This is a transcript of the GRIP podcast episode "Alice Wallbank from Shoosmiths on data privacy and cyber security issues", a discussion between GRIP’s commissioning editor Jean Hurley and Alice Wallbank of Shoosmiths.
[INTRO]
Jean Hurley: Hello listeners. I’m Jean Hurley, commissioning editor at GRIP. Today on the GRIP podcast, we are joined by Alice Wallbank of Shoosmiths.
We are here to discuss cybersecurity in the context of major global incidents, including the CrowdStrike outage and the infamous Ashley Madison Affair. Welcome, Alice. I’m delighted you could join us. Please introduce yourself and give our listeners a brief overview of what you do and your expertise.
Alice Wallbank: Thanks very much, Jean. I’m delighted to be here. My name is Alice. I’m in the privacy and data team at Shoosmiths, which is a UK law firm. I’ve been a lawyer for many, many years, but I’ve spent the last eight years, I would say, specialising in cyber and data law. As part of my job, I do a lot of horizon scanning and thinking about data and digital markets globally. And it’s a really exciting part of my job.
Jean Hurley: Excellent. Thank you. So, shall we start with CrowdStrike? Can you briefly give us an overview of what the company does?
Alice Wallbank: Sure. It’s a provider of cybersecurity software and systems. It’s been around for some time. It was founded in 2011. It’s a US company based in Texas. And it’s a pretty well-known brand. It’s a trusted brand for cybersecurity, I would say.
And in certain markets, in particular in endpoint security, which is the security of devices, if you like, that’s laptops and phones and so on, it has a pretty big market share, up to 25% in some markets. So, quite a big player.
Jean Hurley: So, how dependent would you say companies are on CrowdStrike and other similar cybersecurity providers?
Alice Wallbank: Well, of course, I mean, the first thing to say is that cybersecurity covers a lot of individual services and it depends what aspect of cybersecurity you’re talking about. There is threat intelligence, endpoint security, we’ve just talked about, authentication systems, incident response, and so on and so on.
For individual companies using a service of the type that CrowdStrike provides, I mean, potentially, they are very dependent on them. But kind of looking from a bigger perspective at the market as a whole, I would say it’s a pretty competitive market. I mean, for example, in endpoint security, which is probably their biggest market, there are five or six big household name players who they are in competition with. So, it is a reasonably competitive market.
Another important aspect of this is that CrowdStrike is a business to business service. So, it does not do business to consumer security, if you like, which is why my laptop and your laptop didn’t suddenly fade on July the 19th. But that was an interesting aspect of why this was a particularly disruptive incident.
Jean Hurley: Thank you. So, if we go back to July 19th, when did you first become aware of the outage?
Alice Wallbank: Well, luckily for me, it was a day I was working at home. So, I wasn’t stuck in the airport waiting room, as some other people were. And I watched it unfold as the day progressed and as the next day progressed, of course. But I was lucky enough not to be personally affected.
Jean Hurley: And can I ask you to explain what actually went wrong?
Alice Wallbank: The million dollar question. They rolled out an update, which had not been properly tested, is the short answer.
Two parts of the mistake, I think we could possibly say, depending on obviously what transpires ultimately. But it looks as if there were two parts of the problem. There was an error in the coding, if you like, which interfered with Windows machines. That’s number one.
Number two, they had done some pre-release testing of it, which is obviously where you test whether or not it’s going to interfere with other systems. And there was a bit too much reliance, it seems, on previous tests in order to do the pre-validation testing. In other words, the testing procedure wasn’t rigorous enough. And that caused what everyone was calling the blue screen of death.
The screen that says nothing’s happening here because the interference meant that the machines needed to reboot, which had to be done manually. And of course, because it was business to business, it wasn’t like I could reboot, you could reboot.
There were individual people in charge of a lot of these systems. Also it was compounded by the fact that sometimes the codes needed to reboot were themselves locked into systems that needed rebooting. So you get this kind of domino effect.
Jean Hurley: So is it fair to CrowdStrike for us to say that, what they were doing was really in step with normal procedures, or were they missing completely this time?
Alice Wallbank: I mean, gosh, I’m not a cybersecurity technician. So I’m just relying on the reports of this. But it seems to me that actually, basically, this was normal practice.
