Reflecting on this morning’s computer problems that grounded flights on United, halted trading on the NYSE, and took The Wall Street Journal website offline for a short period, cybersecurity experts commented :
Jonathan Sander, Strategy & Research Officer at STEALTHbits Technologies (www.stealthbits.com):
“United Airlines and NYSE both made strong statements via Twitter that their outages were not security related. There’s no reason to doubt them. But what does it say that this is the first thing everyone assumes? If you went to a clothing store on Main Street and there was a “we’ll be back” later sign in the window, would you assume a thief had broken in? It’s very clear that the good guys are not winning the PR battle in the digital security world. We all assume the bad guys can take down any sized company at any time.”
Tim Erlin, Director of IT Security and Risk Strategy at Tripwire (www.tripwire.com):
“There is virtually no part of our global economy that isn’t dependent on interconnected technology today, and the level of interdependence continues to increase steadily. That means that any failure, malicious or not, has the potential to create economic repercussions.
There are many layers of technology between the consumer and the services we depend on, from the individual smartphone that you use to access a service, to the vendor who provides the networking equipment used by the telecommunications company to provide connectivity to the company providing the service. The level of complexity can be staggering, and this means an error made by a developer half-way around the world somewhere in the supply chain of a service can impact the operations of major businesses like United.
Collectively our goal should not be to eliminate errors, instead we should focus on providing resiliency in the face of known instability.
From a cybersecurity perspective, the obvious disruptions to service might not be what we need to worry about. Instead, we should be detecting the nearly invisible infiltration of valuable systems.”
Igor Baikalov, Chief Scientist at Securonix (www.securonix.com):
“If the DHS and FBI are correct in ruling out a cyber attack as a cause of outages at United Airlines, NYSE, and WSJ – all happening this morning in the span of a few hours – and it’s not an aftershock of the recently concluded “Cyber Guard” war games, then our technological foundation is in a really bad shape. It’s our critical infrastructure we’re talking about! To have vital transportation, financial, and media companies, that are heavily dependent on technology, experience disrupting “glitches” in their busiest hours is something that only global war game scenario can envision. It’s just not something that one plans for in real life.
What every enterprise should plan for is business continuity and disaster recovery – remember “A” in CIA (Confidentiality, Integrity and Availability) attributes of Information Security? The problem is that High Availability (minimum downtime) and especially Fault Tolerance (no single point of failure) is very expensive, and for as long as the cost of implementation exceeds the cost of outage, businesses are not going to do it. Something has to be said on the maturity of change management processes too: it’s not the first rodeo for NYSE, and why there were no staged rollout and rollback plans in place is hard to comprehend. Was it really that much cheaper to deploy system-wide changes right before the opening bell, and bring the whole thing down, than to execute a careful deployment overnight, with sufficient time for testing and reversing the changes if needed?
I mean, these are serious companies with smart people doing expensive stuff – it’s not some low-life “Internet of Things” – how could the basic principles of Information Security be so ignored? Perhaps, I stick with the conspiracy theory of nation-state retaliation for the market crash, or alien invasion.”
Pierluigi Stella, Chief Technology Officer of Network Box USA (www.networkboxusa.com):
“These 2 stories (UA and NYSE) do not seem immediately related to hacking as I’d previously thought; although if a hacker wanted to disrupt operations, this would’ve been a good way to do it. The general issue here is, we depend so much on technology that when something malfunctions the effects cascade broadly and affect large numbers of people.
The reports seem to point to a router issue.
A router is a device that operates like an intersection, deciding where traffic goes based on multiple parameters. If a router’s configuration is incorrect, you get a traffic jam, computers can’t talk to each other, and things stop working. A website would typically talk to a database server; if the router breaks and the two can’t talk, when you try to check in, the server can’t find your information, and you end up grounded.
Now, in a case like this, I’d assume there are multiple redundancies to avoid interruptions of such critical functions. Meaning, you don’t install only 1 router at every intersection; you use at least 2, with mirrored configurations, so if one breaks, you can replace it without anyone even noticing.
I’m afraid the only reason why such a disruption might happen (that I can think of) would be human error – someone, somewhere made a mistake and broke the configuration of the router – or so it’d appear. Therefore, the issue isn’t really our dependency on technology, but rather, our dependency on those who maintain and configure said technology.
The internet is so interconnected that a small error in one place can rapidly bring many other things to a screeching halt.
In 2005, someone in the Czech Republic made a small mistake on a router and took down half the internet for several hours. Yes, we are _that_ interconnected. In this morning’s case, the issue affected only United, so it was an internal router; but it still demonstrates the fact that technology needs to be operated with caution, and that, ultimately, the human element is always the weakest link. No matter how many redundancies you set in place and how much money you invest, if someone makes a mistake in a configuration, you end up with some serious problems.
I don’t know at this point what happened at NYSE, but there too, I’m fairly certain, there are plenty of redundancies so that if a computer breaks, you have at the very least, 2 more doing the same work. Certain major disruptions don’t happen because a disk broke in an organization of this scale; they happen because someone made a mistake.
So please, let’s not blame technology. Yes, we do depend on it, but that isn’t going to change. In fact, it’s only going to be more and more so. And the more we depend on it, the less these issues happen because technology on its own doesn’t make mistakes and can be set to be redundant (alright, technology sometimes does make mistakes, but they can always be traced back to the human who configured or built them!) to avoid issues when something breaks.
Humans make mistakes ergo it’s the human element which needs to be vetted the most in this dependence of our world upon technology.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.