{"id":87973,"date":"2024-07-23T06:00:28","date_gmt":"2024-07-22T20:00:28","guid":{"rendered":"https:\/\/www.aspistrategist.ru\/?p=87973"},"modified":"2024-07-22T23:54:05","modified_gmt":"2024-07-22T13:54:05","slug":"cyber-security-means-sticking-with-trusted-not-any-providers","status":"publish","type":"post","link":"https:\/\/www.aspistrategist.ru\/cyber-security-means-sticking-with-trusted-not-any-providers\/","title":{"rendered":"Cyber security means sticking with trusted, not any, providers"},"content":{"rendered":"
\"\"<\/figure>\n

The Crowdstrike software outage disrupted airlines, banks, supermarkets and other major services\u2014causing significant inconvenience for millions of people worldwide.\u202f<\/span>\u00a0<\/span><\/p>\n

It has prompted many to marvel that so many global operations and organisations rely on so few cybersecurity companies\u2014and hence a bungle at a single firm means blue screens, grounded flights and frozen financial transactions across the world.<\/span>\u202f<\/span>\u00a0<\/span><\/p>\n

Yet the well-meaning calls to have a wider range of cybersecurity providers to avoid single points of failure overlook the fact that there aren\u2019t a lot of truly trusted firms out there. <\/span>\u202f<\/span>\u00a0<\/span><\/p>\n

Much like the 5G dilemma in the late 2010s\u2014in which two Scandinavian firms were considered the only safe options\u2014once you search beyond the big, mostly United States-based cyber security companies, many of the alternatives are unpalatable or even unthinkable, such as big Chinese providers. Diversification of cybersecurity services to spread the risk around isn\u2019t so easy, at least immediately.<\/span>\u202f<\/span>\u00a0<\/span><\/p>\n

Yes, more trusted providers would be ideal. But the emphasis must be on trust, not simply availability. Australia should continue to entrust our critical infrastructure, technology and services only to proven providers that don\u2019t pose long-term and deeper risks than occasional mistakes causing outages.<\/span>\u202f<\/span>\u202f<\/span>\u00a0<\/span><\/p>\n

There is no perfect system or product. All require regular maintenance and will therefore have vulnerabilities. The risks are twofold: the first is unforced errors either through human failure or technical glitches, and the second is the threat from malign actors and malicious software. There are ways to mitigate both\u2014but not to eliminate them altogether.\u202f<\/span>\u00a0<\/span><\/p>\n

A temporary outage should be seen as a known risk of our digital world, just as we accept that floods and fires are realities in the natural world. Inconvenience isn\u2019t the same as catastrophe.<\/span>\u202f<\/span>\u00a0<\/span><\/p>\n

Malign threats ultimately pose the bigger problem, and the best way to safeguard against those is to stick with trusted providers. To turn hastily to providers from high-risk countries\u2013whether China or Russia given the shadowy connections of the US-banned Kaspersky\u2013would amount to solving the reliability issue by creating an even worse security weakness.<\/span>\u202f<\/span><\/p>\n

In 2018, allowing Chinese companies to supply Australia\u2019s 5G infrastructure would have brought a degree of immediate convenience. But we, followed by many Western and partner nations, resolved that only Nokia and Ericsson could ensure long-term security and sovereignty.<\/span>\u202f<\/span>\u00a0<\/span><\/p>\n

That episode was a wake-up call that, over time, we need industry policies, involving collaboration with friendly nations, to ensure we have resilient sectors across critical technologies and won\u2019t ever be left with our only choice being Chinese or other high-risk vendors.<\/span>\u202f<\/span>\u00a0<\/span><\/p>\n

And that goes for cybersecurity as well. Greater choice of trusted providers would of course be in the national interest, but that is a longer-term challenge. <\/span>\u202f<\/span>\u00a0<\/span><\/p>\n

Trust is everything. This doesn\u2019t just mean trust that nothing will go wrong\u2013it means trust when something does go wrong. At no stage was there a security problem with Crowdstrike. There are, of course, flow-on safety effects, with criminals seeking to take advantage of people who are trying to get back online as quickly as possible. <\/span>\u202f<\/span>\u00a0<\/span><\/p>\n

