So…
That little computer “incident” on Friday…
What did you think of it?
I truly hope none of you were flying. Or had a medical emergency – or even a medical nuisance.
I didn’t experience any problems personally. But I know far too many other people did. Texas-based cybersecurity firm CrowdStrike (CRWD), it turns out, has a hand in a whole lot of pots around the world.
It also turns out that the company needs more oversight when implementing updates.
That, we’ve been told, was what crashed so many important and critical systems around the world. According to Fortune, more than half of Fortune 500 companies use CrowdStrike, along with a long list of small- and medium-sized businesses.
It’s one of the world’s biggest cybersecurity providers, with airlines, hospitals, and news sources among its clients. That’s why, as risk-management software company Interos noted on Friday:
The outage impacted 674,620 direct customer relationships of CrowdStrike and Microsoft, and over 49 million indirectly, according to Interos data. While the U.S. was the most affected country, with 41% of impacted entities, the disruption was also felt at major ports and air freight hubs in Europe and Asia. Ports from New York to Los Angeles and Rotterdam reported temporary shutdowns, while air freight suffered the hardest blow, with thousands of flights grounded or delayed.
The outage exacerbates existing supply chain challenges amid rising global demand and freight prices, highlighting the potential long-term implications for global trade and finance.
All this to say that CrowdStrike’s abject failure was exceptionally unsettling, at best. And I expect this breakdown will prompt it, its clients, and many non-clients as well to evaluate how vulnerable they really are.
It’s Scary Out There
We’ve known for years now how powerful hackers can be.
That’s why companies like CrowdStrike exist in the first place, after all.
How many businesses have had to send out alerts that their data was compromised in the last decade? Just in 2024 so far, Nissan, Dropbox, the BBC, Advance Auto Parts, and AT&T have all had to acknowledge breaches.
Then there are the organizations that are completely shut down until they pay to be released. JBS, the world’s largest meatpacker, still comes to mind when I think of ransomware… even though that attack happened in 2021. Other notable attacks the same year included those against the Colonial Pipeline, the Steamship Authority of Massachusetts, and the Washington D.C. police department.
That year may have seemed epic for ransomware. But the U.S. Cyber Threat Intelligence Integration Center reports that this problem is ongoing and increasing.
While 2022 was a much quieter year:
The number of ransomware attack claims worldwide in 2023 rose 74% as compared with 2022… Attacks increased – by more than 40% – against the agriculture, defense and government, energy, healthcare, IT, and transportation sectors….
Now, CrowdStrike has sworn up and down that a cyber-attack of any kind was not responsible for bringing it to its technological knees. The company’s official story is that it issued a faulty update for one of its platforms.
Who knows. That may be the case. Though, one way or the other, it’s an enormous black mark on a business that’s supposed to be both tech-savvy and secure.
I imagine many of CrowdStrike’s small business customers – some of which experienced irrevocable damage on Friday – are rethinking their cybersecurity choices. And I’m sure the same is true of some larger organizations as well.
But here’s a client category that most people aren’t talking about, as far as I’ve seen: government entities.
Because, along with Fortune 500 companies, CrowdStrike directly markets itself to both state and federal groups. This includes the Social Security Administration, which had to shut down all of its offices on Friday.
NASA wasn’t as affected, but it still had issues. The same went for the Federal Trade Commission.
Oh, yeah, and the Department of Homeland Security wasn’t operating at full power either.
This isn’t good, my friends. It’s not good at all.
And mark my words: It’s going to warrant a response.
Bring on the Money!
I’m not saying that everyone abandons CrowdStrike, mind you. But I’m with the investors who sent it down 13.46% yesterday: The company is going to lose business because of this mishap.
My big takeaway on this story, however, isn’t to sell CrowdStrike. Instead, it coincides with data I recently read about government spending on cybersecurity.
While researching COPT Defense Properties (CDP) – a real estate investment trust that caters to defense and IT tenants – I discovered that the federal government’s defense budget for fiscal year 2024 is a whopping $831 billion.
That’s up from $799 billion in 2023 and $729 billion in 2022.
That is defense in general, mind you. But go to the official White House page, www.whitehouse.gov, where you can find the Biden administration’s specific stance on information technology.
Back on March 11, it published the proposal for “spending $75 billion on IT at civilian agencies in 2025” – a category that very much includes cybersecurity. Moreover, it specifically calls for “departments and agencies” to “continue to increase the safety and security of public services” through cybersecurity efforts that:
-
Defend critical infrastructure
-
Disrupt and dismantle threat actors
-
Shape market forces to drive security and resilience
-
Invest in a resilient future
-
Forge international partnerships to pursue shares goals
That agenda was part of the $1.2 trillion government spending bill Biden signed into reality at the end of March – way before federal government workers were greeted by the “blue screen of death” this past Friday.
Controversial though it was, that funding is in effect through March 2025. And while the presidential administration that takes over in January could (and should) slash that amount intensely…
I think Republicans and Democrats alike can agree that our need for proper defense is only increasing. Everyone realizes that, if we want to protect our country, our economy, and our very way of life, we need to keep Friday’s “mishap” from happening again.
Recognizing that, countries and companies that can afford it won’t think nearly as hard about upping their cybersecurity spending going forward.
It’s just a matter of how much of that spending won’t go to CrowdStrike.
Regards,
Brad Thomas
Editor, Intelligent Income Daily