There were mistakes made. But gosh, we live in a world where businesses are going to make mistakes. That happens all the time. I think what was unusual here was the extent of the fallout happened from it.
Jean Hurley: The other thing I was reading is, you know, perhaps there should have been a phased rollout, which I know some companies will do when they introduce new software.
Alice Wallbank: Yeah, they faced a lot for not doing a phased rollout. But I think they’re caught in a bit of a catch 22 here. Because of course, as soon as you do a phased rollout, what you’re doing is you’re highlighting a potential problem, and only giving a subset of the recipients the solution. So that in itself is a bit of a difficulty.
And so there are reasons why sometimes you don’t do a phased rollout, because it’s exposing the flaws before you’ve got a fix. So I have some sympathy for them.
Jean Hurley: So now we know what happened. Looking back, I mean, how huge was it really?
Alice Wallbank: It’s been called the biggest outage ever. I think, I mean, the biggest, I guess, individual impact probably was on flights, particularly in the US. I think there were 5,000 flights grounded globally, of which 4,000 or so were in the US, and 40,000 flights delayed as a result of this, which, you know, has a lot of knock-on impact and it is a sort of big ticket bit of disruption.
And there was all sorts of other things going off. There was stuff going on with healthcare systems in the UK and the US. There was some disruption to electronic payment systems.
Certain services could only accept cash for a while. I think the London taxi drivers could only do this. There was some visibility for broadcasters because it disrupted some information systems. So we had Sky News and ABC having to, you know, use pen and paper and all that sort of stuff. The information systems on the London Stock Exchange went down, which is, of course, alarming, even though the sort of underlying systems are fine.
And there were various other, you know, transport, retail closures and so on. What I would say is, individually, none of these were cataclysmic, I think, but we were at the real risk of reaching a sort of tipping point, a sort of panic tipping point when there’s enough going on, even if individually these things are containable and are not huge.
There’s kind of that feeling of, oh my goodness, what is this? Has the world come to an end? And I think that was the danger here.
Jean Hurley: Yeah, absolutely. I mean, like many people when I heard about it, I thought, oh my gosh, is it some cyberattack from an unfriendly government? I mean, do we get many of those?
Alice Wallbank: Loads and loads. And I think that was everybody’s first response. Oh, of course, this must be some sort of malicious attack. Which often come, of course, in tandem with ransomware. And the company was very, very quick to say, no, this is not a cyberattack. This is nothing to do with ransomware.
There are lots and lots of recent examples. Ironically, they are tracked by companies like CrowdStrike, who will, you know, give you as much detail as you want on exactly what’s going on. And in fact, there are some really interesting websites you can see where you can see world outages, you can see big attacks and so on, almost in real time.
There’s a couple of interesting things to look at. I mean, if people are interested in stuff, there’s lots of surveys of cyber security breaches. A couple of particularly interesting things recently, we’ve had the government’s cyber security breaches survey from earlier this year, which has a lot of sort of detail about the sorts of things that are going on. Phishing attacks, obviously, are by far the most common attack. Ransomware attacks, much less common, but very, very impactful, if you like, in response.
There’s also a thing called the JCNSS, that is the Joint Committee on the National Security Strategy, report which is called “A hostage to fortune”. It’s a UK parliamentary report all about ransomware, which is some pretty exciting reading, if you want to be, you know, a little bit worried late at night.
Jean Hurley: Would you say that CrowdStrike was actually in breach of regulation?
Alice Wallbank: Yeah, that’s a really interesting question. I mean, when we’re talking about in breach of regulation, just to be clear, I guess we’re talking about those rules that might put fines in place, regardless of any sort of contract breach or anything like that. I’m not here to say that there are no specific sectoral or jurisdictional rules around the world that they may have been in breach of. They may have been. But there is no big obvious contender for me at the moment as we speak.
The most obvious contender, certainly from a European and UK perspective, which there has been quite a bit of commentary on, is about the GDPR, the General Data Protection Regulation, you know, which is the foundational data protection piece of legislation. And whether or not this type of outage would constitute an infringement of that, which obviously can lead to fines and so on.
A lot of argument. It all comes down to what you think about the wording of Article 32, if you want to know. So it’s quite a technical thing. I would say not only is it technical, there’s also lots of problems of causation and so on linked to it. So I would say at the moment, probably not.
