Guess how long the Spritzler Report was down during the crisis. Exactly 2.5 milliseconds. Why? Because we don't use Crowd-F-cking-Strike. We have our own team of 20 pencil-neck computer geeks that stand guard over our 3-acre data center located under a mountain in an undisclosed location.
CrowdStrike Is Too Big to Fail
Learn from the 2008 financial crisis and pay attention to systemically important tech companies.
By Jonathan Welburn, WSJ
July 22, 2024 5:19 pm ET
If you couldn’t use your laptop last week, you weren’t alone. A computer system disruption swept the globe on Friday, grounding flights, stopping trains, and bringing businesses to a halt. Worse, the outage was traced to a single security update, underscoring the risks of global interconnectivity, particularly among firms critical to public safety, economic stability and national security.
The blackout came courtesy of CrowdStrike, a cybersecurity company that reportedly serves some 29,000 customers. They weren’t the only ones affected; when a CrowdStrike software update went awry, the computers and tablets of millions of people using Microsoft Windows went kaput.
This isn’t the first time we’ve experienced a domino effect like this. The enduring lesson of the 2008 banking crisis was that failures in one corner of a market can cascade through the entire economy. That’s why Congress deemed certain banks “too big to fail” and subsequently adopted new regulations and oversight in the financial system. The government has identified “global systemically important banks,” which it consistently monitors through stress tests.
The CrowdStrike outage makes clear that this problem isn’t unique to finance, and it isn’t the first such warning. Dual cyberattacks in 2017 exploited a Windows vulnerability and unleashed ransomware on thousands of organizations across the world. The attacks brought down businesses, hospitals and schools.
Shipping giant Maersk reported up to $300 million in damages as the incident triggered supply-chain disruptions that affected its customers, its customers’ customers and so on. In a 2021 research paper,Aaron Strong and I modeled these losses and estimated that the Maersk disruption alone may have cost more than $10 billion across the global economy. Other cyberattacks—such as the 2020 SolarWinds breach and 2021 Colonial Pipeline attack—also revealed how strikes on interconnected firms can spark devastating chain reactions.
Fortunately the U.S. is alert to the danger. In a 2020 report to Congress, the Cyberspace Solarium Commission, a bipartisan interagency outfit, recommended measures to strengthen U.S. defenses against cyberattack. The government has already implemented several of these, such as establishing a new national cyber director and a collaborative cyberdefense collaborative.
The Cybersecurity and Infrastructure Security Agency is pursuing another recommendation: developing a list of systemically important entities across the economy. This is essential given our constantly evolving geopolitical and economic environment. Today’s list might include highly concentrated and interconnected firms in technology, communications, energy and finance. Tomorrow’s may focus on an even smaller set behind cutting-edge artificial-intelligence models and systems. As the agency proceeds, it should make its updated list public.
Last year RAND outlined an approach to identifying and prioritizing these entities. We sought firms that are so big, interconnected or hard to replace that one’s failure would create significant, wide-ranging and potentially long-lasting consequences for the U.S. if not the world. Our report highlighted how the government might discern “systemic importance” by measuring a company’s size, role in global supply chains and market share.
The CrowdStrike outage underscores that the global economy and U.S. national security are vulnerable to attack. Thousands of firms operate across sectors and jurisdictions. Managing their risks will require intragovernmental, and perhaps international, coordination.
This work will begin with identifying industries of concern, opening channels of communication for information sharing, and requiring disclosures where necessary. Policymakers ought to use tools like stress tests to identify potential sources of failure, plan for disruption, and ensure that any regulation doesn’t distort the market.
The world has changed since 2008. Washington must be alert not only to banks but a variety of organizations whose collapse would disrupt the economy and threaten our security. Planning for such possibilities today can strengthen our resilience and ensure we aren’t stuck in the dark again.
Mr. Welburn is a senior researcher at RAND.
Comments