The risks that come from the emerging cyber-energy-production plexus
Professor John Bryson reflects on the CrowdStrike/Windows global IT outage and what this means for the future of our IT systems.
Professor John Bryson reflects on the CrowdStrike/Windows global IT outage and what this means for the future of our IT systems.
"A single update from an anti-virus company based in the US has resulted in global havoc. Today, the world has experienced its first digital pandemic. There will be more such digital pandemics as these emerge from enhanced global economic integration. Global economic integration was also behind the Covid-19 pandemic. Over the last decade, I have argued that we have seen the formation of a cyber-energy-production plexus that is forming around “multiple connections between telecommunications, energy and production networks”. This comes with many advantages, but a plexus is a very complex system. The human body is a plexus which means that any disruption to one part of the body impacts elsewhere. The same holds for the emerging cyber-energy-production plexus. A minor software update can result in a major digital outage that impacts countries, companies and people across the world. The key learning point is the dangers that come from this plexus. Many advantages come from this plexus, but the degree of system integration also leaves all on this planet exposed to unknown disruptions. A core problem is that the plexus is so complex, and the implication is that a failure in one element may have unexpected negative impacts elsewhere. These are complex systems in which failure is never linear. With a linear system, an incident can be directly linked to an impact. With complex systems there might not be a direct linear relationship between an event and its impacts. This means that a problematic software update can have unexpected domino effects across the planet.
An IT disruption of this scale is highly unusual. This is a once-in-a-decade occurrence, or we all hope that it is a once-in-a-decade occurrence. For companies, it highlights the importance of backing up computer systems. But a critical issue is ensuring that there is a backup that is then 'air-gapped’ or isolated from the cyber-energy-production plexus. This means that a company can reset its systems, and its digital information, to the time at which the air-gapped backup was made. Such air-gapped backups should occur throughout the 24-hour day.
This IT failure is not linked to a security failure or cyber-attack but to a problem with a regular cybersecurity software update. Such updates occur all the time as cybersecurity must keep up with those trying to infiltrate our IT systems. The only real issue in terms of financial security is the disruption that comes from finding that online payment services are not operatable for a time. Payments will have been delayed and disrupted. Of course, this level of IT disruption provides an opportunity for cyber criminals to exploit, and this type of exploitation might be occurring now.
For companies and individuals, the key issue is for firms to consider IT system vulnerability and the need for backups. A core issue is the ability of a digitally enabled service function to switch immediately to manual. Thus, all companies should expect and plan for this type of disruption. Staff should be trained to provide a service manually using analogue rather than digital approaches. In other words, there needs to be an ability to provide services using paper rather than digital solutions. The real danger is that we all forget how to live and work in a pre-digital environment. Many have no idea how to work without computers and this makes it very difficult for companies to have paper-based backup systems in place."