‘We’re losing our resiliency as a nation,’ a cybersecurity consultant says.
As companies and government agencies around the world scramble to restore their computer systems following last week’s global outage from a faulty software update, questions are being raised about whether proper protocols for updates were followed.
Simultaneously, technology analysts are raising concerns about the extent of America’s increasing dependence on an oligopoly of cloud computing firms.
An antivirus software update issued on July 19 by CrowdStrike, one of the largest cybersecurity companies, caused more than a billion Windows-based computers to crash, taking down essential operations at airports, hospitals, 911 centers, police departments, trains, jails and other municipal services, as well as corporate operations.
The company has issued multiple apologies since the event and pledged to resolve the issues, much of which cannot be done through system-wide updates but requires fixes on individual computers.
CrowdStrike Chief Security Officer Shawn Henry stated on a LinkedIn post: “On Friday we failed you, and for that I’m deeply sorry.
“The confidence we built in drips over the years was lost in buckets within hours, and it was a gut punch,” Mr. Henry wrote. “But this pales in comparison to the pain we’ve caused our customers and our partners.”
Cybersecurity experts have raised questions about whether CrowdStrike may have circumvented best-practice procedures when it circulated the July 19 update.
“The cautionary tale, to me, is the basics—for patches, updates, and on critical business systems, take the 10 minutes to test them,” Robert Thomas, owner of 180A Consulting, a cybersecurity company, and a former Defense Department staffer, told The Epoch Times.
“You take one minute and you download the patch; you take another minute, you install the patch on a test system; one more minute, you reboot the system, and then you run tests against your business-critical software applications.”
The Center for Internet Security (CIS) and the National Institute of Standards and Technology (NIST) have created standard protocols regarding how software updates should be conducted. Had they been followed, Mr. Thomas said, the flaws in the update should have become apparent before it was circulated to users.