But the transparency Crowdstrike showed has helped mitigate these risks. We knew within minutes what the problem was, Crowdstrike produced a fix in under 80 minutes and its CEO posted a public apology for the disruption within hours. <\/span>\u202f<\/span>\u00a0<\/span><\/p>\n

We couldn\u2019t possibly expect such transparency from operators in countries like China. <\/span>\u202f<\/span>\u00a0<\/span><\/p>\n

Compare the situation with the COVID outbreak; imagine the digital equivalent of Beijing\u2019s cover up of the origins of the virus\u2014even if it was a technical error and not a malicious action.<\/span>\u202f<\/span>\u00a0<\/span><\/p>\n

Compare also the Crowdstrike disruption with another major event this year that exposed the world\u2019s dependence on software\u2014the XZ attack uncovered in late March. The China-based hacker who privately claimed responsibility spent two years infiltrating and infecting Linux compression tool XZ\u2014software that is used by organisations globally, including by Australia\u2019s intelligence agencies. <\/span>\u202f<\/span>\u00a0<\/span><\/p>\n

The malicious infection would have spread across the world had it not been for a US-based engineer who, working in his private time, noticed that software relying on XZ was operating about half a second more slowly than it should, and reported the anomaly. His post meant the Five Eyes intelligence agencies were able to prevent the attack. Of course, the added irony is that if the public-spirited engineer had lived in China, he could never have made such a disclosure.<\/span>\u202f<\/span>\u00a0<\/span><\/p>\n

While Crowdstrike was criticised for taking almost six hours to apologise for a fault, the XZ hijacker was only sorry that his plot to covertly infect hundreds of millions of computers was disrupted.<\/span>\u202f<\/span>\u00a0<\/span><\/p>\n

Cybersecurity firms need to enjoy a special type of trust because they require privileged access to our computer networks to be effective. We let them in so they can protect us. <\/span>\u202f<\/span>\u00a0<\/span><\/p>\n

Imagine if a cybersecurity company was controlled by a foreign state and could be compelled to insert or spread a malicious update.<\/span>\u202f<\/span>\u00a0<\/span><\/p>\n

Beijing passed a law in 2021 that requires any business operating in China to report any coding flaws to a government agency before patching the vulnerability or revealing its existence publicly. A <\/span>report from the Atlantic Council<\/span><\/a> makes clear that the information about the bug is then shared with China\u2019s state-sponsored hackers, who exploit them.<\/span>\u202f<\/span>\u00a0<\/span><\/p>\n

Consistent with this, our own Australian Signals Directorate just this month led a group of allied intelligence agencies in declaring that China\u2019s Ministry of State Security was behind major cyber attacks on Australian networks.<\/span>\u202f<\/span>\u00a0<\/span><\/p>\n

Granted, it is hard to imagine a major Australian bank, airline or other critical infrastructure operator turning to a Chinese cybersecurity firm. But, as with 5G, many countries might see it as an acceptable alternative.<\/span>\u202f<\/span>\u00a0<\/span><\/p>\n

For Australia, the lesson is that we must accept, for now, the risk of occasional widespread outages due to our reliance on a few trusted firms. Longer term, resilience can come from incentives to build and strengthen our own cybersecurity sectors. Facing a bushfire season, we would never turn to firebugs just because they know a thing or two about pyrology. Likewise, we mustn\u2019t learn the wrong lessons from the Crowdstrike blackout.<\/span>\u202f<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"

