Welcome to the CAVEAT Weekly Newsletter, where we break down some of the major developments and happenings occurring worldwide when discussing cybersecurity, privacy, digital surveillance, and technology policy.
At 1,750 words, this briefing is about a 7-minute read.
At a Glance.
- CrowdStrike is seeing increasing pressure in the aftermath of a faulty patch.
- China implements new updates to its state secrets law.
CrowdStrike faulty patch details continue to emerge in wake of global incidents.
The News.
Late last week, an update to CrowdStrike’s widely used Falcon Sensor software caused machines running Microsoft Windows to crash repeatedly and display the infamous “Blue Screen of Death.” Roughly 8.5 million Windows devices were affected, causing significant global outages across a variety of business sectors, including the banking, media, healthcare, and airline industries. While operations in each of these industries have largely resumed, details and updates have continued to emerge as investigations progress and new questions are raised.
While the update was intended to improve the Falcon sensor’s detection capabilities, a faulty file in the update caused one of the most widespread tech outages ever. Reports have since emerged that the update was not thoroughly tested before release. Patrick Wardle, a security researcher, analyzed the update and found that the problem lay in a file containing configuration information or signatures rather than in the sensor’s program code. Wardle commented that the frequency of these update types was “probably the reason why [CrowdStrike] didn’t test it as much.” While it is now clear what caused the crashes, it remains unclear how the faulty content got into the update file.
The Knowledge.
While experts now understand what caused the outage, organizations and governments are still dealing with its fallout. This Monday, the United States (US) House of Representatives Homeland Security Committee sent a letter to CrowdStrike requesting that the company’s CEO, George Kurtz, testify on the outage. In the letter, the Representatives wrote that “while we appreciate CrowdStrike’s response and coordination with stakeholders, we cannot ignore the magnitude of this incident, which some have claimed is the largest IT outage in history.” CrowdStrike has responded that it is actively in contact with the relevant Congressional committees.
However, the US Congress is not the only body responding to the incident. The US Department of Transportation has launched an investigation into Delta Air Lines and its handling of the outage, examining why the airline has struggled to return to normal operating capacity even though the underlying problem has been largely resolved. Additionally, Malaysia’s digital minister stated on Wednesday that he has asked both Microsoft and CrowdStrike to consider compensating companies that suffered losses during the outage. With some estimates putting the cost to Fortune 500 companies alone at over five billion dollars, more lawsuits and investigations will likely be launched over the coming months.
The Impact.
Although the outage has been largely contained and remediated, the fallout from this incident is likely to continue to unfold as investigations proceed and lawsuits are filed. Given the scope of the incident and the number of business sectors affected, the number of impacted individuals and businesses is substantial, and fines and lawsuits are likely to follow. Impacted parties should continue to monitor these events to see whether they are entitled to financial compensation, either from CrowdStrike directly or from a company that was relying on its services.
However, one concern that needs to be addressed in the wake of this incident is the heavy dependence on single vendors and systems. Given that one insufficiently tested update was able to cripple numerous business sectors for days, questions should be asked about how sustainable this model is and what steps or regulations could prevent similar events from occurring again. While this question is large and complex and will not be answered for some time, it is critical to avoid building global networks that rest on single points of failure.
For more information on the CrowdStrike incident, you can look to CyberWire’s additional coverage on the subject below:
- CyberWire CAVEAT Podcast CrowdStrike Coverage
- Understanding the CrowdStrike-induced Microsoft outage: impact, response, and lessons learned.
- CyberWire Daily Podcast CrowdStrike Coverage
China unveils new laws that expand on state secrets and data security.
The News.
On Wednesday, China unveiled new regulations implementing its revised state secrets law, which change how government officials handle confidential information and bar those entrusted with secrets from going abroad without prior approval. The state news agency, Xinhua, quoted officials stating that “with the popularisation of information technology, state secrets have become increasingly digital and networked and the risks of leaks and thefts have become more diverse and hidden.”
More specifically, the new regulations broaden the police’s power to investigate breaches and require private companies to take stronger steps to protect state secrets. They also require every central Communist Party and government unit to set up a secret-keeping office and to draw up its own list of state secrets. Lastly, any staff charged with managing classified information cannot leave the country without prior state approval and must complete confidentiality training. The State Council issued the regulations this past Monday, and they formally take effect in September.
