all of AT&T’s customer records.

One thing to watch: Several of the CSRB’s members recused themselves from its recent investigation of Microsoft due to conflicts of interest. And that would be an issue again in a CrowdStrike probe, since the deputy chair of the public-private board, Dmitri Alperovitch, was one of the firm’s co-founders. Other board members work for CrowdStrike competitors.