The Crowdstrike software outage disrupted airlines, banks, supermarkets and other major services\u2014causing significant inconvenience for millions of people worldwide.\u202f\u00a0 It has prompted many to marvel that so many global operations and organisations rely on so …<\/p>\n","protected":false},"author":1559,"featured_media":87975,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_mi_skip_tracking":false,"footnotes":""},"categories":[1],"tags":[52,391,95,713,2138,728,332],"class_list":["post-87973","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-general","tag-china","tag-cyber","tag-cyber-security","tag-cyberattack","tag-cybersecurity","tag-hacking","tag-technology","dinkus-crowdstrike-outage"],"acf":[],"yoast_head":"\nCyber security means sticking with trusted, not any, providers | The Strategist<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.aspistrategist.ru\/cyber-security-means-sticking-with-trusted-not-any-providers\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Cyber security means sticking with trusted, not any, providers | The Strategist\" \/>\n<meta property=\"og:description\" content=\"The Crowdstrike software outage disrupted airlines, banks, supermarkets and other major services\u2014causing significant inconvenience for millions of people worldwide.\u202f\u00a0 It has prompted many to marvel that so many global operations and organisations rely on so ...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.aspistrategist.ru\/cyber-security-means-sticking-with-trusted-not-any-providers\/\" \/>\n<meta property=\"og:site_name\" content=\"The Strategist\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/ASPI.org\" \/>\n<meta property=\"article:published_time\" content=\"2024-07-22T20:00:28+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-07-22T13:54:05+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2024\/07\/GettyImages-2162103744.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1024\" \/>\n\t<meta property=\"og:image:height\" content=\"683\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Justin Bassi\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@ASPI_org\" \/>\n<meta name=\"twitter:site\" content=\"@ASPI_org\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Justin Bassi\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.aspistrategist.ru\/#website\",\"url\":\"https:\/\/www.aspistrategist.ru\/\",\"name\":\"The Strategist\",\"description\":\"ASPI's analysis and commentary site\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.aspistrategist.ru\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-AU\"},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-AU\",\"@id\":\"https:\/\/www.aspistrategist.ru\/cyber-security-means-sticking-with-trusted-not-any-providers\/#primaryimage\",\"url\":\"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2024\/07\/GettyImages-2162103744.jpg\",\"contentUrl\":\"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2024\/07\/GettyImages-2162103744.jpg\",\"width\":1024,\"height\":683,\"caption\":\"PARAGUAY - 2024\/07\/19: In this photo illustration, the CrowdStrike Holdings, Inc. logo is displayed on a smartphone screen. (Photo Illustration by Jaque Silva\/SOPA Images\/LightRocket via Getty Images)\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.aspistrategist.ru\/cyber-security-means-sticking-with-trusted-not-any-providers\/\",\"url\":\"https:\/\/www.aspistrategist.ru\/cyber-security-means-sticking-with-trusted-not-any-providers\/\",\"name\":\"Cyber security means sticking with trusted, not any, providers | The Strategist\",\"isPartOf\":{\"@id\":\"https:\/\/www.aspistrategist.ru\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.aspistrategist.ru\/cyber-security-means-sticking-with-trusted-not-any-providers\/#primaryimage\"},\"datePublished\":\"2024-07-22T20:00:28+00:00\",\"dateModified\":\"2024-07-22T13:54:05+00:00\",\"author\":{\"@id\":\"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/5e2d55ef0c16714833ccf2506197d321\"},\"breadcrumb\":{\"@id\":\"https:\/\/www.aspistrategist.ru\/cyber-security-means-sticking-with-trusted-not-any-providers\/#breadcrumb\"},\"inLanguage\":\"en-AU\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.aspistrategist.ru\/cyber-security-means-sticking-with-trusted-not-any-providers\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.aspistrategist.ru\/cyber-security-means-sticking-with-trusted-not-any-providers\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.aspistrategist.ru\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Cyber security means sticking with trusted, not any, providers\"}]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/5e2d55ef0c16714833ccf2506197d321\",\"name\":\"Justin Bassi\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-AU\",\"@id\":\"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/ae57bc3216539100523eaf6e0cdfea1c?