LAS VEGAS — For Cybersecurity and Infrastructure Security Agency Director Jen Easterly the doomed CrowdStrike software update that took global IT systems and networks offline last month holds a "big lesson" for critical infrastructure.
“The CrowdStrike incident was such a terrible incident,” Easterly said Wednesday during a media briefing at the Black Hat cybersecurity conference, but “it was a useful exercise, like a dress rehearsal for what China may want to do to us.”
The outage was not the result of a malicious act, but rather a basic field input error that caused an out-of-bounds memory read. Yet, to Easterly, the widespread chaos it caused offers a clear example of what could occur if China-affiliated attackers make good on its efforts to cause systemic disruption to U.S. critical infrastructure.
When Easterly learned of the outage, around 2 a.m. on July 19: “What was going through my mind was ‘oh, this is exactly what China wants to do.’”
The outage highlighted the need for resilient systems to keep operations running in the wake of an incident or disruptive attack. But, for many of CrowdStrike's customers, normal operations ground to a halt.
Easterly gave the example of Volt Typhoon, a China state-sponsored threat group which has intruded and embedded in multiple U.S. critical infrastructure sectors to potentially launch disruptive or destructive attacks in the event of a conflict in the Taiwan Strait.
Federal authorities early this year warned that intrusions by the state-sponsored threat group and other China-linked groups are part of an extensive effort to maneuver in preparation for future attacks. The nation’s drinking and wastewater sector has confronted heightened threat activity from state-linked and criminal hackers targeting vulnerable water utilities.
The would-be attackers are effectively lying in wait.
Easterly and other U.S. officials worry these potential attacks could target pipelines, water systems, transportation and communications to incite panic and societal chaos.
CrowdStrike outage exemplifies unmet need for resiliency
CISA is a voluntary partnership agency, but as America’s cyber defense agency and the national coordinator for critical infrastructure security and resilience, it played a big role early on in trying to assess the impact of the outage CrowdStrike caused and worked with CrowdStrike to release mitigation guidance.
“It just reinforced what we’ve been saying about the importance of technology vendors designing, developing, testing and deploying software that is secure by design. And we saw that cybersecurity vendors were not immune from issues around software quality and design,” Easterly said.
“And it really reinforced just how ubiquitous software is and how much we depend on it working properly,” Easterly said.
While the CrowdStrike incident is widely regarded as one of the largest IT outages in history, it could have been worse, especially if malicious attackers were involved.
Federal cyber authorities say the China state-linked intrusions of U.S. critical infrastructure, at least the ones they're aware of, are likely just the tip of the iceberg.
“There is, we believe, much we are not seeing which is why we have been very clear that we shouldn’t focus on preventing,” Easterly said.
“I mean obviously, we want to prevent, but it really is about building resilience into our networks and our systems so that we can withstand significant disruption, at least drive down the recovery time to be able to provide services.”
Disclosure: Black Hat and Cybersecurity Dive are both owned by Informa. Black Hat has no influence over Cybersecurity Dive’s coverage.