Breaking Bad Code: A new threat for security?
Ben Addley, Managing Partner Heligan Strategic Insights & Head of Research
The recent CrowdStrike global IT outage, affecting 8.5 million computers and crippling networks across businesses and critical national infrastructure sectors such as finance, health and transport, wasn’t caused by a security breach, or even a malicious attack.
It was caused by bad code and bad processes.
In case you haven’t read about this (unlikely), or weren’t affected by it (more likely), we thought it timely to try and answer two critical questions about the whole debacle: what actually happened and what are the impacts?
Is this a new threat vector?
To the first question of what happened. Windows computers all over the world suffered system outages after CrowdStrike, an American cybersecurity company that provides threat intelligence and endpoint security, pushed out a flawed software update. The result was a “blue screen of death” failure, a throwback to the 1990s and early 2000s that we all thought had been left behind. On reflection, it has also given us collectively a serious wake-up call regarding a new threat vector in our cyber resilience.
Some might argue the incident was over-hyped. After all, this was an outage that directly affected less than 1% of all Windows computers worldwide. It is, however, the kind of incident that, left unchecked, could become more dangerous and more common as the global economy increasingly relies on complex, interconnected, cloud-based IT services to carry out almost every critical task.
Major outages are becoming more frequent
Of course, this is not the first time an outage of this sort has occurred. In 2017, weaponised code released by Russian hackers unintentionally spread beyond its intended target, crippling IT systems globally and causing tens of billions of dollars in damage. It wiped out the entire IT system of Maersk, the global shipping giant, which had to coordinate movements of ships with phones, pen, and paper for days afterwards.
What’s different this time? The CrowdStrike failure was not a result of hacking by bad actors or hostile state adversaries, but of a basic testing failure. What this event demonstrates is that systems perceived as trusted, like CrowdStrike, can make mistakes if their own protocols fail, and when they do, the knock-on effects of security-privileged updates can be more disruptive than any hack.
Bad actors seek to capitalise on problems
Of course, bad actors are capitalising on the chaos caused by CrowdStrike, and we have seen reports of hackers sending phishing emails that promise to remediate failed systems in order to trick people into installing malware. We should expect to see an increase in attempts to compound real-world issues emerging from cascading digital ones, especially if more sophisticated hacks can take advantage of the instability caused by other failures born out of ‘honest’ errors.
The importance of digital resilience
In the aftermath of this latest crash, we will likely need to revisit whether national policies are creating the right incentives for firms to invest in the rules and resilience needed to manage these types of disruptions when they arise. We will also need to see greater investment in enterprise-level security and look for new opportunities to get ahead of unintended threats. Instinctively, this feels like an area in which AI and LLMs (Large Language Models) will inevitably need to play a part.
One thing we can be certain of is that we live in an increasingly complex and volatile world, and as we have seen, digital resilience will become even more vital for commerce and security.
If you found this perspective of interest, why not visit our website for more insights: Blog | Heligan Group
Director Of Cyber Services, Software Solutions and Business Development at CCL Solutions Group
2 months
Some interesting reflections Ben. The point around testing and secure by design in software development is one we are increasingly having conversations with customers about. #heligan #cclsolutionsgroup #cybersecurity