System failure

MARY REICHARD, HOST: Up next, global technology on the fritz.

On Friday, Microsoft computer systems around the world went down, and airline, bank, and hospital workers watched their screens turn blue with error messages. That kicked off all sorts of problems from canceled flights to delayed medical prescriptions.

NICK EICHER, HOST: The culprit was not a cyberattack or power failure, but a systems update glitch. The company responsible is a cybersecurity firm called CrowdStrike.

Joining us now to talk about what went wrong is Mark Montgomery. He’s an expert on cybersecurity at the Foundation for Defense of Democracies.

REICHARD: Mark, good morning.

MARK MONTGOMERY: Good morning, and thank you for having me.

REICHARD: Well, we’re so glad you’re here. What can you tell us about CrowdStrike, the software company at the center of this story?

MONTGOMERY: CrowdStrike is a pretty well-respected cybersecurity company. They build some of the cybersecurity tools you'll find in our .mil or our military domain, our intelligence community domains, as well as in, you know, three or 400 of the Fortune 500 companies. So I mean, they're really a ubiquitous company with a large global footprint, and a reputation normally for a high level security, reliability and performance.

REICHARD: What do we know so far about why this software update went so wrong?

MONTGOMERY: What strikes me is likely that this was, you know, a bad patch. I think that's what we're starting to understand, which is a, you know, a routine, automated push of edited software into existing cybersecurity systems. This one very specifically, you know, impacted Windows because of how Windows accepts changes in, and that more greatly impacted them. But you know, basically what it is is human error, but it's human error that really reveals the vulnerability and the fragility of our overall cybersecurity networks in the United States and among our developed allies and partners.

REICHARD: Well, speaking to that, I mean this glitch affected a lot of companies and services. What other changes would industries need to make to avoid problems like this in the future?

MONTGOMERY: I think most companies got to take a very questioning attitude towards automatic updates right now. The idea that something is not getting a kind of due diligence on the customer end, and I think customers over time have become used to this system where patches come in, they're validated by the cybersecurity company providing them, and they allow the systems to self-deploy. There's going to be a much more questioning attitude towards that type of process and procedures going forward.

REICHARD: Is there any other aspect of the story that you think warrants more attention from the general public?

MONTGOMERY: I think you have to combine this story with a story we heard about three months ago called Volt Typhoon. Volt Typhoon was a Chinese operation to install malware in our national critical infrastructures, you know, rail, ports, aviation, electrical power grids, financial services, water. The intelligence community, our intelligence community reported that it happened in Guam, Hawaii, the West Coast of the United States—trust me, China has a map, they know there's a Midwest and an East Coast, you know, this malware is positioned in those networks as well. So we got a little taste of the impact of malware in this unintended cyber incident, and we know that our adversary is thinking about, how do you properly employ that to do the maximum damage to the United States ability to either, as I said earlier, conduct, military mobility of our forces, but also economic productivity, so that we can compete during a crisis or contingency, or even public health and safety, so people lose faith in the credibility, credibility of the government to provide basic services? All of that is at risk because of our fragile network system that has insufficient security and reliability built into it, and until we fix that, you know, I think events like this CrowdStrike problem or the previous Microsoft problems are going to repeat themselves.

REICHARD: It does seem especially scary that we have a generation that doesn't remember what it was like before we had all these conveniences, and then you have my generation who doesn't know what to do when these conveniences fail. So how do we fix that?

MONTGOMERY: Well, you know, you're not the only person thinking that way. Two congressmen, you know, two weeks ago, Representative Crenshaw and Magaziner from Texas and Rhode Island, Republican and Democrat, actually put in a piece of legislation asking the government, what's it take to go back to manual? And they were talking very specifically to the electrical power grid, but you can apply this to almost any major critical infrastructure. What's it take if we have a significant takedown of our cyber networks in an industry or infrastructure? That's a fair question to ask. Some of us have been asking that question about how do we do what's called continuity economy. How do we continue the economy running after major cyber attack? How do we rapidly restore systems? Maybe the answer is you go back to manual. Now I'll tell you, the problem with manual is, manual requires people, and the people that did that manual work, 25-30 years ago are long gone from the industry. So when the industry has to shift from automatic to manual, there's not a workforce present to do it.

REICHARD: Final question here, then…what can businesses and individuals do about all of this?

MONTGOMERY: You know, first, at a personal level you do need to be protecting yourselves against cyber intrusions. Make sure you have good passwords. Make sure you have good multi-factor authentication. Make sure you don't answer emails from Nigerian princes, right? Don't commit to a phishing problem. But when you think about businesses, what can they do? It's about resilience. It's about assuming bad stuff is going to happen, then once it happens, how do I rapidly recover, not in days or weeks, but minutes or hours? How do I get my system or how does my company gets its system up and running rapidly? One, to save money, two, for reputational damage, and three, to provide that service that our customers and our country expects. So, building that resilience, building that redundancy, building that reliability, that's what businesses need to be doing.

REICHARD: Mark Montgomery is senior director of the Center on Cyber and Technology Innovation with the Foundation for Defense of Democracies. Mark, thanks so much for your time!

MONTGOMERY: Thank you for having me, Mary.

WORLD Radio transcripts are created on a rush deadline. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of WORLD Radio programming is the audio record.