The Crowdstrike incident has the potential to make IT pros gun-shy about patching.

The Real Tragedy (Potentially) Caused by the Crowdstrike Outage

Airline passengers stranded for days. 911 systems down for hours. Retail stores closed because their POS systems would not boot. Global supply chains disrupted. The fallout from Crowdstrike’s ill-fated content update is difficult to quantify, or even to comprehend. Yet despite its devastating impact, the real, long-term unwelcome ramifications of this episode could exceed last week’s initial pain.

By now, even those outside the cybersecurity community know that Crowdstrike pushed a content update which caused over 8 million Windows devices to crash. Pushing content updates is something Crowdstrike does frequently, and has done for “many, many years” according to Crowdstrike’s CEO. What’s important to appreciate is that the update was not the result of a security vulnerability, but rather Crowdstrike modifying its threat intelligence to account for new threats to its customers’ endpoints, precisely what an EDR product does. (The crash itself was a reliability defect, the sensor failing to handle a malformed content file, not an exploitable flaw.) This is equivalent to an antivirus vendor releasing a new version of its signature base to add protections against new threats, and is demonstrably different from a traditional “patch” that’s released to close specific gaps in software that can be exploited by threat actors.

Why does that matter?

Political operatives often talk about candidate behaviors being consistent with the “narrative” the public associates with them. If a politician perceived to be intelligent uses a word incorrectly or is unfamiliar with the details of a particular issue, it has limited impact on their image. If, however, a candidate is perceived to be less than intellectually impressive, making exactly the same errors reinforces the “narrative” surrounding them, and can be devastating to their political prospects, especially over time.

The Crowdstrike episode has the potential to do just that. In short, it will be common to conflate the Crowdstrike content update disaster with disruptions caused by security updates, and to reinforce the well-established (albeit inaccurate) narrative that patches break stuff…a lot. Never mind that 1) the Crowdstrike update was not a patch, and 2) patches rarely break stuff in contemporary IT operations.

So the real long-term danger of the Crowdstrike calamity could be that it will give IT operators (already paranoid about patch-induced disruptions) permission to delay the deployment of actual security patches, giving bad actors more time to exploit the vulnerabilities those patches are designed to eliminate. The lesson of a bad vendor push is to deploy in stages and keep a tested rollback path, not to stop deploying.

Twenty years ago, the risk calculation with respect to patching favored a cautious approach: patches frequently caused disruptions, threat actors were fewer in number, and their tools and communities were much less sophisticated (not to mention that monetizing a successful compromise was far more difficult before cryptocurrency). Fast forward to today, and that calculation is inverted: both the type and number of threats have exploded, and patches very rarely cause operational issues. Mischaracterizing the Crowdstrike incident as the result of a “security update” (common especially in the mass media) will only serve to reinforce commonly held misconceptions about modern patching.

More than a few pundits have asked the hypothetical question, “what if this were an actual cyber attack?” Setting aside the reality that this outage had nothing to do with a cyber attack, it’s a question that accidentally stumbles on a very real possibility: a knee-jerk reaction to this incident will give threat actors many more opportunities to exploit unpatched vulnerabilities, potentially generating more chaos, over time, than the incident itself.