News: Should the CSRB take on CrowdStrike?

Monday, July 29, 2024

Should the CSRB take on CrowdStrike?

Jul 29, 2024

Driving the Day

— MC interviewed Cyber Safety Review Board veterans and other cyber experts to see if they would open an investigation into the enormous CrowdStrike outage — and why.

HAPPY MONDAY, and welcome to MORNING CYBERSECURITY! Congress is out, the Olympics are in and spirits are high.

Have any tips or secrets to share with MC? Or thoughts on what we should be covering? Find Joseph on X at @JGedeon1 or email him at jgedeon@politico.com. You can also follow @POLITICOPro and @MorningCybersec on X. Full team contact info is below.

Want to receive this newsletter every weekday? Subscribe to POLITICO Pro. You’ll also receive daily policy news and other intelligence you need to act on the day’s biggest stories.

Pro Briefing: Kamala Harris and the World. What we expect on foreign policy and trade. Join POLITICO Pro for a deep-dive conversation with our specialist reporters about the vice president’s approach to foreign policy. Register Now.

Today's Agenda

It’s Day 4 of the 2024 Olympics in Paris, France.

At the Agencies

CSRB VS. CROWDSTRIKE? — In a little over three years, the Cyber Safety Review Board has proven it has the chops to take on some big issues in security, from vulnerabilities in open source code to the culture of corporate giants like Microsoft. Could CrowdStrike be next?

— Officially, we don’t know: The Department of Homeland Security, which chooses what incidents the after-action review board will investigate, did not respond when asked whether it would open a formal review of the July 19 IT outage, triggered by the cybersecurity giant sending a defective update to Microsoft customers around the world. For its part, a spokesperson for CrowdStrike said it would be “happy to work with them on any inquiry that they may have.”

— Unofficially, many support it: MC spoke with former Cyber Safety Review Board members and other security experts, a majority of whom said they strongly support that idea.

— A clarion call for resilience and accountability: Former National Cyber Director Chris Inglis said he “put[s] the event in the same category as SolarWinds,” the late 2020 Russian hack that is regarded both as one of the U.S.’ worst intelligence failures — and a wake-up call on supply chain security.

Inglis argued the incident carries important lessons about digital resilience and the legal liability of software providers. CrowdStrike’s error grounded thousands of flights, disrupted 911 services and pushed some hospitals to cancel elective medical procedures. It’s still unclear how much of that the security provider will be on the hook for.

“Changes in expectations, accountability, and behavior are needed on all sides,” said Inglis, who served on the board before he resigned from government in February 2023.

— Watching the watchmen: Another former CSRB board member, Katie Moussouris, said she strongly supports a review of CrowdStrike because the firm’s preliminary post-incident analysis revealed there were both “technical bugs” in its software and “process bugs” in the way it tested and rolled it out.

The firm did not test the defective update on simulated Windows computers, for example, and many CrowdStrike customers were surprised at the level of deep access it had to the Microsoft operating system.

“This was a definite risk of how they choose to deploy their tech,” Moussouris said, and the CSRB "could look at what kind of culture the company had, and whether it contributed to this disaster."

— Training ground: Brian Fox, the chief technology officer at supply chain security company Sonatype, echoed Moussouris’ and Inglis’ points on software liability, resilience, and CrowdStrike's technology practices.

But Fox said he thinks the review is a good idea first and foremost because the outage was “the perfect tabletop” for what a major attack from a U.S. adversary would look like — especially one that targets a company so much of the digital economy relies on.

“Identifying ways that we might be able to contain the damage of a malicious attack on a monoculture piece of tool I think is something that would be worthwhile investigating,” he said.

— Not so fast: One cyber expert MC reached out to, Trey Herr, voiced skepticism of such a probe. Herr, who is the senior director of the Atlantic Council’s cyber statecraft initiative, argued that the key issue in the CrowdStrike outage isn’t what happened — but how we got to a place where “8.5 million machines are failing because of a single cause.”

That isn’t something the CSRB is well-positioned to address, said Herr, who has testified before Congress about the board. “There are far more complex failures for the CSRB to work,” he added, citing the recent theft of nearly all of AT&T’s customer records.

— One thing to watch: Several of the CSRB’s members recused themselves from its recent investigation of Microsoft due to conflicts of interest. And that would be an issue again in a CrowdStrike probe, since the deputy chair of the public-private board, Dmitri Alperovitch, was one of the firm's co-founders. Other board members work for CrowdStrike competitors.

The International Scene

FROM PYONGYANG WITH LOVE –- North Korea may be the king of stealing crypto. But the FBI wants America to know that’s hardly the only cyber skullduggery they should be on guard for from Pyongyang.

“You hear more about North Korea’s revenue generation activities, but it’s really important to understand how sophisticated and skilled they are at cyberespionage,” Cynthia Kaiser, the deputy assistant director of the FBI Cyber’s Division, told me in an interview Thursday night.

Kaiser spoke with MC in the aftermath of a multifaceted U.S.-led enforcement action against a prolific North Korean hacking group known as APT45. APT45 specializes in two alarming types of hacking, according to the U.S. government: It extorts hospitals in order to bankroll spying activity against nuclear facilities and other military targets.

