We’ve experienced Crowdstrike-Windows outages before—and it will happen again

Broadcast United News Desk

The image of stranded airport travelers looking sadly at rows of monitors, all frozen on the same Windows “blue screen of death,” might seem like the next frontier of technological dystopia. But Friday’s global outage, triggered by a botched update from security provider CrowdStrike, is best thought of as a sequel to a movie we’ve seen before; like many film productions, it’s simply the latest in an ongoing series.

For decades, technology experts have warned against over-reliance on any one company’s software or services, because the potential blast radius becomes too large when attackers exploit vulnerabilities or other problems arise.

In 2003, seven computer security experts wrote a paper titled “Network Insecurity: The Cost of Monopoly” (commissioned by the Computer and Communications Industry Association, a Washington-based technology trade group whose members oppose Microsoft’s abuse of its market power) to outline the risks.

“Most of the world’s computers run Microsoft’s operating system, so most of the world’s computers are vulnerable to the same viruses and worms,” they wrote. “The only way to prevent this is to avoid monopoly in computer operating systems, for reasons as rational and obvious as avoiding monopoly in agriculture.”

Ten years ago, Tim Wu, a Columbia University law professor and technology policy expert, wrote in these pages that the then-current Heartbleed web vulnerability showed that technology monoliths aren’t just a problem for big companies. The flaw in an open-source component that helps encrypt web connections didn’t implicate Google or Microsoft; it was caused by a dispersed team of developers failing to find a vulnerability for two years.

“The more we centralize and put more of our lives online and in consolidated accounts, the more damage we will suffer from an attack,” wrote Wu, who has advised both the Obama and Biden administrations.

Last month, a tech executive told an event in Washington that the industry needs to stop pretending this risk doesn’t exist. “We can no longer tolerate solutions or architectures that break because of a single point of failure,” said Drew Bagley, vice president and privacy and cyber policy advisor at CrowdStrike, who spoke at a company-sponsored session of The Washington Post’s “Securing Cyberspace” event on June 6.

However, the CrowdStrike crisis flipped the monoculture script a bit: instead of ignored vulnerabilities leading to hacks of entire companies or even industry sectors (see, for example, recent ransomware attacks), the defense systems themselves ended up attacking their hosts. In CrowdStrike’s case, a botched automatic update contained a flaw that intersected disastrously with the permissions Microsoft built into Windows for its security tools, causing PCs and servers to fail to reboot.

CrowdStrike doesn’t have the same firm dominance in the market as Microsoft does: it held only 18.5% of the endpoint security market in the second quarter of 2023, according to data from market research firm Canalys. But that still represents a large portion of the IT market, and experts are already calling Friday’s incident “the biggest IT outage in history.”

“The CrowdStrike incident is a good reminder of how interconnected our technology is today, with implications that extend beyond the digital realm,” wrote Brandon J. Pugh, director of cybersecurity and emerging threats at the R Street Institute, a Washington think tank. He cited “multiple examples of how some IT and network products are intertwined around the world, and how problems in one of them can have repercussions far beyond the core product.”

Something similar could happen with other security vendors’ products, especially if they interact with Microsoft’s widely used Windows in a similar way. “This was a perfect storm, a buggy update that was thought to be safe and was automatically deployed at scale,” wrote Katie Moussouris, founder and CEO of Luta Security. “This can happen with any security content update from any vendor.”

She predicts that companies will subject automatic updates to security software to the same testing they apply to non-security software revisions — “a new routine testing task for overburdened IT departments to prevent future incidents like this.”

Moreover, technology homogenization is not just a security issue. Google’s overwhelming share of the search and advertising markets, now the subject of multiple antitrust lawsuits, exposes websites and publications to danger from even the slightest changes to its systems. Meta’s huge presence in social media means that a glitch in its content moderation system could silence people on multiple networks and make pages or even entire websites unshareable across all its properties. On a personal level, the iPhone can unlock so many apps and services that thieves have become very creative in stealing not only their victims’ phones but also their screen unlock codes.

But while it’s easy to find examples of where widespread use of a tool could lead to cascading problems, it’s much harder to find ways to fix them.

There is widespread agreement that resilience is a worthy goal — as Kemba Walden, the White House’s acting national cyber director, put it in a speech at the Black Hat security conference in Las Vegas last August: “We have to invest in resilience in cyberspace.”

Inconveniently, resilience often implies not only inefficiency, but also that inefficiency be treated as a virtue.

“This drive for efficiency can lead to brittle systems that work well when everything is going well, but break down under stress,” security researcher Bruce Schneier, one of the authors of the 2003 paper, wrote a few months into the 2020 pandemic. “If we want to be prepared for these crises and more, we need to reintroduce inefficiencies into our system.”

Wu made similar recommendations to TNR readers in a 2014 article, advocating for “more diversity and competition at all levels, even in encryption standards.”

Pugh suggests that reducing the risk of monoculture “requires having redundant staff in place and actually testing and training them when disruptions occur, whatever the cause”.

However, selling it to shareholders may be difficult.

“It will be difficult for a single company or organization to counter the fundamental economic and business operations forces driving IT concentration,” Michael Daniel, president and CEO of the Cyber Threat Alliance, an association of IT industry leaders, said in an emailed statement. “The benefits of interoperability, standardization, and scale are huge and drive companies to leverage a small set of vendors.” Luta Security’s Moussouris further called monoculture an “inevitable reality.” As she wrote: “There are only a handful of operating systems, so we’re effectively stuck with a very small base software gene pool anyway.”

Daniel, who served as Obama’s cybersecurity adviser, supports government-set standards — something the Biden administration has tried to do without legislative help through workarounds such as adding stricter security requirements to government IT contracts.

“Given the underlying economic and business structures, the specific issue of concentration risk may require government action to address,” he wrote. “Such actions may include minimum interoperability standards, zoning, and graceful degradation of functionality.”

In other words: if you can’t back up everything, then have a plan in place to limit the damage if things do go wrong. Because if we’ve learned anything from the software disasters of the past few decades, it’s that there’s always a next time.