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/ae57bc3216539100523eaf6e0cdfea1c?s=96&d=mm&r=g\",\"caption\":\"Justin Bassi\"},\"url\":\"https:\/\/www.aspistrategist.ru\/author\/justin-bassi\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Cyber security means sticking with trusted, not any, providers | The Strategist","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.aspistrategist.ru\/cyber-security-means-sticking-with-trusted-not-any-providers\/","og_locale":"en_US","og_type":"article","og_title":"Cyber security means sticking with trusted, not any, providers | The Strategist","og_description":"The Crowdstrike software outage disrupted airlines, banks, supermarkets and other major services\u2014causing significant inconvenience for millions of people worldwide.\u202f\u00a0 It has prompted many to marvel that so many global operations and organisations rely on so ...","og_url":"https:\/\/www.aspistrategist.ru\/cyber-security-means-sticking-with-trusted-not-any-providers\/","og_site_name":"The Strategist","article_publisher":"https:\/\/www.facebook.com\/ASPI.org","article_published_time":"2024-07-22T20:00:28+00:00","article_modified_time":"2024-07-22T13:54:05+00:00","og_image":[{"width":1024,"height":683,"url":"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2024\/07\/GettyImages-2162103744.jpg","type":"image\/jpeg"}],"author":"Justin Bassi","twitter_card":"summary_large_image","twitter_creator":"@ASPI_org","twitter_site":"@ASPI_org","twitter_misc":{"Written by":"Justin Bassi","Est. reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebSite","@id":"https:\/\/www.aspistrategist.ru\/#website","url":"https:\/\/www.aspistrategist.ru\/","name":"The Strategist","description":"ASPI's analysis and commentary site","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.aspistrategist.ru\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-AU"},{"@type":"ImageObject","inLanguage":"en-AU","@id":"https:\/\/www.aspistrategist.ru\/cyber-security-means-sticking-with-trusted-not-any-providers\/#primaryimage","url":"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2024\/07\/GettyImages-2162103744.jpg","contentUrl":"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2024\/07\/GettyImages-2162103744.jpg","width":1024,"height":683,"caption":"PARAGUAY - 2024\/07\/19: In this photo illustration, the CrowdStrike Holdings, Inc. logo is displayed on a smartphone screen. (Photo Illustration by Jaque Silva\/SOPA Images\/LightRocket via Getty Images)"},{"@type":"WebPage","@id":"https:\/\/www.aspistrategist.ru\/cyber-security-means-sticking-with-trusted-not-any-providers\/","url":"https:\/\/www.aspistrategist.ru\/cyber-security-means-sticking-with-trusted-not-any-providers\/","name":"Cyber security means sticking with trusted, not any, providers | The Strategist","isPartOf":{"@id":"https:\/\/www.aspistrategist.ru\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.aspistrategist.ru\/cyber-security-means-sticking-with-trusted-not-any-providers\/#primaryimage"},"datePublished":"2024-07-22T20:00:28+00:00","dateModified":"2024-07-22T13:54:05+00:00","author":{"@id":"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/5e2d55ef0c16714833ccf2506197d321"},"breadcrumb":{"@id":"https:\/\/www.aspistrategist.ru\/cyber-security-means-sticking-with-trusted-not-any-providers\/#breadcrumb"},"inLanguage":"en-AU","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.aspistrategist.ru\/cyber-security-means-sticking-with-trusted-not-any-providers\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.aspistrategist.ru\/cyber-security-means-sticking-with-trusted-not-any-providers\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.aspistrategist.ru\/"},{"@type":"ListItem","position":2,"name":"Cyber security means sticking with trusted, not any, providers"}]},{"@type":"Person","@id":"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/5e2d55ef0c16714833ccf2506197d321","name":"Justin Bassi","image":{"@type":"ImageObject","inLanguage":"en-AU","@id":"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/ae57bc3216539100523eaf6e0cdfea1c?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/ae57bc3216539100523eaf6e0cdfea1c?s=96&d=mm&r=g","caption":"Justin Bassi"},"url":"https:\/\/www.aspistrategist.ru\/author\/justin-bassi\/"}]}},"_links":{"self":[{"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/posts\/87973"}],"collection":[{"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/users\/1559"}],"replies":[{"embeddable":true,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/comments?post=87973"}],"version-history":[{"count":3,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/posts\/87973\/revisions"}],"predecessor-version":[{"id":87978,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/posts\/87973\/revisions\/87978"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/media\/87975"}],"wp:attachment":[{"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/media?parent=87973"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/categories?post=87973"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/tags?post=87973"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}