{"id":2403,"date":"2024-07-24T17:00:00","date_gmt":"2024-07-24T17:00:00","guid":{"rendered":"http:\/\/mobiledave.me\/?p=2403"},"modified":"2024-07-31T00:24:09","modified_gmt":"2024-07-31T00:24:09","slug":"the-worst-internet-outage-still-hasnt-happened-yet","status":"publish","type":"post","link":"http:\/\/mobiledave.me\/index.php\/2024\/07\/24\/the-worst-internet-outage-still-hasnt-happened-yet\/","title":{"rendered":"The worst internet outage still hasn\u2019t happened yet"},"content":{"rendered":"
\n


Billboards in Times Square went dark on July 19, after a bad CrowdStrike update crashed millions of computers worldwide. | Michael Nagle\/Bloomberg via Getty Images<\/figcaption><\/figure>\n

The world is still dealing with the fallout from the CrowdStrike screwup that took millions of computers offline last week. Some IT workers have had to fix each computer manually, walking from machine to machine with a USB stick, and some remote workers say they\u2019re locked out of their computers with no fix in sight. All because of a few lines of bad code.<\/p>\n

It started in the early morning hours of Friday, July 19, when the cybersecurity company CrowdStrike pushed an update to its millions of customers. Unfortunately for all of them, there was a mistake in the code that caused Windows computers to crash repeatedly. This caused lots of problems for airlines, banks, hospitals, TV broadcasters, government agencies, and everyone who interacted with these organizations as the dreaded \u201cblue screen of death\u201d took over millions of computers. It took CrowdStrike just 78 minutes to identify the problem and issue a fix, but because many computers needed to be manually restarted, the problems persisted through the weekend and into this week. As of Wednesday morning, Delta Air Lines was still experiencing delays due to the outage. The ongoing Delta flight cancellations separated countless unaccompanied minors from their parents for days.<\/p>\n

This is all annoying and anxiety-inducing. But a massive outage like this \u2014 whether caused by a faulty update, as was the case with CrowdStrike, or by a cyberattack \u2014 could have been much worse. Much worse. Like, getting kicked back to the 19th century overnight worse, and it\u2019s not clear what we can do to stop it.<\/p>\n

\u201cThis was just an accident,\u201d Mark Atwood, an open source policy wonk and former Amazon employee, told me. \u201cThis could have been something that \u2026 just turned everybody\u2019s computers into bricks, possibly unrepairable.\u201d<\/p>\n

The really scary thing is that there\u2019s honestly not much you or I can do to prevent a catastrophe like that from happening in the future. If you work for CrowdStrike, sure, you could do your part, but for the most part, building a more resilient internet is a job for the federal government. As trite as it may sound, one thing you can do is call your representatives in Congress and demand action. Because even if there\u2019s not much you can do on an individual level to prevent the next big internet outage or cyberattack, you will likely be affected.<\/p>\n

One big problem \u2014 and a key reason why this outage was so huge \u2014 is that CrowdStrike controls so much market share, and its software is so deeply integrated into so many computers, that one bad update can bring them all down. <\/p>\n

Regulations require companies in critical industries, like health care and banking, to protect people from harm, which means they must follow cybersecurity guidelines and use endpoint security software, which protects internet-connected devices from cyberattacks. CrowdStrike tends to be the default option to comply with these regulations, and in 2021, the Cybersecurity and Infrastructure Security Agency (CISA) even picked CrowdStrike to secure multiple government agencies. CrowdStrike now controls nearly 25 percent of the market for endpoint security. So when CrowdStrike pushes out a bad update, a lot of people are affected. This particular incident affected 8.5 million Windows devices, according to Microsoft.<\/p>\n

Lawmakers and regulators can and should learn from this CrowdStrike fiasco. It could be an opportunity for the federal government to redouble its efforts at improving cybersecurity and for security companies to do better. We have to demand they build products that are truly secure, says Dan O\u2019Dowd, CEO of Green Hills Software and founder of the Dawn Project, an organization dedicated to making computers safe for humans.<\/p>\n

\u201cWe know how to do it. It\u2019s been done for years and years in the military and in aviation,\u201d O\u2019Dowd told me. \u201cBut it does cost more, and people just have to accept that we\u2019re going to have a somewhat higher cost, so that we don\u2019t lose it all.\u201d<\/p>\n

Cybersecurity experts talk about \u201cthe big one\u201d a lot these days, and that\u2019s what O\u2019Dowd is referring to when he says we could lose it all.<\/p>\n


The big one might involve hackers attacking physical infrastructure, like the power grid, water treatment plants, or shipping ports. Bad actors could target elections, hack voting machines, and spread misinformation. These kinds of things are actually already happening, but so far, there has not been a truly catastrophic outage or an attack so successful that it\u2019s brought down large swaths of modern society. Not yet, at least.<\/p>\n

