Jen Easterly, Director of the Cybersecurity and Infrastructure Security Agency (CISA) in the United States, commented on July 20th local time regarding the global large-scale IT failure, stating that the incident was caused by a bug update on Crowdstrike's Falcon platform, which triggered widespread crashes of certain versions of Windows systems worldwide. This is a major event that seriously affects the operation of critical infrastructure worldwide. Although this is not malicious, it is a serious mistake.
Eastley said that the critical infrastructure in the United States is highly digitized, highly interdependent, highly interconnected, and highly fragile, largely due to the fragile software ecosystem that has historically placed less emphasis on security and more emphasis on functionality and speed to market. Ironically, one reason why companies like Crowdstrike and other cybersecurity providers exist is to provide security for software that is full of vulnerabilities.
But Eastley also stated that this is not Microsoft's problem. She said that any company should prioritize significantly reducing the number of defects when designing, testing, and delivering any type of software - defects that may be intentionally exploited by bad actors or inadvertently cause critical global service paralysis. Eastley said that therefore, governments at all levels and critical infrastructure organizations of all sizes must double their efforts to enhance resilience, ensure effective response and rapid recovery capabilities, and minimize disruptions to critical services.