Black Hat, Critical Infrastructure Security

Black Hat Keynote: CrowdStrike outage a global wakeup call  

LAS VEGAS – The global impact of the flubbed CrowdStrike update and ensuing Microsoft outage was a wakeup call for European and U.S. cybersecurity leaders. The topic took center stage here at the Black Hat USA 2024 opening keynote.

Open questions included: How could a single vendor trigger such massive global disruptions, what does this portend for vital systems of democracy such as elections, and how can the cybersecurity community ensure it doesn’t happen again?

[For up-to-the-minute Black Hat USA coverage by SC Media, Security Weekly and CyberRisk TV visit our spotlight Black Hat USA 2024 coverage page.]

“Sadly, it was an interesting lesson for the bad guys. [They learned] It was one mechanism that started the entire process,” said Hans de Vries, COO of the European Union Agency for Cybersecurity, commenting on CrowdStrike's bungled software update.

“The impact was enormous. We have to be prepared for more of these types of cases. From a threat analyzing perspective, to supply chain attacks, and the multifaceted cooperation need to address these issues are really the biggest issues to address in the coming years,” he said.

Joining de Vries on stage were Jen Easterly, director of the U.S. Cybersecurity and Infrastructure Security Agency, and Felicity Oswald OBE, CEO of the UK’s National Cyber Security Centre.

Easterly warned there has been a lot of “irresponsible noise on the CrowdStrike incident” — however, the gravity of the outage can’t be ignored. She outlined her three top takeaways from the CrowdStrike outage.

“It just reinforced what [CISA] has been saying about the importance of technology vendors, developing, designing, testing and deploying software that is secure by design,” she said.

Her second observation was “how critical software is and how much we depend on it working properly.”

She observed that the outage’s impact on organizations was mixed, depending on the cyber readiness of the firm. Despite ample mitigation resources, some companies struggled to get systems back online while others recovered quickly.    

“The big lesson… is a need for cyber resiliency,” she said.

Oswald echoed Easterly’s call for cyber readiness. “Resiliency is always going to be a buzzword in cybersecurity, and that's my job. But it's also the job of every public sector, organization, private sector organization, big and small organization in our civil society,” she said.

She compared cybersecurity readiness to “knowing how to do your financial accounts, knowing how to protect an employee’s health and safety and reduce the risk of fire to your organization.”

Our adversaries are watching

Questions beyond cyber readiness also came up during the panel discussion. Easterly raised supply chain concerns.

“What went through my mind was ‘Oh, this [outage] is exactly what China wants to do,’” Easterly said.

“What we know about Chinese hackers, specifically those colloquially known as Volt Typhoon, is they are embedded in our critical infrastructure specifically not for espionage or data theft or IP theft, but to launch disruptive or destructive attacks in the event of a major conflict in the Taiwan Strait,” she said.

Ensuring election integrity

Looking beyond the CrowdStrike-Microsoft outage, the panel addressed both the fragility and the robustness of the election systems underpinning democracies around the world.

Christina Cassidy, panel moderator and Associated Press reporter, asked: “The idea that a single vendor could trigger massive global disruptions, [what might the impact be on] early voting location in Maricopa County, Arizona?”

Panelists gave the familiar refrain that “cyber resilience” is the key.

“For me, the importance of knowing your key assets, knowing your critical assets, knowing what risks might happen [is vital],” Oswald said. “Some of those [problems] will be malicious, sometimes they will be accidental. Sometimes they'll be caused by who knows what. And knowing what your plan is. It's the basics of any I have worked for some time as emergency primary government is the basics of planning for anything, you have plan for the worst and hope for the best.”

Commenting on the recent European Union parliamentary elections in the Netherlands, de Vries said no major cyber incidents were identified. He credits preparation, cooperation and intelligence sharing with other cyber agencies.

“We had an exercise with the European Parliament and European Commission last year to make sure that they all know the process. … This is really important because we know that the threat is much bigger than five years.”

Tom Spring, Editorial Director

Tom Spring is Editorial Director for SC Media and is based in Boston, MA. For two decades he has worked at national publications in the leadership roles of publisher at Threatpost, executive news editor at PCWorld/Macworld and technical editor at CRN. He is a seasoned cybersecurity reporter, editor and storyteller who always aims for truth and clarity.
