Friday afternoon felt a lot like the 12-minute mark in a disaster movie.
Choked airports, crashed payment systems, news anchors improvising, and the sudden ubiquity of Microsoft’s now famous blue screen of death, with its strangely ominous sad face.
The difference of course is that in the movie, there’s a villain pulling the strings — a hostile foreign power, a money-hungry cyber gang, or even a fanatical cult, intent on bringing entire nations to their knees.
In the version we witnessed yesterday, the culprit was in some ways more dangerous; it was our own systems.
Cyber security experts all over the world are still scrambling to understand what caused the largest outage in history.
It may be weeks or even months before we have the full picture, but what’s certain is that two separate systems — Microsoft’s cloud service, Azure, and a software update from cyber security company CrowdStrike — malfunctioned on the same day.
CrowdStrike has since apologised and taken a large measure of responsibility, saying a software bug in one of its updates triggered the problems for Microsoft too.
Both are thoroughly woven into the fabric of the world’s digital ecosystem.
CrowdStrike has an almost 18 per cent share of the global market for anti-virus protection, while Microsoft’s Azure enjoys a 25 per cent share of that cloud services market.
Felling two giants like that had a catastrophic effect, and the resemblance to the long-running nightmares of governments and movie fans alike was uncanny.
As the crisis was unfolding, UNSW’s sober-minded and well-respected cyber security expert, Professor Richard Buckland, named it as such on national TV.
“It is playing out how an attack would play out,” he told the ABC.
“We could be getting a taste now, even if it is just a dress rehearsal for what a cyber warfare or cyber terror attack would look like.”
All the world’s a stage, but are the players ready?
If yesterday was an inadvertent dress rehearsal for anything more sinister that may come down the line, the obvious question is: how did we go?
Using Hollywood as a benchmark, not appallingly. Flights were cancelled, but none dropped from the sky, and at the time of writing, not a single government has fallen.
But life doesn’t always imitate art.
And cyber security experts are emerging from the past 24 hours more worried, not less.
“The key to resilience is not in predicting the future, but in being prepared to adapt,” said Shane Ripley, a senior threat analyst at cyber security firm Recorded Future.
“Yesterday was a clear indication that the collective ‘we’ is certainly not ready to adapt”.
On top of that, we may have sleepwalked into a what Dr Ripley calls a “shadow risk” as great as those that dominate our nightmares and screenplays.
That risk, he argued, is the over-reliance of the world’s critical systems on a shrinking pool of service providers, such as Microsoft and CrowdStrike.
Put simply, there are too many of us using too few of the same tech companies — all in the name of cost-saving and convenience.
“There is a cost to that convenience and we all paid that yesterday,” Dr Ripley said.
Many in the cyber security field, including Professor Buckland, are now questioning whether it’s even been a wise trade.
“It gives us all of the benefits of using this great software from [these] companies but it is a risk,” Professor Buckland said.
“With airlines using it, banks using it, we do have to think: what other risks are we accepting as well as the benefits?”
If we want to stop short of the 13th minute in every single disaster film, we might have to change.
“Better legislation and guidance is needed … the smallest deed is better than the greatest intention,” Dr Ripley said.
“We need action, not ideas, to stop this re-occurring.”
Loading…
Posted , updated