Last week’s meltdown is an overdue reminder of our wider vulnerability to cyberattack.
The post CrowdStrike: Accidents and Designs appeared first on CEPA.
Fragility is dangerous. That is the lesson of last week’s computer meltdowns. The culprit was a carelessly written update to CrowdStrike’s widely used Falcon Sentinel cybersecurity software. It crashed millions of Windows computers, causing caused chaos in air transport, financial services and health-care, at great financial and human cost.
But it could have been far worse. Few users realize that allowing automatic updates means their computers and other devices are, in effect, remote-controlled. In other—nefarious—contexts, we would call the mass hijacking of computers a botnet. These are at the heart of the cybercrime industry. In May the US Justice Department and the FBI arrested a Chinese national, YunHe Wang, who had illegally and secretly gained control of millions of computers around the world that ran Windows software. He then rented them out to cybercriminals, making nearly $100m, the DOJ says.
Organized crime should be seen as a national security threat. It corrodes public confidence in the integrity of state administration. The Kremlin increasingly outsources its assassination and sabotage campaigns to gangsters.
But far worse would be if China, Russia or Iran were able to turn legitimate software updates into a de facto botnet. By exploiting the trust we have in legitimate software companies, their spies and saboteurs could steal our data, scramble it, or make it inaccessible on computers and networks all over the world.
Western decision-makers and opinion-formers worry a lot about the phantom menace of Russia’s nuclear weapons. We all pay far too little attention to these much more pressing national security threats to the fragile but deeply interconnected computer systems that underpin our economies, public services, and societies.
Few noticed, for example, the most horrifying near-miss in the history of the internet, revealed earlier this year. The target was far less well-known than CrowdStrike or Microsoft. It was the xy compression utility. These open-source tools, written and maintained by volunteers, are the workhorses of the software world. Anyone can inspect them and suggest improvements. If you can gain the trust of other experts, your suggestions will be implemented—and become the building blocks of countless other programs.
We still know startlingly little about the perpetrator of this attack. He or she first emerged in November 2021 making expert contributions to other open-source projects under the username JiaT75. Nobody ever met this person face-to-face or checked their identity, but they gradually took over the job of updating xy, until they were able to issue an update that would have, in effect, made any computer that installed it open to manipulation: a master key, in effect, to hundreds of millions of machines.
By chance, a conscientious Microsoft engineer called Andres Freund noticed that a trial version of xy was using slightly more memory than it should, and was able to diagnose the flaw just before its general release. Few outside the cybersecurity world even noticed.
The sophistication and patience of the attack probably points to the SVR, Russia’s foreign intelligence service. But the clues left could be a clever double-bluff, designed to distract attention from the real culprits: China, Iran or North Korea.
The attacker’s near-success, and the difficulty of attributing it, stems from the same simple fact: the internet was not designed with security in mind. We have no easy way of checking the identity of the people we interact with. And we take most of what arrives on our computers on trust.
That carefree attitude has stoked amazing technological innovation and cut many costs to near-zero. But it comes with huge, hidden costs. We need to update not just our software, but our online security culture.
Edward Lucas is a Non-resident Senior Fellow and Senior Adviser at the Center for European Policy Analysis (CEPA).
Europe’s Edge is CEPA’s online journal covering critical topics on the foreign policy docket across Europe and North America. All opinions are those of the author and do not necessarily represent the position or views of the institutions they represent or the Center for European Policy Analysis.
The post CrowdStrike: Accidents and Designs appeared first on CEPA.