Jean Hurley: So could you give some examples of other major outages that have taken place?
Alice Wallbank: Well, there have been lots and lots and lots. And as I say, you can track them. I mean, there have been some pretty high profile ones on social media, for example, we had on Super Tuesday, which is a key sort of election date in the US in March. We had a big social media outage and there was a lot of sort of chat and, you know, worries about, oh, gosh, is this politically motivated in some way? And there was a follow up one in April, which was another one that attacked media platforms or that affected social media platforms, I should say.
We’ve also had search services and messaging services and AI services attacked this year. So, a lot of outages.
And it’s one really interesting aspect of this is that you and I may think, well, you know, does it matter if I can’t send pictures of my marvellous holiday to you on WhatsApp straight away? You know, what’s the harm? But of course, that’s forgetting that in some markets, these messaging services are economically very, very significant. I mean, if we look at India, for example, and we see that WhatsApp and other messaging services, but particularly WhatsApp are used for shopping, for banking, for accessing medical records, for marketing and so on. There’s a whole ecosystem attached to them. So these outages can be really significant.
Jean Hurley: So switching topics slightly. Another famous incident was the Ashley Madison data breach. Now you wrote about this for GRIP. It would be great if you could tell our listeners about the case.
Alice Wallbank: Sure, yeah. It was inspired by this recent Netflix documentary about reminding us all of the Ashley Madison breach.
Just to remind everyone, Ashley Madison was a Canadian website that was a dating website whose USP was that it was for married people who wanted to have a secret affair, basically. And so it contained the information of 36 million people at the time, this was in 2015, who had decided that they wanted a secret affair. So you can imagine how sensitive that data was. There was a massive dump of encrypted data onto the open web. Again, it looks as if it was not really a ransomware attack.
There’s a lot of theory and conspiracy theory about quite what caused it. But the effect was that this information was dumped, which of course was, you know, first of all, we should say it was personally devastating for many people. But also, from our point of view, it was, I would say, the first really headline news cybersecurity incident that we had in the world, when everyone suddenly said, oh gosh, wow, cybersecurity, that’s the thing. So hugely culturally important, if you like.
Jean Hurley: Yeah, I think people certainly started to think about giving their personal information away so readily. And I remember the tagline actually was quite funny. I just had to look it up. It was “monogamy is monotony”. So, have an affair. Amazing.
So do you think a similar breach could happen again? And have we come a long way since 2015?
Alice Wallbank: That’s a very good question. And one that I really in this article, from my point of view, and I think there are certain aspects certainly where we have come a long way. One of the aspects is around cyber resiliency and reporting rules, which are better developed than they were at the time.
And of course, the underlying technologies have changed massively. And we have all the, you know, the input from AI for good and bad, which has completely changed or is completely transforming the world of cybersecurity in some senses.
However, fundamentally, I would say there’s plenty that hasn’t changed. To take just one example of the many in the article, let’s think about default passwords. Or password security generally. One of the reasons that all this encrypted data could be decrypted so quickly, within days of this stuff landing, was the fact that default passwords or very insecure passwords had not been managed and changed properly on the website, which meant that the decryption was very, very much quicker and easier.
Gosh, let’s roll forward to 2023. The UK is putting in place legislation about connected products. And what it’s saying is, we don’t trust members of the public to change the default password settings on connected products that we buy. We’re going to make manufacturers do it because you lot can’t do it. So here we are all these years later, still encountering the same problem. NIST, the US standards agency, has just changed its guidance again, or is in the process of doing that on passwords because it’s such a hot topic.
And it’s one of those fundamental problems that doesn’t really go away. I mean, remember what I was saying about the domino effect in CrowdStrike, that part of the problem was that people couldn’t access the information they needed in order to access the reboot.
It’s that fundamental problem that you need to keep things simple for users and difficult for everyone else, which is a kind of a paradox that will always be with us, I think.
Jean Hurley: So when we think about large tech companies, I’ve heard of Meta and Facebook, but until the outage, I hadn’t heard of CrowdStrike. I was wondering how many big companies are there that can actually disrupt our daily way of life, would you say?
