Date: 2024-10-11

Imagine a fortress made of impenetrable material, designed to repel attacks before they even begin. Inside lies valuable treasure: data, trade secrets, the heartbeats of corporations and countries. All guarded by layers of this defence-ware.

One such fortress was CrowdStrike, a company thought of as a titan in the world of cybersecurity. Its systems were considered insurmountable. No matter what the digital world threw at it, the promise was, its walls would hold.

This July, the unthinkable happened. No enemies breached the walls. No hacker found a flaw. Instead, the fortress faltered.

It wasn’t sabotage or cyberwarfare. It was silent failure that crept in, like a shadow in the night. A simple software patch — routine, but essential; built to order but not adequately tested — caused a crash. It was replaced in 90 minutes. But, by then, the damage was done.

The shield splintered. The devastation was swift.

Major clients, dependent on the reliability of CrowdStrike’s protection, were suddenly exposed. Businesses that had placed their faith in the fortress were left vulnerable.

An embarrassing blue screen took over the world.

In what is being called the largest IT outage in history, computers crashed at hospitals and airports, government agencies and banks. Colossal companies were brought to their knees.

Businesses and governments lost an estimated $5 billion in downtime costs.

What really stung was the blow to confidence. Was this a wake-up call?

As the factors behind the failure emerged, the picture became more concerning.

“The reason the crash occurred was because the patch was tested by Artificial Intelligence (AI) and not humans,” says Anuradha Rao, a former deputy managing director and chief digital officer at State Bank of India. “The last quality check must be done by a human. This is because AI has not learnt enough to prevent what may happen in the future. This is one of the pitfalls of technology relying on technology.”

That is a sobering thought: AI can only make assessments based on events of the past; it cannot accurately predict outcomes, even in a near future.

Now for a scary one.

What if the July CrowdStrike crash had been more than a matter of oversight? What if a sophisticated cyberattack took down one such system, or two or three?

Instead of businesses grappling with a disruption, entire industries could be eroded.

In the longer term, what this means is that a simple outage is now an invisible battlefield where the stakes are astronomical, and the consequences, potentially irreversible.

Thoughts such as these keep Huzefa Motiwala and his team awake at night. In cybersecurity, there are three vectors, or pillars, on which digital defence stands: confidentiality, integrity, availability.

When these pillars falter, or fall, it goes beyond computers and becomes about trust.

Speaking from his Mumbai office, Motiwala, a senior director of technical solutions at the California-based cybersecurity company Palo Alto Networks, explains the pillars.

Confidentiality: This is not just about protecting what is sacred: identity, personal information, intellectual property and other data entrusted to a database.

It is about the real and perceived instability — financial, personal, geopolitical — of a post-breach world. Patients’ records exposed; financial institutions with their logs in the hands of cybercriminals; protected scientific, defence and corporate information released.

Lives, reputations, the fabric of a world that is held together a certain way, would be compromised.

It is easy to forget, in our seemingly transparent age, that veils of secrecy and carefully crafted perception have always held rulers, companies and people in place.

It is a key part of why the right to privacy is so deeply enshrined in our laws. It would, quite simply, be chaos — in the Ancient Greek sense of the term — if everyone’s secrets were known.

Integrity: Hackers might not simply steal and trade in information. They could alter it.

The integrity of data is what makes it reliable. A world of unreliable data would be only a shade less chaotic than a world of no data at all.

Everything from stock markets and medical prescriptions to prison systems and air-traffic control would become unnavigable. This, Motiwala says, could be the future of terror.

Lives could be lost, economies shaken, the work of decades derailed.

Availability: Availability of online systems has become so core to the infrastructure of modern life that compromised access can shake trust almost as badly as compromised data. Preventing access alone could cost lives, and billions, and erode trust — which is sort of what happened when CrowdStrike failed.

When seen from this perspective, the fallout of damage to the three pillars wouldn’t just be personal, financial and organisational — it would be existential.

The disruption to our interconnected systems — where everything from banking and healthcare to aviation and public safety depends on digital trust — would be profound.

This is the nightmare scenario cybersecurity experts dread. And the truth is, it isn’t just hackers, failures or malicious actors we need to fear. It is the fragility of our systems.

***

That fragility has worried people like Motiwala for a long while.

When it comes to cyberattacks, companies like his spend millions of dollars and man hours tracking known threats: hacking groups such as Fancy Bear as well as common malware and ransomware. Security systems are taught to recognise their signatures and behaviours. That’s how the fortress repels attacks before they begin.

But… there is always the danger of the unknown. This could be a new type of cyberattack that exploits a vulnerability no one has seen before.

The recent invasion of WazirX, one of India’s major cryptocurrency exchanges, in July, resulted in the loss of about $230 million worth of digital assets, and was likely orchestrated by unknown attackers. Some experts have speculated that North Korean hackers were behind it; but shadowy agents from isolated states are a common bogey, standing in for the more complex realities of the world of digital warfare.

Take a simple example from a long time ago, says Motiwala.

In May 2000, the ILoveYou virus swept the world. Millions of users received, and opened, emails with the subject line “I love you”. The virus contained in these emails activated a script that overwrote files, stole passwords and automatically sent itself to everyone on the recipient’s contact list.

The simplicity of its approach — exploiting the universal emotional appeal of that phrase — made it particularly devastating. The creator of the virus turned out to be a 24-year-old computer-science student from the Philippines.

What has changed in the decades since, Motiwala says, are the stakes.

Each of us holds in our hands the key to multiple linked fortresses: personal, work, banking, e-commerce, gaming… the list goes on.

The “attack surface area”, he points out, has grown so dramatically that, in the battle for digital security, the frontline is everywhere.

So, he must work with his team, all the time, to keep his database updated on known attackers and work to identify unknown threats. In a landscape that is constantly shifting. To place this in perspective, of the 11 billion attacks that occur every day, 2.75 billion are from unknown attackers.

The challenge is to detect and neutralise these attacks before they occur, or in real time, or, in a worst-case scenario, as soon as possible after the damage has begun.

Meanwhile, the enemy is moving fast too.

Rao offers a simple example. Financial fraud has evolved to the point where money stolen is immediately split up across different jurisdictions — because a scammer knows that law enforcement has still not found a way to unite in retaliation.

“The only way effective change can happen is if they come together,” she says.

This is where public policy comes into play, and a conversation has yet to begin here. Domain experts believe this is where actors such as the Reserve Bank of India (RBI) must step in and facilitate evolution and change.

As we discuss all this, somewhere, a hacker is testing cracks in the digital walls, waiting for a fissure to open, a flawed line of code, a forgotten update.

It could be a breach, or a reckoning. It could lead to attacks that come in waves. The question isn’t: Will they come. It’s: How ready will we be when they get here?

(Charles Assisi is co-founder of Founding Fuel and co-author of The Aadhaar Effect)