Last week, a glitch in a software update disrupted key sectors of the global economy, leaving travelers stranded at airports, patients waiting in hospitals and customers stranded outside banks with cash.
The historic outage was caused by a faulty update by cybersecurity firm CrowdStrike and affected millions of computers running the Microsoft Windows operating system.
“One of the lessons from this incident is just how destructive a wide range of malicious cyberattacks can be,” said Laura DeNardis, professor and endowed chair of technology, ethics and society and director of the Center for Digital Ethics. DeNardis teaches in the graduate program in communication, culture and technology and the undergraduate program in technology, ethics and society. She is also a member of Georgetown University’s Technology and Society Initiative, an interdisciplinary collaboration conducting research at the intersection of technology, ethics and governance.
The incident raised important questions about the vulnerability of the world’s technology infrastructure and the potential consequences of widespread, malicious cyber attacks.
To understand these questions, read DeNardis’s take on the CrowdStrike outage and potential strategies for making the world’s technology systems more resilient.
Ask the Professor: Laura DeNardis on the CrowdStrike outage and cyberspace security measures
The world experienced widespread technical outages linked to a company called CrowdStrike. What on earth happened on Friday, July 19, 2024?
Cybersecurity company CrowdStrike released a routine software update that caused customers’ Windows systems to unintentionally crash. The purpose of the update was related to the core cybersecurity mission of detecting new threats and specifically collecting data on “potential new threat techniques.” However, an error in the software update caused the problem, causing customers to experience a Windows “blue screen.”
As CrowdStrike quickly explained to its customers and the world, the problem wasn’t a cyberattack, but an error in a software update. The bug was in a CrowdStrike Falcon platform update for Microsoft Windows, so computers using other operating systems (such as Mac or Linux) were not affected. Because so many mission-critical systems in society depend on CrowdStrike, the outage was widespread, causing disruption in critical sectors. Flights were canceled, medical procedures were postponed or canceled, and many other everyday social systems were affected.
In a sad irony, the effects of the outages caused by errors in software designed to thwart widespread cybersecurity attacks ended up mimicking the effects of real, widespread cybersecurity attacks.
Why has this issue had such a big impact on so many industries?
The 8.5 million Windows devices that Microsoft estimated were affected by the CrowdStrike update error represent less than 1% of Windows devices. So why was the outage so widespread? Organizations that operate critical civil infrastructure are the very organizations that implement cybersecurity services like those offered by CrowdStrike. Agriculture, aviation, banking, energy, government, healthcare, manufacturing, retail, and more all use specialized cybersecurity services. These sectors were affected by the outage. Regulators were quick to ask whether greater market diversity in the tech industry would have mitigated the impact, and this is undoubtedly one of many topics that will come up in upcoming congressional hearings.
The bigger problem is that everything is digitally connected. As I explain in my recent book, blackouts don’t just concern the work we do through computer screens and phones, but also the connected critical infrastructure and cyber-physical objects around us. Blackouts are no longer about the inability to send emails or access files, but about the right to healthcare and the right to move freely. Everything from our food supply to our energy systems relies on secure and resilient digital technologies.
During last week’s outage, many users encountered an error screen (commonly known as the “Blue Screen of Death”) on their Windows computers.
The CrowdStrike incident was caused by a faulty update, not a cyberattack. How did the hackers take advantage of the situation?
Although the outage was not a cyberattack, hackers quickly took advantage of the confusion. Malicious activity following the outage used “social engineering” techniques aimed at tricking people into taking actions that harmed themselves or their organizations. The US Cybersecurity and Infrastructure Security Agency (CISA) warned that “cyber threat actors continue to leverage this outage to conduct malicious activity.” Social engineering techniques included phishing attacks aimed at tricking people into downloading malware, divulging security credentials, or making monetary payments. Fake websites also appeared. CrowdStrike Intelligence published an updated list of websites impersonating CrowdStrike. CrowdStrike also revealed that hackers were distributing malicious ZIP files primarily targeting customers in Latin America.
