News — A worldwide technology outage Friday morning brought organizations across the globe to a halting stop, as flights were grounded, banks and media outlets were offline, and hospitals had to cancel procedures.
The CEO of cybersecurity firm CrowdStrike said the trouble was caused by a faulty software update that affected computers running Microsoft Windows, not by hacking or a cyberattack.
Indiana University experts can comment on the outage, how businesses can prepare for this in the future, and the latest on cybersecurity issues across the globe. For more information, contact Teresa Mackin at [email protected] or 317-274-5432 or Vic Ryckaert at [email protected].
Isak Nti Asare is the co-director of the Cybersecurity and Global Policy Program, the executive director at the IU Cybersecurity Clinic and a fellow at the Center for Applied Cybersecurity Research. His work and research are at the intersection of emerging technologies and policy.
Asare provided this comment for news media: "Although the outage should be viewed as a cyber incident in that a defective CrowdStrike content update caused major disruptions to people’s access to their technology, there are multiple other perspectives that are important to highlight here. First, from a political economy perspective, this incident underscores the risks of market centralization, revealing the dangers of heavy reliance on single entities. When one company controls essential services, any disruption can have widespread and far-reaching consequences, affecting global operations from airlines to everyday business functions. Secondly, the outage reveals the operational risks associated with over-reliance on specific technologies and vendors, emphasizing the need for robust contingency planning. Our increasing reliance on technology to deliver services underscores the need for operational measures to mitigate systemic risks in the short run. In the long run, economic diversification and regulatory measures might be needed to mitigate systemic risks and enhance global digital infrastructure resilience. Finally, as others like Bruce Schneier have argued the current patching paradigm – where companies update software as they find flaws is itself fundamentally flawed. Patching is a reactive measure that only addresses known vulnerabilities, leaving inherent software design flaws untouched. This creates what we might think of as security debt where patches pile up creating very complex systems that are hard to administer. All of this leads to more vulnerability and an increased attack service."
Xiaojing Liao is an assistant professor in the Department of Computer Science at the IU Luddy School of Informatics, Computing and Engineering in Bloomington. Her research interests include data-driven system security analysis, cyber threat intelligence, privacy compliance and enforcement.
Asaf Lubin is an associate professor of law at the IU Maurer School of Law. His research centers on the intersection of law and technology. His areas of expertise are in cybersecurity law, international law, law and technology, torts law, insurance law, laws of war, human rights law, international affairs, national security, intelligence studies, international criminal law, internet governance, data protection regulation, and informational privacy rights.
Lubin provided this quote for news media, "The need for manual reboots across numerous systems globally highlights a significant vulnerability: the likelihood that on occasion particular cyber incidents or technological errors and omissions could not be solved through an automated recovery process. It demonstrates the need to develop standard operating procedures for manual reboots to address various failure scenarios and reduce down time. Among other things we need regular training and simulations, building redundancies and failover mechanisms, and ensuring comprehensive documentation to increase resiliency.
"The incident also reveals an inherent dilemma in cybersecurity policy design which concerns the tension between centralized vs. decentralized architectures and concentrated vs. distributed software markets. Events like Crowdstrike and Solarwind, highlight the ways by which certain software solutions have such a wide reach globally that their fall could trigger significant economic losses and interruptions to critical infrastructures and businesses alike. It demonstrates that the greater there is competition and multiple operating systems and software solutions, the greater redundancy and resiliency there is within the market. At the same time, centralized and concentrated markets also offer greater ability to control software designs and incidents when they do happen. Consider in this regard the relative permissiveness of Microsoft’s Software Development Kit (SDK) versus a company like Apple which is known for far stricter controls on its SDK. The greater control you have on the development of software on your operating system, while leading to greater concentration of market power, also entails greater ability to manage security and safety risks and enforcing against design mishaps like the one from today," said Lubin.
Bipin Prabhakar is clinical professor of information systems, chair of Information Systems Graduate Programs and the Plus Kelley program and holds the Fettig/Whirlpool Fellowship at the Indiana University Kelley School of Business. In these roles he leads one of the most highly regarded Master of Science in Information Systems degree programs in the country as well as the school’s initiative to provide a pathway for arts, humanities and sciences students to access Kelley’s specialized master’s programs. Prabhakar’s research interests are in the areas of technology adoption and the evolution of IS job skills.
Scott J. Shackelford is Cybersecurity Program chair, director of the Ostrom Workshop Program on Cybersecurity and Internet Governance, and associate professor of business law and ethics at the IU Kelley School of Business. He is a senior fellow at IU’s Center for Applied Cybersecurity Research, academic director of the IU Cybersecurity Clinic and a term member at the Council on Foreign Relations.
Shackelford provided this quote for news media, "This incident underscores the importance of moving beyond a ‘move-fast-and-break-things’ mentality in the tech industry. Pushing out updates without any accounting for liability has made it very challenging for firms and users to have confidence in the software ecosystem.
In the EU just this year, regulators have extended products liability to software. If you buy a defective toaster and it burns down your home, you should be able to sue the manufacturer. The same is now true if it’s a smart, Internet-connected toaster. The US could, and should, follow suit. It’s time to move slow, and fix things."
Shackelford points to on the topic.
David Wild is an expert in the application of data technologies including Artificial Intelligence (AI) into complex areas including healthcare, drug discovery, emergency response & management, risk assessment, and cybersecurity & privacy. He is Professor in the at , founder of , a lab dedicated to use of technology in adverse and crisis environments, and is CEO of , a first-wave AI company solving a foundational problem in disaster management.
Wild provided this quote for news media, "Today's events highlight the need for better digital resilience for companies, governments and importantly for individuals. Our technology infrastructure is amazing but also complex and vulnerable, and the steps people need to build resilience are not always obvious."
is an associate professor of computer science at Indiana University Bloomington. He directs the System Security Foundations lab at IU. Research he led has significantly and extensively changed security design (access control, authentication) in apps/systems that people use everyday, across Android, iOS/iPad/MacOS, Chrome, Apple Home (HomeKit), Google Home, SmartThings, Facebook, AWS IoT, Azure IoT, etc.​, which have implemented and deployed their security designs/protections. His research has led to the discovery of 60+ new types of vulnerabilities in the design of commercial and open-source systems, uncovering novel attack techniques.