CrowdStrike Chaos Highlights Key Cyber Vulnerabilities with Software Updates US GAO

US Government Accountability Office

Earlier this month, a software update from the cybersecurity firm CrowdStrike caused Microsoft Windows operating systems to crash, resulting in potentially the largest IT outage in history.

Disruptions were widespread. Around the world, businesses and services were unable to operate as computers crashed, and some critical infrastructure sectors, like transportation, healthcare, and finance, were disrupted. For example, commercial flights were grounded, critical hospital care was interrupted, and financial institutions were unable to service clients.

Here at GAO, we have long highlighted concerns for Congress about IT vulnerabilities, a lack of security awareness, poor cyber hygiene, and a need for more cyber preventative measures to combat disruptions like the CrowdStrike outage. In our prior work, we have identified risks to the nation's critical infrastructure sectors and in the supply chain of software supporting IT systems.

Today's WatchBlog post looks at this work, including our June update to the High Risk List.

So far, what we know about the CrowdStrike crash is that it was caused by human error and not a cyberattack or malicious intent. But the crash highlights the same vulnerabilities we saw during the SolarWinds attack in 2019. Instead of attacking systems directly, malicious actors targeted the software used to support them.

SolarWinds attack. Beginning in September 2019, the Russian Foreign Intelligence Service led a campaign of cyberattacks, breaking into the computing networks of SolarWinds, a Texas-based network management software company. The software was widely used by the federal government to monitor activities and manage devices on federal networks.

Hackers injected trojanized (hidden) code into verified SolarWinds software updates. When SolarWinds released the software updates to its customers, the threat actor gained a backdoor, or remote access, to customers' networks and systems. The attack was discovered more than a year later, in November 2020.

We provide a timeline of these attacks and the response in our April 2021 blog post.

Protecting the software supply chain. As we saw with CrowdStrike and SolarWinds, faulty or manipulated software updates can have cascading, widespread impacts on IT systems.

In our prior work, we've identified 7 practices to manage and protect federal IT against these risks. But when we looked at how agencies (23 of them) implemented these practices, we found that few had. Learn more by listening to our podcast with GAO's Carol Harris about supply chain risks.

Many manufacturers of IT products and services are located overseas, which also creates vulnerabilities for the United States. The federal government needs to take action to better monitor the global supply chain against emerging threats. These threats include those against the Department of Defense, which we reported on in May 2023.

Malicious cyberattacks on the federal government and the nation's critical infrastructures, like that on SolarWinds and others, are growing in number, impact, and sophistication. This issue is so significant that in June we updated our High Risk designation for cybersecurity. This update includes descriptions of the major challenges facing the federal government in its efforts to protect against attacks. Some of these challenges are related to the vulnerabilities seen during the CrowdStrike and SolarWinds software updates and responses.

National Cybersecurity Strategy. Last year, the White House issued a National Cybersecurity Strategy outlining steps the government is taking to address the longstanding cybersecurity challenges facing the country. But when we looked at the strategy, we found it needed outcome-oriented performance measures for its various initiatives.

In addition, the federal government needs to take action to ensure it is monitoring the global supply chain, confirm it has the highly skilled cyber workforce it needs, and address risks associated with emerging technologies, such as artificial intelligence.

We've made nearly 400 recommendations to strengthen the National Cybersecurity Strategy and agencies' ability to perform effective oversight. As of May, 170 of our recommendations have not been acted on.

Critical infrastructure sectors remain vulnerable. Attacks on critical infrastructure sectors continue to grow and could seriously harm human safety, national security, the environment, and the economy. For example, a February attack on Change Healthcare, a health payment processor, resulted in nearly $874 million in financial losses and widespread disruptions for providers and patient care. Healthcare is just one of the 16 critical infrastructure sectors that are vulnerable to cyberattacks. All of these sectors rely heavily on IT systems to operate.

The federal government has taken some steps to address the challenges with protecting these systems from cyberattacks. But we see persistent shortcomings in these efforts. We've made 126 recommendations to better protect the cybersecurity of critical infrastructure. Action is still needed on 64 of them.

Learn more about our work on federal cybersecurity and critical infrastructure protection by reading our June High Risk update report.

GAO's mission is to provide Congress with fact-based, nonpartisan information that can help improve federal government performance and ensure accountability for the benefit of the American people. GAO launched its WatchBlog in January 2014 as part of its continuing effort to reach its audiences, Congress and the American people, where they are currently looking for information.

The blog format allows GAO to provide a little more context about its work than it can offer on its other social media platforms. Posts will tie GAO work to current events and the news, show how GAO's work is affecting agencies or legislation, highlight reports, testimonies, and issue areas where GAO does work, and provide information about GAO itself, among other things.

Please send any feedback on GAO's WatchBlog to blog@gao.gov.