Recently, a major IT outage impacted the global community.  In the midst of global geopolitical conflicts, and states waging war on one another, the major disruption was not the result of hostile state cyber assets, or enterprising nonstate hacktivist enclaves engaged in digital struggle.  This unprecedented glitch was caused by a faulty software update from CrowdStrike, a trusted U.S. cybersecurity vendor that has been a leader in the cybersecurity space for several years.  Per the company’s statement, a defect in a content update to its software for Windows hosts caused the disruption.  As a consequence, the company’s global customers across government services, emergency call centers, airlines, hospitals, and banks, to name just a few, found themselves in a predicament, facing Microsoft’s dreaded “blue screen of death.”  In the United States alone, nearly 3,000 flights had been delayed or canceled, and some organizations are still trying to recover from the fallout.

Though the issue was fixed shortly thereafter, problems with the blue error screens continued to persist globally.  Worse, cybercriminals have been quick to leverage this mishap to their advantage.  Soon after its disclosure, reports circulated regarding cybercriminals distributing scam emails using the outage as a content lure to entice recipients into clicking malicious links and/or attachments.  Additionally, according to another source, financially motivated threat actors are currently trying to exploit the situation to deploy the Remcos remote access Trojan to the company’s customers in the Latin American region.  Fraudulent domains disguised as sites to help victims “fix” their machines have also started appearing in an attempt to get users to pay for remediation.  There is little doubt that nation states are also trying to figure out how to take advantage of the situation as any successful exploitation could facilitate cyber espionage activities.

While thankfully the incident was not the result of malicious intent, it does underscore a major problem an interconnected global community has when it relies on the same products for its tech solutions.  Microsoft is one of the most recognizable tech brands, with a global footprint that commands a 21% market share worldwide, establishing its industry dominance.  Similarly, CrowdStrike has jumped to global prominence with its security devices and solutions, controlling approximately 18% of the market for modern endpoint protection, and protecting more than half of Fortune 500 companies, as well as governments, and other critical infrastructure industries.  Microsoft has a history of a multitude of vulnerabilities, and over the past ten years, saw a 650% spike in Elevation of Privilege Vulnerabilities, a key for hostile actors to penetrate deeply into compromised networks.  Ironically, in 2023, CrowdStrike’s Chief Security Officer criticized Microsoft for its cybersecurity lapses.

What’s become abundantly clear is that the interdependence of these two companies’ software as well as an increasing global reliance on these offerings created a perfect scenario where a mistake had a catastrophic impact.  And as companies fight for global market share and more organizations utilize their offerings, this creates the potential for another one of these events to occur, calling into question what – if anything – organizations have learned about such reliance.  The recent outage and its effect on a multitude of public and private sector entities bear similarities to the 2020 SolarWinds breach.  That incident demonstrated the dangers of supply chain compromise as more than 30,000 public and private organizations were compromised when a nation state had exploited Orion network management and delivered backdoors into a new software update distributed by SolarWinds.  While that compromise was nation state-driven, it’s frightening to think what could have happened in the recent mishap if a state exploited the cybersecurity vendor’s update process to cause purposeful disruption.

Interestingly, a couple of countries went unscathed – notably China and Iran – which isn’t surprising given how both countries focus on developing indigenous tech solutions.  In the case of Iran, current sanctions against Tehran worked in its favor as they barred Iran from receiving this type of technology, forcing it to develop and rely on indigenous capabilities.  China has been trying to prioritize domestic suppliers for years, thereby minimizing its dependence on foreign technology.  One thing seems pretty clear: both countries were spared major problems because they did not depend on a single company for their cloud or security needs.  Diversification – whether forced by sanctions or by strategic decision – has proven to be a silver lining in the cybersecurity ecosystem.  This makes sense as it adheres to the “don’t put all your eggs in one basket” philosophy, thereby mitigating the fallout from a single point of failure.  

A recent article countered this opinion, pointing out that there aren’t a lot of trusted providers available for organizations.  This argument rings weak in the face of a robust cybersecurity market full of companies providing similar products and services.  To believe the article, just a handful are to be trusted.  That seems fanciful to say the least.  What this fiasco has taught us is that cobbling customers under one umbrella is an easy streamlined solution for both provider and customer – it’s profitable for the supplier and less financially and materially taxing on the part of the customer.  But it has also shown that one mistake can reverberate across the globe.  The costs from what has been termed the “largest IT outage in history” are estimated at USD $1 billion, and it remains uncertain if the company will compensate its customers for financial losses that occurred because of the software update failure.  And what about the costs suffered by individuals tangentially impacted?  Will they receive compensation and if so, by whom?  Seems unfair that an airline should reimburse its patrons for cancellations caused by the fault of another company.

CrowdStrike is being applauded for transparency, which is laudable.  But the fact that a company is being praised for doing the right and responsible thing seems disingenuous.  All companies trusted with these responsibilities should do that, and the fact that people seem impressed that it happened in this case points to a much larger problem, and one that needs to be solved in the legislature.  And while that possibility germinates (CrowdStrike is being called to testify before Congress), perhaps organizations should take this opportunity to reassess how diversified their own security mechanisms are, especially the security offerings they subscribe to, and conduct a rigorous third party risk assessment that includes possible scenarios like the one that just happened.  Even the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency Director suggested that tech companies should be held responsible for selling vulnerable products.  That seems like a necessary step in the right direction.

At the end of the day, this IT outage is not the end of the world, but it is a warning bell of what could happen in a cyber threat landscape that is growing only more sophisticated and dangerous. And if the next incident at the hands of belligerent threat actors brings about purposeful disruption of this magnitude, the victimized tech company’s apologies are just not going to cut it.  Neither will a ten-dollar gift card.

About the Author

Emilio Iasiello

Emilio Iasiello has nearly 20 years’ experience as a strategic cyber intelligence analyst, supporting US government civilian and military intelligence organizations, as well as the private sector. He has delivered cyber threat presentations to domestic and international audiences and has published extensively in such peer-reviewed journals as Parameters, Journal of Strategic Security, the Georgetown Journal of International Affairs, and the Cyber Defense Review, among others. All comments and opinions expressed are solely his own.