— Not out for an extra buck: Some state hackers are known to “moonlight,” using their knowledge of the cyber dark arts to make an extra buck in their free time. But Kaiser said the FBI does not believe that’s what APT41 is doing. “Deploying ransomware feeds the cyberespionage on behalf of the military and nuclear program,” said Kaiser, who called the two activities “symbiotic.”

— Troubling trend: Is North Korea dipping more into ransomware, as some security experts have warned? Kaiser said the DPRK “continues to see crypto heists as bringing in more money,” and ransomware activity from APT41 is more likely just a “diversification” strategy.

— Taking action: The U.S. government unveiled a suite of actions against APT41 Thursday: It ID’d a member of the group in an unsealed indictment, announced the interdiction of more than $100,000 in cryptocurrency and put a multi-million dollar bounty on the indicted hackers’ head, amid other efforts to pass tips to defenders.

“I think that there's a difference in knowing that there's either sanctions out there or charges against you, versus knowing your friends and family could turn you in for $10 million,” Kaiser said.

At the White House

PROOF IN THE PUDDING — While there’s still plenty to learn about the CrowdStrike snafu, the White House has seen enough to distill one broader lesson, according to assistant national cyber director Anjana Rajan.

“I think [the incident] was a reminder that, you know, we have to kind of double-down on our memory safety efforts,” Rajan said in an interview with MC.

— Refresh my memory: The Office of the National Cyber Director has recently promoted the use of coding languages that have in-built guardrails around how programs access computer memory, one of the most common sources of bugs. It believes that a “building-block out approach,” as Rajan described it, is one of the best ways to improve security writ large for Americans.

— Which brings us to: CrowdStrike hinted in its preliminary analysis last week that a similar issue was partially at fault in its outage – something the company confirmed in a statement to MC.

“The kernel-mode parts of CrowdStrike Falcon’s sensor, like other software that runs in the kernel of the Windows operating system, are required to be written in C/C++ language, which does not allow for memory-safe coding,” a spokesperson said in a statement.

— More to come: Rajan artfully dodged questions about whether Crowdstrike should have known better, describing memory-safety problems as “ubiquitous.”

But she did say the incident could have the benefit of “drawing attention” to the problem. She also shared that she is speaking July 31 at the National Academies of Science, Engineering and Medicine and there will be “some big announcements” coming out of it.

The space economy is already woven into our lives in ways we don't always appreciate, creating a global backbone for communications, media, data, science and defense. It's also becoming an increasingly competitive zone among nations - and a venue for complex and important public-private partnerships. Join POLITICO on July 30 for a conversation about what Washington needs to understand is at stake – which sectors of the global economy see their growth arc in space, and what the role of government leaders is in both growing and regulating the explosion of orbital ideas. REGISTER

Election Security

DOUBTER? BECOME A DOER — One of the best ways to convert election skeptics? Invite them to be poll workers.

That’s according to Ben Hovland, a commissioner of the U.S. Election Administration Commission, the federal agency that helps state and county governments run smooth elections.

“We’ve had an increase in skeptics about the election process. And often that’s because people are less familiar with the checks and balances in the election system,” Hovland told me during an interview ahead of the Aug. 1 National Poll Worker Recruitment Day.

Poll workers are America’s frontline election workers — the friendly faces who greet you at your polling station, check you in and steer you to the ballot box. Hovland is encouraging every American to step up this November and volunteer.

Part of his pitch is that having skeptics learn the ins and outs of the election system is one of the best ways to build their trust in it. “Those people often end up being big champions of the process,” he said.

Vulnerabilities

SMS THIEFS — A large-scale malware campaign is stealing one-time passcodes from Android users across the globe, according to new research out this morning from mobile security firm Zimperium.

The sophisticated campaign, as Zimperium describes it, employs deceptive advertisements and fraudulent telegram bots to convince users to download malware that siphons off SMS messages bearing the codes — which are often used to enable two-factor authentication — for over 600 global brands.

Since February of 2022, Zimperium has identified more than 100,000 malware samples on Android users primarily in India and Russia. Zimperium does not hint at who is behind the campaign.

Tweet of the Day

Donald Trump is all in on crypto — and the crypto world reacts.

@joetidy/X

Quick Bytes

VIVE LA FRANCE — France launched a large-scale operation to preempt hackers aiming to exploit the Paris Olympics, writes The Record’s Daryna Antoniuk.

SPYWARE IN EU — A German member of the EU Parliament said his phone was targeted by spyware in May, likely from notorious vendor Candiru, reports The Record’s Suzanne Smalley.

KREMLIN THROWBACK — Rolling Stone’s Adam Rawnsley has a lengthy profile on the CIA analyst who first unraveled the Kremlin’s campaign to influence the 2016 U.S. presidential election through a combination of hacking and influence operations.

Chat soon.

Stay in touch with the whole team: Joseph Gedeon (jgedeon@politico.com); John Sakellariadis (jsakellariadis@politico.com); Maggie Miller (mmiller@politico.com); and Heidi Vogt (hvogt@politico.com).