Cybersecurity means sticking to trusted vendors, not just any vendors

The Crowdstrike software outage disrupted airlines, banks, supermarkets and other major services, causing significant inconvenience to millions of people around the world.

Many are surprised by the fact that so many global operations and organizations rely on so few cybersecurity companies. As a result, a mistake at just one company can result in blue screens, canceled flights, and frozen financial transactions around the world.

Yet well-meaning calls for a broader range of cybersecurity vendors to avoid single points of failure overlook the fact that there aren’t many truly reliable companies out there.

Much like the 5G dilemma in the late 2010s, when two Scandinavian companies were considered the only safe options, once you look beyond the big cybersecurity companies, mostly based in the US, many alternatives are unattractive or even unthinkable, such as the big Chinese vendors. Diversifying cybersecurity services to spread the risk is not so easy, at least not immediately.

While it would be ideal to have more reliable suppliers, the focus must be on trust, not just availability. Australia must continue to entrust its critical infrastructure, technology and services only to trusted suppliers who do not pose long-term risks beyond occasional errors that cause outages.

There is no perfect system or product. All require regular maintenance and therefore have vulnerabilities. The risks are twofold: the first is unforced errors, either due to human failure or technical issues, and the second is malicious actors and malware. There are ways to mitigate both risks, but not to eliminate them completely.

A temporary outage should be considered a known risk in our digital world, just as we accept that floods and fires are realities of the natural world. An inconvenience does not mean a disaster.

Malicious threats are ultimately the biggest problem, and the best way to protect yourself is to stick with trusted vendors. Rushing to vendors from high-risk countries—whether China or Russia, given the shady ties of US-banned Kaspersky—would solve the trustworthiness problem by creating an even bigger security hole.

In 2018, allowing Chinese companies to supply Australia’s 5G infrastructure would have provided some immediate comfort. But we, followed by many Western countries and partners, decided that only Nokia and Ericsson could guarantee long-term security and sovereignty.

This episode was a wake-up call: over time, we need industrial policies, involving collaboration with friendly countries, to ensure that we have resilient sectors in critical technologies and that we are never faced with a single choice: Chinese suppliers or other high-risk suppliers.

And this also applies to cybersecurity. A greater choice of trusted suppliers would of course be in the national interest, but this is a longer-term challenge.

Trust is paramount. That doesn’t just mean trusting that everything will go well, but also trusting how a vendor behaves when something goes wrong. At no point have there been any security issues with Crowdstrike. There are of course security implications, with criminals looking to exploit people trying to reconnect as quickly as possible.

But Crowdstrike’s transparency helped mitigate these risks. We knew within minutes what the problem was, Crowdstrike delivered a fix within 80 minutes, and its CEO issued a public apology for the disruption within hours.

Such transparency could not be expected from operators in countries like China.

Compare the situation to the COVID outbreak; imagine the digital equivalent of Beijing’s cover-up of the virus’s origins – even if it was a technical error, not a malicious act.

Also compare the Crowdstrike incident with another major event this year that exposed the world’s reliance on software: the XZ attack discovered in late March. The China-based hacker who privately claimed responsibility for the attack spent two years infiltrating and infecting the Linux compression tool XZ, software used by organizations around the world, including Australian intelligence agencies.

The malware infection could have spread worldwide if a US-based engineer had not noticed, in the course of his private work, that the software based on XZ was running about half a second slower than it should and reported the anomaly. His message allowed the Five Eyes intelligence agencies to prevent the attack. Of course, the added irony is that if this public-spirited engineer had lived in China, he would never have been able to make such a revelation.

While Crowdstrike was criticized for taking nearly six hours to apologize for a mistake, the XZ hacker only expressed regret that his plan to secretly infect hundreds of millions of computers had been foiled.

Cybersecurity companies must be given a special kind of trust because they need privileged access to our computer networks to be effective. We let them in so they can protect us.

Imagine a cybersecurity company being controlled by a foreign state and being forced to insert or distribute a malicious update.

Beijing passed a law in 2021 that requires any company operating in China to report any coding flaw to a government agency before patching the vulnerability or disclosing its existence publicly. An Atlantic Council report makes it clear that information about the bug is then shared with Chinese state-sponsored hackers, who exploit it.

Against this backdrop, our own Australian Signals Directorate this month led a group of allied intelligence agencies in declaring that China’s Ministry of State Security was behind major cyber attacks on Australian networks.

It’s hard to imagine a major Australian bank, airline or other critical infrastructure operator turning to a Chinese cybersecurity company. But, as with 5G, many countries might see it as an acceptable alternative.

For Australia, the lesson is that we must accept, for now, the risk of occasional and widespread outages due to our reliance on a few trusted companies. In the longer term, resilience can come from incentives to build and strengthen our own cybersecurity sectors. In the face of a bushfire season, we would never turn to arsonists simply because they know pyrology. Similarly, we should not learn the wrong lessons from the Crowdstrike blackout.
