
ISG provides expert comment on CrowdStrike incident


  • Date: 22 July 2024

Dr Andrew Dwyer shares a round-up of the recent CrowdStrike incident, during which he provided expert comment to media outlets.


On Friday 19th July, the CrowdStrike incident impacted computer systems around the world. As news of the incident unfolded, Dr Dwyer, Lecturer in Information Security at Royal Holloway, spoke to MIT Tech Review and LBC Radio, drawing on his research at the intersection between information security, geopolitics, and socio-technical approaches to security. In this article, he provides a round-up of the incident, key take-aways, and what comes next for the information security and cyber policy communities.

Incident Round-Up

CrowdStrike is an American endpoint detection company that provides detection of malware and other suspicious behaviour. On Friday 19th July, CrowdStrike released an update to its Falcon platform that affected computers running most of the common Windows operating systems. This update led to a system crash that affected systems globally, with immediate impacts on transportation infrastructure, public-facing websites, and other services. CrowdStrike has released preliminary details on the incident as well as methods to recover from it. Some have called this the world’s largest-ever IT incident. Although this is difficult to verify, it is at least comparable in scale to the 2017 WannaCry and NotPetya incidents.

Key Take-Aways

Although this was not due to a cyber-attack, contrary to some reporting on the day and subsequently, it can still be considered a significant information security incident. It demonstrated several key risks in our increasingly interdependent digital economy:

  1. Supply Chains: Endpoint detection has significant and deep access to endpoints to detect and prevent violations. However, this makes endpoint detection a significant potential vector for exploitation and, in this case, for poor implementation of updates.
  2. Redundancy: The speed of recovery is key to cyber resilience, but many companies lacked redundancy in their systems and networks to maintain minimum business continuity. This is a key challenge, and one where enhanced requirement for critical infrastructures through the EU’s NIS2 regulations will force more attention to
  3. Digital Economy Consolidation: The increasing concentration of key elements of our digital economy in fewer large tech companies increases the risk of a lack of resilience in the supply chain. This is also the case in cyber security, where recent acquisitions have further consolidated the sector.
  4. Geopolitics: The access that endpoint detection has can be exploited. Nowhere is this seen more clearly than in the case of Kaspersky’s removal from US government systems over allegations of espionage by Russia. Dr Dwyer recently published an essay about this event and the role of endpoint detection in geopolitics here.

What Next?

There must be a reflection on incident management and planning for companies across the globe. However, for cyber policy makers, it demonstrates (again) how supply chain dependencies are essential to prevent loss of availability in the digital economy. Endpoint detection provides an essential and important role in limiting the impacts of malware and suspicious behaviour. Yet, to do that, it must have access to our systems and networks, which makes it an essential node in the infrastructure of our digital economy.

CrowdStrike is likely to face a number of lawsuits off the back of the incident. Internally, it will be quickly assessing the quality assurance processes that clearly failed in this case. Collectively, we are lucky that this was not a malicious act by a state actor or cybercrime group, but that is perhaps little consolation for the work of IT teams across the world who have been recovering from this incident. But this is another chance to reflect on the fundamentals of how information security operates and how risk propagates in the wider fabric of the digital economy.

 
