
Crowdstrike: Cybersecurity Accidents and Designs

Last week’s collapse is a long overdue reminder of our greater vulnerability to cyberattacks.

Fragility is dangerous. That’s the lesson of last week’s computer crashes, caused by a carelessly written update to CrowdStrike’s widely used Falcon Sensor endpoint security software. It crashed millions of Windows computers and caused havoc in air travel, financial services and healthcare, with enormous financial and human costs.

But it could have been much worse. Few users realize that by enabling automatic updates, they are handing a third party the ability to run code on their computers and other devices remotely. In other, more nefarious, contexts we would call the mass hijacking of computers a botnet. Botnets are at the heart of the cybercrime industry. In May, the U.S. Department of Justice and the FBI announced the arrest of Chinese national YunHe Wang, who had illegally and secretly gained control of millions of Windows computers around the world. He then rented them out to cybercriminals, earning nearly $100 million, according to the Justice Department.

Organized crime must be viewed as a threat to national security. It undermines public confidence in the integrity of the state administration. The Kremlin is increasingly outsourcing its murder and sabotage campaigns to gangsters.

But it would be even worse if China, Russia or Iran could turn legitimate software updates into a de facto botnet. Their spies and saboteurs could exploit our trust in legitimate software companies and steal our data, encrypt it or make it inaccessible on computers and networks around the world.

Western policymakers and opinion leaders are deeply concerned about the phantom threat posed by Russia’s nuclear weapons. We all pay far too little attention to these far more pressing national security threats to the fragile but tightly interconnected computer systems that underpin our economies, public services and societies.


Few noticed, for example, the most horrific near-miss in the history of the Internet, which was revealed earlier this year. The target was far less well-known than CrowdStrike or Microsoft: the compression program xz. Such open-source tools, written and maintained by volunteers, are the workhorses of the software world. Anyone can review them and suggest improvements. If you can gain the trust of the other experts, your suggestions will be accepted and become building blocks of countless other programs.

We still know shockingly little about the perpetrator of this attack. He or she first appeared in November 2021 under the username JiaT75 and made expert contributions to other open source projects. No one has ever met this person or verified their identity, but they gradually took over the task of updating xz until they were able to issue a release that would have left virtually any computer that installed it open to remote takeover: effectively a master key for hundreds of millions of machines.

By chance, a diligent Microsoft engineer named Andres Freund noticed that the new xz release, which had already reached test builds of major Linux distributions, was making remote logins take slightly longer and use more processor time than they should. He diagnosed the cause before the release reached the stable versions that most users run. Outside the cybersecurity world, hardly anyone noticed.

The sophistication and patience of the attack likely points to the Russian foreign intelligence service SVR. But the clues left behind could be a clever double bluff designed to divert attention from the real culprits: China, Iran or North Korea.

The attacker’s near-success and the difficulty of attributing the attack stem from the same simple fact: the Internet was not designed with security in mind. We have no easy way to verify the identities of the people we interact with. And we trust most of the information that ends up on our computers.
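To make the "verify before you trust" point concrete, here is an added example (not code from the article, from CrowdStrike or from the xz project) of the minimum an update client should do before applying anything it downloads: check the update manifest's signature against a public key pinned at install time, check that the payload matches the digest in the signed manifest, and refuse anything that is not newer than what is already installed. The Manifest type, the function names and the sample payload are all constructed for this illustration.

```go
package main

// Added illustration of a verify-before-apply update check. Names, the
// manifest layout and the sample payload are assumptions for this example,
// not the format used by any real vendor.

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is the metadata the vendor signs for each update. The client never
// acts on the payload bytes directly; it trusts the manifest only if the
// signature verifies against the pinned vendor key.
type Manifest struct {
	Version int    `json:"version"` // must increase monotonically; blocks rollback
	SHA256  string `json:"sha256"`  // hex digest of the update payload
}

var (
	ErrBadSignature   = errors.New("manifest signature does not verify against pinned key")
	ErrDigestMismatch = errors.New("payload digest does not match signed manifest")
	ErrRollback       = errors.New("manifest version is not newer than installed version")
)

// digestHex returns the hex-encoded SHA-256 of b.
func digestHex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// SignManifest is the vendor side: serialise the manifest and sign the bytes.
// The signed bytes are returned alongside the signature so the client verifies
// exactly what was signed, not a re-serialisation of it.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (rawManifest, sig []byte, err error) {
	raw, err := json.Marshal(m)
	if err != nil {
		return nil, nil, err
	}
	return raw, ed25519.Sign(priv, raw), nil
}

// VerifyUpdate is the client side. The payload must only be applied when the
// returned error is nil; the signature is checked first so that nothing in an
// unauthenticated manifest is ever parsed or acted upon.
func VerifyUpdate(pinned ed25519.PublicKey, installedVersion int, rawManifest, sig, payload []byte) (Manifest, error) {
	var m Manifest
	if !ed25519.Verify(pinned, rawManifest, sig) {
		return m, ErrBadSignature
	}
	if err := json.Unmarshal(rawManifest, &m); err != nil {
		return m, err
	}
	if m.Version <= installedVersion {
		return m, ErrRollback
	}
	if digestHex(payload) != m.SHA256 {
		return m, ErrDigestMismatch
	}
	return m, nil
}

func main() {
	// Constructed vendor key and sample payload for the demonstration.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	payload := []byte("constructed sample update payload v2")
	raw, sig, _ := SignManifest(priv, Manifest{Version: 2, SHA256: digestHex(payload)})

	_, err := VerifyUpdate(pub, 1, raw, sig, payload)
	fmt.Println("genuine update:", err)

	tampered := append([]byte{}, payload...)
	tampered[0] ^= 0xff // one flipped byte in transit
	_, err = VerifyUpdate(pub, 1, raw, sig, tampered)
	fmt.Println("tampered payload:", err)

	_, err = VerifyUpdate(pub, 2, raw, sig, payload)
	fmt.Println("replayed old version:", err)
}
```

The caveat a practitioner should keep in mind is that these checks only defend against tampering between the vendor and the device. They give no protection when the trusted publisher itself is the problem: in the xz case the malicious release came from the account that had legitimately taken over maintenance, and the CrowdStrike update was a genuine vendor release that happened to be defective. Both would have passed every check above, which is why staged rollouts and the ability to hold back or roll back updates matter as much as signatures.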

This cavalier attitude has produced amazing technological innovations and reduced many costs to almost zero. But it comes with huge, hidden costs. We need to update not only our software, but also our online security culture.

Edward Lucas is a non-resident Senior Fellow and Senior Adviser at the Center for European Policy Analysis (CEPA).

Europe’s Edge is CEPA’s online journal covering major foreign policy issues in Europe and North America. All opinions are those of the author and do not necessarily reflect the position or views of the institutions he represents or of the Center for European Policy Analysis.
