The Crowdstrike Fiasco And The Regulation Angle
With all the political news over the weekend, some may have already forgotten what would otherwise be a neverending news item: the global outage of IT services that occurred on Friday, described as the largest in history, which froze the operations of countless companies and banks, forced all planes in the United States to land, caused an estimated $1 billion of damage and, perhaps worst of all, forced your correspondent’s favorite bakery to revert to pen and paper for a day.
An automatic update to Microsoft’s Windows operating system left affected computers stuck in a boot loop, starting and restarting over and over. It was eventually determined that the update did not come from Microsoft itself but from Crowdstrike, a large, publicly traded cybersecurity company.
Crowdstrike provides cybersecurity software that requires root, kernel-level access to operate. The type of software in question is called EDR, for Endpoint Detection and Response. EDR is supposed to be more sophisticated than a simple antivirus and to protect against more elaborate threats, but that means it requires a great depth of access to the system. The kernel is the heart of an operating system, the part of the software on which all the other parts run. A “root” account is an account that has all privileges and power on a system. A botched update to Crowdstrike’s software therefore had the ability to break every computer running it in the most fundamental way.
The fact that third-party software, which its publisher can decide to update remotely, had this level of access on the critical systems of many important industries immediately looked like a blindingly obvious vulnerability and a gigantic oversight.
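The failure mode described above, a remotely pushed update that leaves a host restarting forever, leaves a recognizable trace in logs. The following is an added example (not code from the article or from any vendor) of detection logic that flags hosts which keep rebooting without ever completing a boot after an update; the log format and the sample lines are constructed for illustration.

```python
# Added example, not from the article: flag hosts stuck in a boot loop right
# after a software update, using constructed sample log lines.
# Assumed log format (an illustration, not any real product's format):
#   <host> <ISO timestamp> <event>   where event is one of
#   update_installed | boot_start | boot_ok
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: three hosts receive the same update; two of them
# restart repeatedly and never reach boot_ok, one boots cleanly.
SAMPLE_LOG = """\
host-a 2024-01-05T04:09:00 update_installed
host-a 2024-01-05T04:10:00 boot_start
host-a 2024-01-05T04:11:00 boot_start
host-a 2024-01-05T04:12:00 boot_start
host-b 2024-01-05T04:09:00 update_installed
host-b 2024-01-05T04:10:00 boot_start
host-b 2024-01-05T04:10:30 boot_ok
host-c 2024-01-05T04:09:00 update_installed
host-c 2024-01-05T04:10:00 boot_start
host-c 2024-01-05T04:10:20 boot_start
host-c 2024-01-05T04:10:40 boot_start
host-c 2024-01-05T04:11:00 boot_start
"""

def parse(log_text):
    """Group (timestamp, event) pairs by host."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        host, ts, event = line.split()
        events[host].append((datetime.fromisoformat(ts), event))
    return events

def boot_looping_hosts(log_text, min_boots=3, window=timedelta(minutes=10)):
    """Return hosts with at least min_boots boot_start events and no boot_ok
    inside `window` after their most recent update_installed event."""
    flagged = []
    for host, evs in parse(log_text).items():
        evs.sort()
        updates = [t for t, e in evs if e == "update_installed"]
        if not updates:
            continue            # no update on this host, nothing to correlate
        since = updates[-1]
        after = [(t, e) for t, e in evs if since <= t <= since + window]
        boots = sum(e == "boot_start" for _, e in after)
        booted_ok = any(e == "boot_ok" for _, e in after)
        if boots >= min_boots and not booted_ok:
            flagged.append(host)
    return sorted(flagged)
```

Run against the sample, `boot_looping_hosts(SAMPLE_LOG)` returns host-a and host-c; host-b completed a boot and is not flagged.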
It also didn’t take long for people to notice that most of the outages occurred in heavily-regulated industries: banks, airlines, health care, and so on.
It turns out that Crowdstrike (the last time you heard from them may have been when the DNC hired them to investigate the infamous hack of its emails, a breach they eventually determined to be the act of government-sponsored Russian hackers) has positioned its products to solve a regulatory, rather than a technical, problem.
The key culprits here seem to be FISMA, the Federal Information Security Management Act (updated as the Federal Information Security Modernization Act), and the NIST Cybersecurity Framework. NIST is the National Institute of Standards and Technology.
While no NIST rule mandates that cybersecurity software have kernel access, its rules nevertheless imply it. At issue is NIST Special Publication 800-53 (NIST SP 800-53), which is a big document setting out rules and guidelines that Federal information systems, contractors, and others must abide by.
Specifically, at issue are the following sections of NIST SP 800-53: SI-3, titled “Malicious Code Protection,” and SI-4, titled “System Monitoring.” While these texts don’t specifically mandate kernel and root access for cybersecurity software, they do mandate a level of monitoring and protection of the system that makes such access necessary in practice.
Federal contractors and big companies in regulated industries must “check the compliance box” of NIST SP 800-53, and Crowdstrike has managed to position itself as the best way to meet those compliance requirements. The cybersecurity experts we have spoken to have not exactly praised Crowdstrike’s software capabilities. The CEO of a high-tech software startup we spoke to told us he refuses to use Crowdstrike’s software because he considers it to be insecure, even though doing so causes him headaches and complaints from auditors.
In short, the Crowdstrike outage seems to be a classic example of the problem of unintended consequences of well-intentioned regulation. A cautionary tale indeed.
Policy Links
#K12 – AEI’s Rick Hess, whose thoughts on education we always enjoy, has one takeaway from the Republican Convention as it relates to education policy: the “NatCons” have conclusively won over the “Reagan-Buckley conservatives” inside the Party, and most forecasts of policy if Trump is reelected seem to underrate that fact. This is obviously a huge subject in its own right, one to which we hope to return.
#Savings – A common complaint against the US economy is that it is too oriented around consumption and not enough around investment, or (which is equivalent in macroeconomic terms) that Americans don’t save enough. Therefore, Cato is right to inform us that “Rep. Diana Harshbarger (R‑TN-01) recently introduced an updated and expanded bill to create universal savings accounts (USAs) with an annual contribution limit of $10,000,” with much more simplified rules than the current complex of 401(k)s, IRAs, and so on. Things like this seem like a no-brainer.
#TaxPolicy – The Inflation Reduction Act would increase taxes on future purchases of wireless spectrum. The problem with that, the Tax Foundation explains, is that it could slow the build-out of 5G technology in the United States, at a time when other countries, particularly China, are not only not taxing such infrastructure, but heavily subsidizing it.
#FinReg #CivilRights – The Biden Administration has been notoriously hostile to the cryptocurrency/blockchain industry. In particular, it has jailed developers of privacy-preserving technologies. According to Luke Hogg, director of policy and outreach at the Foundation for American Innovation, an outfit whose work we strongly recommend, a second Trump Administration should simply pardon them.
#FreeSpeech – Dave Rose of AEIR uses the right analogy to understand the government’s use of Big Tech platforms to engage in censorship: the mob. Tony Soprano doesn’t outright tell you he will hurt you if you don’t do what he says, but he strongly implies it, and that’s enough. “Nice social media platform you got there. It’d be a shame if something happened to it.”
#Antisemitism – At the Ripon Forum, Rep. Mike Lawler, sponsor of the Antisemitism Awareness Act, reminds us of the scale of the antisemitism problem in the US. “Jewish citizens account for 2.4 percent of our population, yet they are the targets of about 60 percent of religious hate crimes.” The Act was criticized for its wording at the time of passage. We evaluated those criticisms here, finding them to be partly, but only partly, unfair. Whatever the issues with the Act’s wording, Rep. Lawler is certainly right to point out the alarming scale of the underlying problem–one which is driven by the noxious combination of immigration from Muslim countries and the Democratic Party’s abetting of its extreme wing.
#TaxPolicy – Vance Ginn, AEIR: “The Economic Folly of a Carbon Tax”
#BigTech – From Reuters: “Nvidia preparing version of new flagship AI chip for Chinese market”
Chart of the Day
From the great wokeness researcher David Rozado:
Meme of the Day