Alice Wallbank: In a word, plenty. But actually, you raised a really interesting point. For me, thinking about CrowdStrike, it’s not really about CrowdStrike. What this is about is about Windows. Because let’s remember that the CrowdStrike problem did not affect non-Windows machines. So machines running on Linux, MacOS, all the machines in Russia were unaffected because they don’t use Windows.
So really, actually, it depends. It’s a problem because there’s an ecosystem here that has a number of massive concentrations, massive dominant players somewhere along the supply chain, if you like. And it is really interesting to see. I mean, action in this area has ramped up massively over the past two, three, four years in the EU, in the US.
What I’m talking about is trying to control digital markets via competition law, which is, of course, all about trying to make sure that the market is working fairly. So it’s coming at it from a different aspect, if you like. It’s trying to create consumer trading fairness. But it’s also a very useful tool for trying to improve cyber security indirectly, if you like, by ensuring that we don’t have these massive concentrations. So as I said, I mean, there’s some massive cases going through at the moment. We’ve got a couple of enormous ones in the US with Google, antitrust cases, as they call them.
We’ve got several in the EU. And in fact, only earlier this week or last week, I think it was, Google managed to overturn part of a huge competition decision that’s going on in the EU. But nevertheless, there’s a whole mass of these going on.
We’ve got new laws trying to address the problem. We’ve got the Digital Markets Act in the EU. We’ve got something similar in the UK called the Digital Markets, Competition and Consumers Act, which will enable the competition regulator to identify what it calls companies with strategic market status in digital markets.
India is doing a similar sort of thing. And so we see regulators beginning to try and get a grip on the effect of this, of having very, very dominant players in the digital market.
Jean Hurley: So we discussed how reliant businesses are on just a few large digital companies. But what can happen when there is a problem? How do firms and individuals get redress?
Alice Wallbank: That’s a big question. When we’re thinking about firms, I think the starting point is contract terms, if there is a contractual relationship.
And there’s a lot of this chat at the moment about whether, for example, the exclusions of liability that CrowdStrike had in its contracts will affect claims for compensation under contract. And it’s a bit of a wake up call for tech lawyers, I think, who over the past 10 years or so have got quite used to signing off contracts with these vast exclusions of liability, which have come over from the US basically, all in capital letters in a box saying, you know, we ain’t giving you anything. You know, there can be a point where actually that does matter. And this is a brilliant illustration of it. So that is contract terms for companies.
The other aspect of this is, of course, insurance. Is there cyber insurance in play? And I mean, just harking back to that government survey I mentioned earlier that says that even amongst large companies, only 54% of them reported having any cyber insurance at all.
And of course, remember that that insurance may not cover all risks. It may have massive excesses, hidden conditions and all the rest of it. So this is a potential problem. And there are discussions in various jurisdictions about whether or not there should be some reinsurance model in place for cyber risks. So something like Flood Re for flooded properties. Some of these risks are just too big for the insurance market to bear itself because they’re so potentially catastrophic.
So that’s from a company point of view. I mean, for individuals, again, we’re looking at contract terms. Again, we’re looking at exclusions of liability. As a general rule, consumers will be better protected from that by consumer law. You know, it’s much harder for a company to say, well, I’m going to sell you this thing, but I’m not going to take any liability for it when you’re selling to an individual.
Interestingly, coming down the track. It’s not there yet, but we’ve got a new product liability directive in Europe coming down the tracks, which will include possible claims for loss of data which will include losses related to the use of software and digital services related to software. So that is coming down the track, but it’s not in place yet.
As we discovered under the GDPR, as far as personal data is concerned, these claims are problematic. We don’t really have a class actions system properly up and running in Europe or the UK yet. In the US, the picture is rather different. I think there are potentially more claims possible in the US, partly because the US model basically is to let the disaster happen and then regulate the market via class actions. Whereas the European/UK model basically is that you regulate in advance, if you like.
Jean Hurley: So how resilient would you say is the digital world? And are we really safe from cyberattacks? I mean, I’m thinking particularly of energy companies and financial services.
Alice Wallbank: Well, I mentioned earlier that JCNSS report, if you want to be kept up at night. I’ll just give you one quote from it, which will give you a flavour. “There is a high risk that the government will face a catastrophic ransomware attack at any moment.” There you go. And then it goes on and on and on and on. That there would be severe damage to the economy and everyday life, that large swathes of critical national infrastructure remain vulnerable. I could go on and on.
