System Failure | WORLD

MARY REICHARD, HOST: Next up is the global technology that’s in disarray.

On Friday, Microsoft computer systems around the world went down, and employees at airlines, banks and hospitals saw their screens turn blue with error messages, causing everything from canceled flights to delayed medical prescriptions.

NICK EICHER, HOST: The culprit wasn’t a cyberattack or a power outage, but a glitch in the system update. The company responsible is a cybersecurity firm called CrowdStrike.

Joining us now to talk about what went wrong is Mark Montgomery, a cybersecurity expert at the Foundation for Defense of Democracies.

REICHARD: Mark, good morning.

MARK MONTGOMERY: Good morning and thank you for having me here.

REICHARD: Well, we’re so glad you’re here. What can you tell us about CrowdStrike, the software company at the center of this story?

MONTGOMERY: CrowdStrike is a pretty respected cybersecurity company. They build some of the cybersecurity tools that you’ll find in our .mil or our military domain, our intelligence community domains, and also in, you know, three or 400 of the Fortune 500 companies. So I mean, they’re really a ubiquitous company with a large global footprint, and our reputation is typically for high levels of security, reliability, and performance.

REICHARD: What do we know so far about why this software update failed so badly?

MONTGOMERY: What strikes me is that this was probably a bad patch. I think we’re starting to understand that, which is a routine, automated push of edited software into existing cybersecurity systems. This one very specifically, you know, affected Windows because of the way Windows accepts changes, and that had an even greater impact on them. But you know, it’s fundamentally human error, but it’s human error that really exposes the vulnerability and the fragility of our overall cybersecurity networks in the United States and among our developed allies and partners.

REICHARD: Well, when we talk about that, I mean this outage has affected a lot of businesses and services. What other changes should industries make to prevent these kinds of problems in the future?

MONTGOMERY: I think most companies now have to take a very questioning attitude toward automatic updates. The idea that something isn’t getting some kind of due diligence from the customer, and I think customers have gotten used to this system over time where patches come in, they’re validated by the cybersecurity company that’s delivering them, and they let the systems deploy themselves. There’s going to be a much more questioning attitude toward those kinds of processes and procedures going forward.

REICHARD: Is there another aspect of the story that you think deserves more attention from the general public?

MONTGOMERY: I think you have to tie that story together with a story that we heard about three months ago called Volt Typhoon. Volt Typhoon was a Chinese operation to plant malware in our national critical infrastructure, you know, railroads, ports, aviation, power grids, financial services, water. The intelligence community, our intelligence community reported that it happened in Guam, Hawaii, the West Coast of the United States — believe me, China has a map, they know there’s a Midwest and an East Coast, you know, this malware was planted in those networks as well. So we got a taste of the impact of malware in this unintended cyber incident, and we know that our adversary is thinking about, how do you use that in the right way to inflict the maximum damage to the ability of the United States to, as I said earlier, to conduct military mobility of our forces, but also economic productivity so that we can compete in a crisis or emergency, or even public health and safety, so that people lose confidence in the credibility, the credibility of the government to provide basic services? All of this is at risk because of our vulnerable network system, which is not sufficiently secured and reliable. As long as we do not solve this, events like the CrowdStrike problem or the previous problems with Microsoft will continue to happen.

REICHARD: It seems especially scary that we have a generation that can’t remember what it was like before we had all these conveniences, and then you have my generation that doesn’t know what to do when those conveniences fail. So how do we fix that?

MONTGOMERY: Well, you know, you’re not the only one who thinks that way. Two members of Congress, you know, two weeks ago, Representatives Crenshaw and Magaziner from Texas and Rhode Island, Republican and Democrat, actually introduced a bill that asks the government, what does it take to go back to manual? And they were talking very specifically about the electric grid, but you can apply this to almost any major critical infrastructure. What does it take if we have a significant decommissioning of our cyber networks in an industry or infrastructure? That’s a fair question to ask. Some of us have asked that question about how do we do what’s called the continuity economy. How do we keep the economy going after a major cyberattack? How do we restore systems quickly? Maybe the answer is you go back to manual. Now I’ll tell you, the problem with manual is that manual requires people, and the people who were doing that manual work 25, 30 years ago are long gone from the industry. So when the industry needs to switch from automatic to manual, there is no labor available to do it.

REICHARD: Last question here: what can companies and individuals do about this?

MONTGOMERY: When you ask, what’s the next step? You know, first of all, there’s a personal level where you have to protect yourself from cyberattacks. Make sure you have good passwords. Make sure you have good multi-factor authentication. Make sure you’re not answering emails from Nigerian princes, right? Don’t have a phishing problem. But when you think about businesses, what can they do? It’s about resilience. It’s about assuming that bad things are going to happen, and when they do, how do I recover quickly, not in days or weeks, but in minutes or hours? How do I get my system or my business system up and running quickly? First, to save money, second, reputational damage, and third, to provide that service that our customers and our country expect. So, building that resilience, building that redundancy, building that reliability, that’s what businesses have to do.

REICHARD: Mark Montgomery is the senior director of the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies. Mark, thank you for your time!

MONTGOMERY: Thank you for having me here, Mary.


WORLD Radio transcripts are produced expeditiously. This text may not yet be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of WORLD Radio programming is the audio recording.