The Knowledge.
With these new regulations, the Chinese Communist Party (CCP) has further expanded its existing powers and requirements for handling sensitive information. For context, the revised state secrets law was passed in early 2024 and officially went into effect on May 1st of this year. The revision broadened the state’s power by allowing its agencies to monitor a private firm’s “work secrets” in addition to state secrets proper. CCP officials justified the expansion by stating that some work secrets were critical to secure because, if leaked, they could cause adverse effects. However, when the law was passed, private businesses expressed concerns about exactly what power the state would have over their operations. At the time, Jens Eskelund, president of the European Union Chamber of Commerce in China, described the concept of “work secrets” as vague and at odds with the CCP’s stated intention of stabilizing foreign investment. Eskelund stated that “if China intends to shore up foreign investor confidence, then the law’s implementing regulations need to clearly define and limit the scope of this term.”
While “work secrets” still has not been further defined, these regulations are likely intended to address some of the law’s earlier vagueness. The CCP is likely using them to spell out its expectations of state agencies that handle sensitive information and to expressly outline the state’s powers when managing secrets.
The Impact.
Although many of these regulations focus on defining how Chinese agencies should handle sensitive information, they are also indicative of a broader pattern within China. As the CCP continues its efforts to secure and monitor sensitive information, businesses already operating in China, or planning to expand there, should be aware of this trend.
While these changes are unlikely to directly affect most businesses currently operating in China, they broaden the state’s powers over secrets and may signal future policy. Businesses working in China or partnered with Chinese firms should understand how these measures are implemented and what information the CCP would be entitled to monitor.
Other Noteworthy Stories.
Schumer to bring kids’ online safety bills to vote.
What: Senate Majority Leader Chuck Schumer plans to bring two bipartisan bills to vote that would aim to boost online safety and privacy for children.
Why: On Tuesday, Senator Schumer announced that he will bring both the Kids Online Safety Act (KOSA) and the Children’s Online Privacy Protection Act (COPPA) 2.0 to the floor for a vote later this week. In making the announcement, Senator Schumer stated that “it has been [a] long and daunting road to get this bill passed, which can change and save lives, but today, we are one monumental step closer to success.” If passed, the bills would then move to the House of Representatives for another vote. The House had scheduled a markup of its own version of KOSA in June, but that markup was canceled and no new date has been announced.
US and European regulators sign joint statement on effective AI competition.
What: Regulators in the US, United Kingdom, and European Union have signed a joint statement to ensure effective competition in the artificial intelligence (AI) industry.
Why: On Tuesday, competition regulators including the European Commission, the UK’s Competition and Markets Authority, the US Department of Justice, and the US Federal Trade Commission signed a statement outlining their intention to implement safeguards against tactics that could undermine fair competition in the industry. In the statement, the signatories said they plan to “work to ensure effective competition and the fair and honest treatment of consumers and businesses.”
Senators express their concerns with OpenAI after the whistleblower complaint.
What: A group of Senators questioned OpenAI’s CEO, Sam Altman, about the company’s commitment to safety and its treatment of employees after whistleblowers filed a complaint against the company.
Why: On Monday, a group of Senators led by Senator Brian Schatz questioned Sam Altman and voiced their concerns regarding OpenAI’s practices. In a letter, the Senators wrote that “it is important that the public can trust in the safety and security of [OpenAI’s] systems” and that “this includes the integrity of [OpenAI’s] governance structure and safety testing, its employment practices, its fidelity to its public promises and mission, and its cybersecurity policies.” The Senators also asked OpenAI to confirm whether the company would enforce any permanent non-disparagement agreements and whether it would commit to removing any other provision that could be used to penalize employees for speaking out.
These inquiries follow a letter that whistleblowers at OpenAI sent to the Securities and Exchange Commission earlier this month. In that letter, the whistleblowers, a group of both current and former employees, alleged that OpenAI gave its employees restrictive employment, severance, and non-disclosure agreements. According to the complaint, these contracts required employees to waive their rights to whistleblower compensation and threatened penalties for employees who raised concerns with regulators.