Yes, I think there is considerable concern about the situation we’re in. We talked earlier about attacks from governments. That report identifies Russia as the biggest player. Russian-speaking people. Although there are also concerns about North Korea, about China and about Iran. Together, those four territories are also identified under US national security laws as being the four places of concern.
You talked about the energy and financial services sectors. I mean, yes, energy infrastructure. We’ve seen some really interesting cyberattacks over the past few years. We had one on an oil pipeline in 2021, which caused flights to be grounded and all sorts of things in 17 US states. We’ve had attacks on water companies. There was one in the UK in 2022 where the attacker claimed to have seized control of the water treatment plant, which of course has devastating implications for mass infection of people and so on.
Financial services. Financial services is a little bit interesting. It’s a little bit of an outlier in the sense that it has benefited, I would say, from earlier and stronger regulation generally, particularly on cyber standards and reporting. But certainly, no need for complacency. I mean, the IMF only earlier this year said cyberattacks were a serious threat to global financial stability. It’s perfectly clear why that would be. And there are high street banks attacked. There was one in May this year. The other thing to say about financial services, which is interesting, is about cryptocurrency because of course, cryptocurrency is a major enabler of ransomware generally.
So there’s a bit of a complicated interplay in financial services going on.
Jean Hurley: So if you said, you know, the devastating effects you can get from cyberattacks, how do we regulate for this? Is there anything in place? So anything, any plans?
Alice Wallbank: There most certainly are. There’s an enormous body of law, which I think is becoming known as cyber resiliency, which is all directed at trying to pick apart and prevent these kinds of issues from getting out of hand. How do they help? They help by, for example, imposing mandatory reporting, because one of the problems is that for obvious reasons, commercial companies can be very reluctant to report these things.
And so a lot of these pieces of legislation include mandatory reporting requirements. They include mandatory risk assessment, mandatory cybersecurity standards, mandatory audit, often external audit. And all aimed at preventing this kind of single point of failure catastrophe.
To be a bit more specific, we’ve got in Europe the things called NIS, that’s the Network and Information Security rules. They’ve been in place for some time and the UK is part of that. That was pre-Brexit. They’ve just been updated in the EU under something called NIS2. That’s due to come into Member State Law this month. And this is a framework for cyber resilience in critical infrastructure, basically. So we’re talking utilities, transport, food, energy, all the rest of it.
And it includes an expansion to cover managed security services providers, which is what we’re talking about. The UK is no longer bound by NIS2 post-Brexit, but in the King’s Speech, it sounds as if the government is basically going to bring in something like an equivalent of NIS2 for the UK. It’s just announced that data centres are going to be critical national infrastructure. Again, another recognition that this is all very, very important.
When it comes to financial services, of course, a little step ahead, as I said, we’ve got DORA, which I’m sure lots of people will have heard of. That’s in effect from January next year. We’ve got something sort of similar in the UK. That’s FSMA, the Financial Services and Markets Act 2023, which has been passed, and the details of that are in consultation at the moment. In the US, we’ve got increased reporting requirements coming through the Securities and Exchange Commission. We’ve got plans to update rules on critical infrastructure all along NIST lines. So you can see there is a whole host of stuff which is coming down the track. And so I suspect that the picture may be somewhat different in two, three, four years’ time.
Jean Hurley: Thank you. So that ties into my final question. So looking to the future, do you think we will become more resilient as cybersecurity improves? Or do you think perhaps we’ll become more vulnerable as more of our lives take place online?
Alice Wallbank: Both of those things. Both of those things. It’s an arms race, isn’t it, really? As new technology develops, those tools are available to the goodies and the baddies, if you like, to put it simply. We’ve seen that in AI. And it will continue to be so. So I don’t think us sitting and talking and thinking about this stuff is going anywhere.
Jean Hurley: Alice, it’s been great having you on the GRIP podcast. Thank you for your time and sharing your insight on cybersecurity, data breaches and cyber resiliency.
Alice Wallbank: Thank you so much. It’s been great.
Jean Hurley: It’s been really fascinating and we hope to have you back on again soon. And finally, thank you to our listeners. If you’re hearing this, you probably know all about us. But please tell your friends about GRIP. You can find us at grip.globalrelay.com and you can follow us on LinkedIn. Until our next podcast or article, farewell.