This ecosystem of social engineering techniques is a reminder that cybersecurity is not just about technical defenses, it’s also about human defenses.
What lessons have been learned from this incident? What does this outage portend for future cyberattacks?
Media and government tech policy attention has often been so focused on social media content issues that it has ignored more important questions about the underlying infrastructure. There are hidden layers of infrastructure on which everything depends: cybersecurity platforms, protocols, domain name systems, routing and addressing, satellite systems, and more. In my book on internet governance, I address why the design, operation, and governance of these underlying infrastructures is the new space in which economic and geopolitical power will be deployed.
For decades, people have predicted a “digital Pearl Harbor,” but the internet and digital technology have held up. Ransomware attacks, government-mandated power outages around the world, worms, viruses, and attacks on critical infrastructure have all posed major challenges but never caused global catastrophic damage.
But one of the lessons from this incident is how devastating a widespread, malicious cyberattack can be. The incident affected a small number of computers compared to the number of connected devices in the world. CrowdStrike employees quickly identified the problem and were transparent with the world that this was an update error, not a cyberattack. They released a solution to mitigate the issue and explained how they would respond going forward, including more rigorous testing of updates. Still, this outage was devastating, and it gives people an idea of what could happen if a more widespread outage or targeted attack were to occur. In my opinion, the most devastating attack would be one targeting energy grids or satellite systems.
This incident also raises important questions about liability, accountability, and deterrence. Losses from this single incident will likely run into the billions of dollars. Determining liability in complex digital systems is an area of governance that needs to be addressed. Additionally, cyber insurance is now a routine strategy for organizations large and small. The focus of these policies is often on malicious security incidents, such as the costs of data breaches and ransomware attacks. Because this incident was not an intentional act, it highlights the importance of including non-malicious disruptions as part of your insurance strategy.
Is there anything we should be doing to keep us all safe?
The outage is a reminder that even people who have never been online can be severely affected by outages and cyberattacks. The aftermath of the CrowdStrike outage left families sleeping on airport floors. Even people who have never been online can be affected by massive data breaches at Target, Home Depot, and the U.S. Office of Personnel Management. Ransomware attacks on hospital systems have diverted ambulances from emergency rooms and denied patients treatment. Cybersecurity is a society-wide issue that requires a multi-stakeholder strategy from the private sector, technology coordination agencies, and governments.
Still, the vast majority of us who are connected to the Internet can contribute to reducing cyber risks. Most of us understand the basics of protecting access, such as using complex passwords, avoiding reusing the same login credentials, and using multi-factor authentication (MFA). Other best practices for protecting our own systems and data include keeping software up to date, preferably through automatic updates, backing up files regularly using both local and cloud computing services, never using unsecured Wi-Fi networks, and using a Virtual Private Network (VPN).
The harder problems aren’t technical, they’re psychological. Scams and cybercrimes using social engineering techniques continue to grow. Hackers are getting better at tricking people into replying to text messages, clicking links in emails, making payments, or disclosing personal information. It’s important to stay informed about current cybersecurity threats.
One of the core research areas of Georgetown University’s Center for Digital Ethics is cybersecurity ethics. Why is cybersecurity an ethical field?
Everything in society now depends on strong cybersecurity: privacy, national security, financial transactions, and the basic critical infrastructure that keeps society functioning. Ethical dilemmas are deeply ingrained in the design, operation, governance, and use of cybersecurity. Cybersecurity policy choices involve fundamental ethical choices, such as the encryption strength debate, responding to ransomware, and the moral obligation to protect medical devices. For example, governments are interested in strong encryption for national security, but also weak encryption for foreign intelligence and law enforcement functions. As digital technologies continue to make inroads into the physical and biological worlds, including at their intersections with quantum computing and neuroscience, ethical complexities will only grow. Cybersecurity is the great human rights issue of our time and is part of the Center’s core mission to bring about a more ethical digital future.