
The CrowdStrike outage shook the internet. Get ready for the aftershocks

The update outage affected 8.5 million devices, sparking chaos and new cybersecurity threats as scammers exploit the disruption.
By Byron Holland
President and CEO

On July 19th, 8.5 million devices buckled under a faulty software update issued by cybersecurity provider CrowdStrike—many bearing the dreaded ‘blue screen of death.’ The internet shook as flights were grounded, surgeries were cancelled and payment systems malfunctioned around the world. For Canadians delayed in airports or hospital waiting rooms, the experience may have reminded them of the 2022 Rogers outage.

Thankfully, a fix was issued quickly, and IT professionals were able to contain the magnitude of the incident in relatively short order—but organizations need to prepare for the aftershocks driven by cybercriminals seeking to take advantage of the chaos.

While the outage made CrowdStrike a household name overnight, many people had never heard of it before. This sudden infamy, without much understanding of what the company (or its service) does, has made it easier for scammers to trick people.

Unfortunately, hackers never let a crisis go to waste, and we’re already seeing targeted, sophisticated campaigns preying on the outage. Criminals have developed convincing (but fake) websites masquerading as CrowdStrike and pretending to offer support or compensation for the disruption. They’re also impersonating CrowdStrike employees and contacting users by phone and email to trick them and gain remote access to sensitive information.

In a scenario like this, users may feel compelled to disclose personal information such as their username and password to somebody they believe is working in their best interest but is actually a scammer.

Once they obtain it, bad actors can use our information in a range of ways. In a corporate context, they could steal sensitive customer data and hold it for ransom, exfiltrate business plans, or sell your information on the dark web to other criminals.

In the cybersecurity domain, these are typically described as ‘social engineering campaigns’—hacker trickery that relies on human interaction to deceive people into handing over confidential information.

Unfortunately, organizations will also have to watch out for a range of technical threats that involve direct attacks on the systems and networks affected by the outage.

For example, cyber criminals are capitalizing on the crisis to infect affected devices with malicious software, or malware. Threat actors have begun circulating a misleadingly named file that purports to provide a fix to the issue. Unfortunately, it contains a remote access trojan—a type of malware that can secretly access a device without the user detecting it—that allows bad guys to surveil the device, steal your data and wreak havoc on your networks down the road.

Given the costs of a cyberattack, the aftershocks from the CrowdStrike disruption could be worse than the incident itself. Between legal fees, customer support, crisis management and recovery factors, the average cost of a data breach in Canada is $6.32 million. This is just the tip of the iceberg. Experiencing a cyberattack can also be a big hit to an organization’s reputation—negative publicity and backlash on social media can be very challenging to counter, and if consumers have doubts about an organization’s ability to deliver services or safeguard their information, they may be inclined to take their business elsewhere.

Over the coming weeks, organizations and their staff will need to be vigilant. Now is a good time for organizations that were directly affected to have their staff take cybersecurity awareness training refresher courses. An informed workforce is an organization’s best defence against cyber threats. The cost of implementing cybersecurity protections and training is far less than the cost of recovering from an attack.

If there’s any silver lining, it’s that we’re having important conversations about how to best strengthen our cyber defences. Several organizations publicly shared that their operations were affected by the CrowdStrike outage. While naming security vendors could potentially attract the attention of cybercriminals, sharing that your organization has been affected is a responsible move.

Transparency is powerful and important, and uncommon in the cybersecurity domain, which has historically favoured security through obscurity. Incidents like this drive collective learning, and help customers and partners understand what they need to do to protect themselves moving forward.

Organizations affected by the CrowdStrike outage need to stay vigilant. While it may seem that the worst is over, we may continue to feel the ground rumble for some time. This is a teachable moment for all of us in the industry, and a reminder that it’s not a question of if one of us will be taken out by a cyber incident, but likely when.

About the author
Byron Holland

Byron Holland (MBA, ICD.D) is the president and CEO of the Canadian Internet Registration Authority (CIRA), the national not-for-profit best known for managing the .CA domain and developing new cybersecurity, DNS, and registry services.

Byron is an expert in internet governance and a seasoned entrepreneur. Under Byron’s leadership, CIRA has become one of the leading ccTLDs in the world, with over 3 million domains under management. Over the past decade, he has represented CIRA internationally and held numerous leadership positions within ICANN. He currently sits on the Board of Directors for TORIX, and is a member of the nominations committee for ARIN. He lives in Ottawa with his wife, two sons, and their Australian shepherd, Marley.

The views expressed in this blog are Byron’s opinions on internet-related issues, and are not necessarily those of the organization.
