Does the “CrowdStrike” Crisis Motivate Cybersecurity Localization?

On July 19th, the cybersecurity solutions company “CrowdStrike” announced a technical malfunction in its “Falcon” threat detection system, which led to the disruption of 8.5 million devices worldwide running Windows, according to Microsoft estimates. The screens of these devices turned blue, displaying a warning message about processor incompatibility. This had widespread economic and social impacts, especially on devices used in critical facilities.
Although the company confirmed that the malfunction was due to a faulty update and not a cyberattack, it renews the discussion about the impacts of monopolizing the global tech landscape, particularly in the cybersecurity market. This giant monopolistic entanglement, guarded by unified systems, means that a single unintended error can lead to significant losses. This not only draws attention to the consequences of this massive malfunction but also revives many issues related to global cybersecurity.
Significant Losses:
The “Blue Screen of Death” (BSOD) that appeared on devices running Windows caused panic among essential services affected by the faulty update to CrowdStrike’s “Falcon” security system, including government agencies, banks, airlines, payment systems, emergency centers, TV networks, and healthcare systems. These services rushed to implement fixes ranging from simple reboots to complex recovery procedures. The global cybersecurity company issued a statement acknowledging the malfunction, including instructions on the procedures to be followed and how to restart affected devices in “Safe Mode.”
Although this malfunction affected only 1% of devices running Windows worldwide, its impact led to widespread losses, ranging from minor inconveniences to severe economic losses, particularly among airlines that had to cancel flights, resulting in lost revenue, fuel costs, insurance, and other expenses. More than 5,000 flights were canceled globally. Companies had to issue handwritten boarding passes for some passengers, and rail services, payment systems, banking services, healthcare, and media were also affected. This led to travel disruptions and business interruptions from retail sales to parcel deliveries to hospital procedures, in what was described as the largest tech disruption in history.
The security system’s clients were not the only losers; the producing company also suffered immediate losses. CrowdStrike lost a fifth of its value in pre-market trading in the United States, dropping by 21% in unofficial trading, meaning a loss of $16 billion in its valuation in one day. Microsoft shares also fell by 0.53%, not to mention the compensation expected to be paid to the affected parties, which is expected to exceed $1 billion at the very least.
Renewed Issues:
CrowdStrike, a cybersecurity company founded in 2011 and headquartered in Texas, has built a broad network of nearly 24,000 clients in just 13 years. The company has been involved in investigating several major cyberattacks, such as the 2014 hack of Sony Pictures by a group called “Guardians of Peace” and the hacking of Democratic National Committee computers during the 2016 U.S. elections. By 2023, the company’s value had reached $80 billion, with annual revenues of $3 billion, making it one of the most valuable and widely used cybersecurity companies.
This significant growth and large market share in cybersecurity bring to the forefront numerous issues related to the monopoly of major tech companies and its impact on digital security and business continuity. On a smaller scale, the six-hour outage of Meta’s social media apps in 2021 caused global disruption and concern, especially with many institutional communications relying on these platforms, as did the Twitter outage in 2019, the Amazon outage in 2021, and the 2020 Google outage when many of its services, including Gmail, YouTube, and Google Docs, were down for several hours due to an issue with Google’s identity and permissions management system.
The 2020 hack of the American systems and network management software company SolarWinds also allowed attackers to access the systems of several U.S. government agencies, including the Departments of Defense, Treasury, Commerce, and Energy, as well as many major companies due to the widespread use of the company’s services, which had more than 300,000 clients worldwide.
Statistics indicate that the telecommunications and information security technology market is dominated by several major companies, led by Palo Alto Networks, with a market value of $107 billion and serving more than 80,000 companies worldwide, followed by CrowdStrike, and then Fortinet with a market value of $44.7 billion, claiming on its website to serve more than 755,000 clients globally.
This monopoly is part of the global tech monopoly phenomenon, represented by giant tech companies like Microsoft, which is connected to this crisis. Windows holds 72% of the global operating system market as of February 2024. Microsoft is also the second-largest tech company globally in terms of market capitalization, valued at $3.3 trillion, and the third in annual revenue, with $236.6 billion.
The crisis also raises issues regarding the access and control powers that these systems possess and their reliance on “deep integration,” which gives them immense influence over the devices they protect. For instance, the Falcon sensor relies on Endpoint Detection and Response (EDR) technology, which detects and blocks attacks and threats and requires regular updates to respond to new threats as they arise. This in turn requires wide access to the protected device, including its most central and sensitive components, so a glitch in a single update was enough to disable devices precisely because of the extensive access the system enjoys.
On the other hand, the CrowdStrike malfunction raises questions about the efficiency of globally prevalent security systems. While the company specializes in solving technical problems, a faulty update to its own system caused the outage, appearing to overlook the basics of software updates: simulation, auditing, verification, safety checks, comprehensive testing, rollback mechanisms, and, above all, gradual (staged) rollout to limit the impact of errors.
This also relates to the immunity of these systems against breaches and the severity of the consequences if a breach occurs, especially as these systems become more widespread and complex. This risk increases with reliance on AI systems, which may themselves be susceptible to “poisoning attacks,” where an attacker modifies the training data of an AI system to achieve the desired outcome during inference. By manipulating the training data, the attacker can create backdoors in the model, where input using a specified trigger leads to specific outputs, allowing them to poison the model itself to benefit the malicious entity. Likewise, “prompt injection” attacks occur when an attacker crafts malicious prompts as inputs to a Large Language Model (LLM), causing the model to behave in unintended ways. These “prompt injections” are often designed to make the model ignore aspects of its original instructions and follow the attacker’s commands instead.
This leads to another issue related to “reliability”: the ability to entrust security tasks to a single, sometimes all-encompassing, service provider, and what that implies for the efficiency, flexibility, and independence of the cybersecurity system. While relying on unified systems speeds up integration, simplifies the design of training programs, and enables exchange and collaboration within and across institutions, it simultaneously exposes the whole interconnected system, dependent on that one provider, to collapse or disruption whenever the provider makes a mistake, suffers a technical glitch, or is attacked.
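The update safeguards listed above (verification, testing, rollback, and staged rollout) and the blast-radius concern raised in the paragraph on single-provider reliance can be made concrete in a small simulation. The following is an added example written for this article, not CrowdStrike code and not a description of how Falcon updates are actually shipped: it models a fleet of hosts, validates an update's integrity and structure before anything is deployed, pushes it ring by ring (a 1% canary, then 10%, then everyone), and rolls every host back as soon as the failure rate in the deployed set exceeds a threshold. The ring sizes, the health threshold, the JSON "rules" format and the idea that a given version "crashes" a host are all constructed assumptions for illustration.

```python
"""Staged rollout with pre-flight validation and automatic rollback (illustrative).

Added example, not vendor code. Ring fractions, thresholds, update format and the
simulated fleet are constructed assumptions; the technique itself is generic.
"""
import hashlib
import json
from dataclasses import dataclass


@dataclass
class Update:
    version: str
    payload: bytes
    sha256: str  # digest published alongside the payload (assumed convention)


def make_update(version: str, doc: dict) -> Update:
    """Build an update whose digest matches its payload (constructed helper)."""
    payload = json.dumps(doc).encode()
    return Update(version, payload, hashlib.sha256(payload).hexdigest())


def validate_update(update: Update) -> list[str]:
    """Pre-flight checks: integrity, well-formedness, and a non-empty rule set."""
    problems = []
    if hashlib.sha256(update.payload).hexdigest() != update.sha256:
        return ["digest mismatch"]
    try:
        doc = json.loads(update.payload)
    except ValueError:
        return ["payload is not valid JSON"]
    rules = doc.get("rules") if isinstance(doc, dict) else None
    if not isinstance(rules, list) or not rules:
        problems.append("no rules in update")
    for i, rule in enumerate(rules or []):
        if not isinstance(rule, dict) or "pattern" not in rule:
            problems.append(f"rule {i} missing 'pattern'")
    return problems


class Fleet:
    """Simulated fleet of hosts. Versions listed in crash_on make a host unhealthy
    after they are applied; this stands in for a real health signal (constructed)."""

    def __init__(self, size: int, baseline: str = "1.0", crash_on=()):
        self.versions = {f"host{i:03d}": baseline for i in range(size)}
        self.previous = {}
        self.crash_on = set(crash_on)

    def apply(self, host: str, version: str) -> None:
        self.previous[host] = self.versions[host]
        self.versions[host] = version

    def healthy(self, host: str) -> bool:
        return self.versions[host] not in self.crash_on

    def rollback(self, host: str) -> None:
        if host in self.previous:
            self.versions[host] = self.previous.pop(host)


# Deployment rings: cumulative fraction of the fleet that has the update after each ring.
RINGS = [("canary", 0.01), ("early", 0.10), ("broad", 1.0)]
MAX_FAILURE_RATE = 0.02  # roll back if more than 2% of deployed hosts are unhealthy


def staged_rollout(fleet: Fleet, update: Update, rings=RINGS,
                   max_failure_rate=MAX_FAILURE_RATE) -> dict:
    """Validate, then deploy ring by ring; roll back everything on a health regression."""
    problems = validate_update(update)
    if problems:
        return {"status": "rejected", "problems": problems, "applied": 0}
    hosts = sorted(fleet.versions)
    applied = []
    done_upto = 0
    for name, fraction in rings:
        target = max(int(round(len(hosts) * fraction)), 1)
        batch = hosts[done_upto:target]
        for h in batch:
            fleet.apply(h, update.version)
        applied.extend(batch)
        done_upto = max(done_upto, target)
        failed = sum(1 for h in applied if not fleet.healthy(h))
        if failed / max(len(applied), 1) > max_failure_rate:
            for h in applied:          # undo on every host touched so far
                fleet.rollback(h)
            return {"status": "rolled_back", "ring": name,
                    "failed": failed, "applied": len(applied)}
    return {"status": "complete", "applied": len(applied)}


if __name__ == "__main__":
    fleet = Fleet(200, crash_on={"2.0"})
    print(staged_rollout(fleet, make_update("2.0", {"rules": [{"pattern": "x"}]})))
    print(staged_rollout(fleet, make_update("2.1", {"rules": [{"pattern": "x"}]})))
```

The point of the canary ring is that a defective update reaches two of the two hundred hosts before the controller notices and reverts them; the remaining 198 never see it. Validation catches the cheaper failures (tampered or malformed content) before any host is touched, while the health check catches the ones that only show up once the update runs.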
Localization and Diversification:
The crisis brings to mind calls for cybersecurity localization and the importance of relying on national security systems, building professional capacities, and avoiding over-reliance on global systems that, despite their efficiency, raise numerous issues related to the influence and control of these large companies and their wide access and control powers. It also highlights the need for diversification between systems from different sources, ensuring that cybersecurity systems are aligned with local context and needs. This ensures that tech investments in the cybersecurity sector are worthwhile and consistent with internal and external risks and threats, according to national priorities and resource allocation. Building national capacities should be paralleled with establishing external partnerships and adding national qualification requirements when contracting with global tech companies.
This also involves implementing Business Continuity Management (BCM) systems to ensure proactive management of cyber threats and dealing with their consequences, ensuring the continuity of tech systems, preserving data, and responding to attacks. This must be done while considering regulatory, human, and technical factors within a strategic framework based on quick response, prioritizing national interest, enforcing law, and balancing national capacity building with global partnerships. It also involves developing and activating tech emergency centers ready to intervene quickly in case of major disruptions and working to solve problems in collaboration with the concerned companies.
It is not only important to choose the best system for protection and cybersecurity but also to formulate a system for analyzing and evaluating risks, ensuring business continuity, and drafting recovery plans. Regularly reviewing and updating policies and procedures based on lessons learned from actual incidents and anticipated scenarios is equally crucial.