The Crowdstrike software outage disrupted airlines, banks, supermarkets and other major services—causing significant inconvenience for millions of people worldwide.
It has prompted many to marvel that so many global operations and organisations rely on so few cybersecurity companies—and hence a bungle at a single firm means blue screens, grounded flights and frozen financial transactions across the world.
Yet the well-meaning calls to have a wider range of cybersecurity providers to avoid single points of failure overlook the fact that there aren’t a lot of truly trusted firms out there.
Much like the 5G dilemma in the late 2010s—in which two Scandinavian firms were considered the only safe options—once you search beyond the big, mostly United States-based cyber security companies, many of the alternatives are unpalatable or even unthinkable, such as big Chinese providers. Diversification of cybersecurity services to spread the risk around isn’t so easy, at least immediately.
Yes, more trusted providers would be ideal. But the emphasis must be on trust, not simply availability. Australia should continue to entrust our critical infrastructure, technology and services only to proven providers that don’t pose long-term and deeper risks than occasional mistakes causing outages.
There is no perfect system or product. All require regular maintenance and will therefore have vulnerabilities. The risks are twofold: the first is unforced errors either through human failure or technical glitches, and the second is the threat from malign actors and malicious software. There are ways to mitigate both—but not to eliminate them altogether.
A temporary outage should be seen as a known risk of our digital world, just as we accept that floods and fires are realities in the natural world. Inconvenience isn’t the same as catastrophe.
Malign threats ultimately pose the bigger problem, and the best way to safeguard against those is to stick with trusted providers. To turn hastily to providers from high-risk countries–whether China or Russia given the shadowy connections of the US-banned Kaspersky–would amount to solving the reliability issue by creating an even worse security weakness.
In 2018, allowing Chinese companies to supply Australia’s 5G infrastructure would have brought a degree of immediate convenience. But we, followed by many Western and partner nations, resolved that only Nokia and Ericsson could ensure long-term security and sovereignty.
That episode was a wake-up call that, over time, we need industry policies, involving collaboration with friendly nations, to ensure we have resilient sectors across critical technologies and won’t ever be left with our only choice being Chinese or other high-risk vendors.
And that goes for cybersecurity as well. Greater choice of trusted providers would of course be in the national interest, but that is a longer-term challenge.
Trust is everything. This doesn’t just mean trust that nothing will go wrong–it means trust when something does go wrong. At no stage was there a security problem with Crowdstrike. There are, of course, flow-on safety effects, with criminals seeking to take advantage of people who are trying to get back online as quickly as possible.
But the transparency Crowdstrike showed has helped mitigate these risks. We knew within minutes what the problem was, Crowdstrike produced a fix in under 80 minutes and its CEO posted a public apology for the disruption within hours.
We couldn’t possibly expect such transparency from operators in countries like China.
Compare the situation with the COVID outbreak; imagine the digital equivalent of Beijing’s cover up of the origins of the virus—even if it was a technical error and not a malicious action.
Compare also the Crowdstrike disruption with another major event this year that exposed the world’s dependence on software—the XZ attack uncovered in late March. The China-based hacker who privately claimed responsibility spent two years infiltrating and infecting Linux compression tool XZ—software that is used by organisations globally, including by Australia’s intelligence agencies.
The malicious infection would have spread across the world had it not been for a US-based engineer who, working in his private time, noticed that software relying on XZ was operating about half a second more slowly than it should, and reported the anomaly. His post meant the Five Eyes intelligence agencies were able to prevent the attack. Of course, the added irony is that if the public-spirited engineer had lived in China, he could never have made such a disclosure.
While Crowdstrike was criticised for taking almost six hours to apologise for a fault, the XZ hijacker was only sorry that his plot to covertly infect hundreds of millions of computers was disrupted.
Cybersecurity firms need to enjoy a special type of trust because they require privileged access to our computer networks to be effective. We let them in so they can protect us.
Imagine if a cybersecurity company was controlled by a foreign state and could be compelled to insert or spread a malicious update.
Beijing passed a law in 2021 that requires any business operating in China to report any coding flaws to a government agency before patching the vulnerability or revealing its existence publicly. A report from the Atlantic Council makes clear that the information about the bug is then shared with China’s state-sponsored hackers, who exploit them.
Consistent with this, our own Australian Signals Directorate just this month led a group of allied intelligence agencies in declaring that China’s Ministry of State Security was behind major cyber attacks on Australian networks.
Granted, it is hard to imagine a major Australian bank, airline or other critical infrastructure operator turning to a Chinese cybersecurity firm. But, as with 5G, many countries might see it as an acceptable alternative.
For Australia, the lesson is that we must accept, for now, the risk of occasional widespread outages due to our reliance on a few trusted firms. Longer term, resilience can come from incentives to build and strengthen our own cybersecurity sectors. Facing a bushfire season, we would never turn to firebugs just because they know a thing or two about pyrology. Likewise, we mustn’t learn the wrong lessons from the Crowdstrike blackout.