Foreseen Accident: Targeting the Software Supply Chain
At 4 a.m. (UTC) on July 19, 2024, the London Stock Exchange and the Malaysia Stock Exchange experienced severe service outages. Numerous customers of South Africa’s largest bank, Capitec Bank, faced transaction rejections, and some of Tesla’s production lines were temporarily halted, sending employees home early. In Washington, D.C., the subway system was delayed, and airport counters around the world were rendered inoperable. The UK’s NHS also faced system disruptions, with medical record storage and appointment systems going down, halting all medical activities such as new patient bookings, consultations, and prescriptions. Additionally, point-of-sale (POS) systems malfunctioned across various industries, including broadcasting, gaming, sports, and other service sectors, restricting store operations.
All these disruptions occurred simultaneously, and the root cause was traced to a malfunction in CrowdStrike’s Falcon Sensor EDR (Endpoint Detection and Response) security software, running on Microsoft Windows. While this is both shocking and frightening, it was also something that could have been anticipated.
This incident, which caused problems for about 8.5 million PCs worldwide, only affected users running Microsoft’s OS; Mac and Linux users were unaffected. CrowdStrike claimed that the issue was due to a content update failure, not a security breach or cyberattack.
However, the real problem came next. Following CrowdStrike’s technical error, cases of malicious code distribution arose, and phishing emails impersonating CrowdStrike support started tricking users into entering personal information. More importantly, this incident gave hackers ideas for new attack methods. Recently, cyberattacks targeting software supply chains from North Korea have surged. Unlike ransomware, which targets specific companies, the main targets here are software developers providing security or application software, with the goal of mass distribution through update servers. Although the CrowdStrike incident was a serious and widespread failure, it feels like just the beginning, and the risk of similar incidents is rapidly increasing.
Still Complacent About Security… “Another Safe Day”
“Ring~” It was a call from the Chairman.
Kim, the Chief Information Security Officer (CISO), who was conducting an emergency internal review meeting after the CrowdStrike incident, hurriedly answered the phone.
“Mr. Kim! What about this CrowdStrike incident? Are we affected?”
“No, Chairman! We’ve checked, and since we use a Linux OS and top-tier domestic security software instead of CrowdStrike, we’re not affected.”
“Oh, really? So, we’re not at risk? And we’re prepared for similar incidents in the future, right?”
“Yes, that’s right! We are thoroughly prepared with the latest security software and daily security management checks.”
“Good. As the company’s dependence on IT grows, make sure to manage everything thoroughly.”
“Understood, Chairman.”
This conversation was typical of many companies in the country. It may seem like there’s nothing wrong with the dialogue. As everyone knows, investment in information security is never-ending. Deciding how much to invest to prepare for unforeseen security incidents is always a challenge for CISOs and management. Security investments often end up at the bottom of the priority list, especially when business performance declines, because it’s difficult to apply a strict ROI (Return on Investment) measure to security.
“Black Hackers Study Harder Than White Hackers”
One thing to remember: while black hackers (attackers) aren’t necessarily smarter than white hackers (defenders), they certainly study harder. White hackers and security solution developers focus on known attack methods and how to prevent them, whereas black hackers are always researching unknown methods and sharing them with each other. While the CrowdStrike incident was not a security breach but rather a human error during the software update process, it has undoubtedly provided hackers with new ideas, increasing the likelihood of similar incidents.
Even if your company doesn’t use Microsoft environments or relies on different security software, you can’t let your guard down. You must examine all potential vulnerabilities that could lead to similar security failures and establish response systems. This is not limited to security software alone but extends to all applications used in cloud environments.
I don’t mean to criticize the CISOs of the country’s top companies, but there’s a strong chance that they inadvertently report inaccurately to senior management regarding information security management. This doesn’t mean they’re lying, but the likelihood is high that they will report from a “we’re safe today” perspective. When an incident happens to a neighboring company, they will tighten up and run inspections, but since the incident didn’t directly affect them, they tend to report, “We are handling this well.”
It’s difficult for senior management to be fully aware of this situation. And it’s even harder to justify significant investments in security for incidents that may never happen. The key, however, is ensuring that employees, the CISO, and senior management are all fully aware of these potential risks. Information security training shouldn’t be just a box-ticking exercise; everyone should understand that if the IT system goes down, the company’s operations could be paralyzed.
Security Is a Management Task, Not Just an IT Responsibility
I believe that a company’s security department shouldn’t be part of the IT team but should operate under the risk management team within the strategy division. In today’s era of IT governance, almost all work, except field operations, is conducted in front of a PC. Most of the company’s assets are stored within IT systems, and interactions with customers rely heavily on IT systems. IT isn’t merely a support function for the company’s management and operations; IT is the company’s operations. Furthermore, the rapid rise of generative AI is quickly transforming the way we work, and hackers are also arming themselves with new tools.
From a technical perspective, IT-related departments should handle security, but decisions need to be made from a company-wide perspective, involving top executives. This is why we need information security committees, where CISOs, CEOs, and other senior executives participate. However, there also needs to be a shift in focus: the executive overseeing the strategic division should be even more deeply involved in decision-making and analysis than the CISO.
A Matter of Sustainability for Security Companies
The CrowdStrike incident is not just a technical issue; it’s a prime example of the vulnerabilities in the global IT ecosystem. Although this was a technical failure during a software update and not a security breach, the impact was vast. Such incidents can happen at any time, and preparing for them is not merely the responsibility of the IT department; it’s a company-wide responsibility.
Company executives must recognize the importance of information security and ensure proper investment in it. Additionally, employees must be made aware of the significance of security, with regular training and inspections to maintain readiness. Most importantly, information security should not be seen as just the IT department’s job; it’s a matter of company-wide importance. Ultimately, this is an issue tied directly to the sustainability of the business.
Therefore, senior management should not leave security solely to the IT department but treat it as a part of the company’s strategy. By collaborating with the risk management team, a company-wide security framework can be established to better prepare for potential future threats and strengthen corporate stability.
Note
The above content is an English translation of a series on cybersecurity written by Bruce Lee, published by IFS (The Institute for the Future of State). The copyright of the content belongs to Bruce Lee and IFS, and any citation should include proper attribution to the original source.