The CrowdStrike incident should be a wakeup call, a reminder that the big one is coming and that there\u2019s more we could do to stop it. Republican lawmakers have called on CrowdStrike CEO George Kurtz to testify before the House Homeland Security Committee to explain what happened to cause the outage and what the company was doing about it. CrowdStrike told me it was \u201cactively in contact with relevant congressional committees,\u201d and on Wednesday published a preliminary incident report detailing what went wrong and how it planned to prevent something like this from happening in the future.<\/p>\n

Attention on Capitol Hill may also signal interest in legislation to create new regulations for the cybersecurity industry, although nothing has been announced. <\/p>\n

Meanwhile, FTC Chair Lina Khan is drawing attention to how the concentration of power can mean \u201ca single glitch results in a system-wide outage, affecting industries from healthcare and airlines to banks and auto-dealers.\u201d She seems to suggest that a better regulated cybersecurity industry could reduce that harm. Others, including Atwood, have pointed out that, in some ways, the regulations are in place, but companies like CrowdStrike still aren\u2019t following best practices.<\/p>\n

\u201cEveryone believed there was no silver bullet, there was no cure for this other than try to think harder,\u201d Atwood told me. \u201cThere are still bullets and best practices that, if you do them, the odds of making mistakes like this fall a lot.\u201d<\/p>\n

Truth be told, there\u2019s no easy way to make our networks and computers completely secure. But the federal government is continuing to try. It established CISA in 2018 to do everything from securing elections to protecting the power grid from electromagnetic pulse, or EMP, attacks. President Joe Biden also issued an executive order in 2021 to improve the nation\u2019s cybersecurity with 55 new requirements, almost all of which have now been completed. (That executive order is also what led CISA to pick CrowdStrike as the federal government\u2019s endpoint security partner.) And this year, following a series of breaches during the 2020 midterm elections, CISA also launched a program to bolster election security, including protections for non-voting systems, like voter registration databases.<\/p>\n

That just represents a handful of the federal government\u2019s efforts to avoid a catastrophic cyberattack or outage. And the cybersecurity industry is growing in lockstep with increasing anxiety about such a disaster. Spending on cybersecurity rose about 70 percent from 2019 to 2023, according to Moody\u2019s, and the rise of generative AI will only complicate the picture in the years to come. The 2024 election cycle has already seen AI-generated robocalls that mimicked President Biden\u2019s voice and told people not to vote, which does not sound as frightening as a cyberattack bringing down a power plant, but is an attack on democracy nevertheless.<\/p>\n

The big one is still out there, lurking in some unknown future, waiting for the right string of events to occur and lead to catastrophe. Some of the worst nightmare scenarios have actually already happened, only not at a global scale. Ransomware attacks on hospitals and health care providers that threaten lives are a regular occurrence in the US these days. After taking out a portion of Ukraine\u2019s power grid with a cyberattack in 2015 and 2016, Russia used a novel cyberattack to cut the heat to 600 buildings in the Ukrainian city of Lviv this past January. So far, and very luckily, we have not seen a cyberattack lead to a nuclear disaster, but such a thing is not out of the realm of possibility.<\/p>\n

\u201cSo I just rewatched Chernobyl last week,\u201d Atwood said, referring to the HBO series about the 1986 nuclear disaster. \u201cAnd that was one of the key lines: Why worry about something that hasn\u2019t happened yet?\u201d<\/p>\n

That\u2019s how some cybersecurity executives think about the unimaginable, he told me, even when their own employees are warning against it. <\/p>\n

If we\u2019ve learned anything from the past week \u2014 or even the past decade \u2014 it\u2019s that the scale of outages and cyberattacks is getting larger as the world depends more on internet-connected devices to run itself. There\u2019s no better time than now to reconsider whether we\u2019re doing enough to stop the next one.<\/p>\n

A version of this story was also published in the Vox Technology newsletter.<\/p>\n","protected":false},"excerpt":{"rendered":"

","protected":false},"author":1,"featured_media":2405,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[15],"tags":[],"class_list":["post-2403","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-tech-policy"],"_links":{"self":[{"href":"http:\/\/mobiledave.me\/index.php\/wp-json\/wp\/v2\/posts\/2403"}],"collection":[{"href":"http:\/\/mobiledave.me\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/mobiledave.me\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/mobiledave.me\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/mobiledave.me\/index.php\/wp-json\/wp\/v2\/comments?post=2403"}],"version-history":[{"count":3,"href":"http:\/\/mobiledave.me\/index.php\/wp-json\/wp\/v2\/posts\/2403\/revisions"}],"predecessor-version":[{"id":2408,"href":"http:\/\/mobiledave.me\/index.php\/wp-json\/wp\/v2\/posts\/2403\/revisions\/2408"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/mobiledave.me\/index.php\/wp-json\/wp\/v2\/media\/2405"}],"wp:attachment":[{"href":"http:\/\/mobiledave.me\/index.php\/wp-json\/wp\/v2\/media?parent=2403"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/mobiledave.me\/index.php\/wp-json\/wp\/v2\/categories?post=2403"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/mobiledave.me\/index.php\/wp-json\/wp\/v2\/tags?post=2403"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}