CrowdStrike is blaming a bug in test software for taking out 8.5 million Windows machines. That’s according to a preliminary post-incident review published Wednesday, July 24, by the company.
No one appeared to have it as bad as the airline industry with nearly 3,000 canceled flights. However, the outage stretched across health care systems too. Banks experienced a hiccup in comparison. But what does it look like if an IT incident hits banking and credit cards harder?
People like Bloomberg Opinion columnist Paul Davies are warning that the CrowdStrike outage is another sharp warning for banks.
Federal Trade Commission Chair Lina Khan posted on X, “All too often these days, a single glitch results in a system-wide outage, affecting industries from healthcare and airlines to banks and auto-dealers. Millions of people and businesses pay the price. These incidents reveal how concentration can create fragile systems.”
How concentrated is the banking industry? And how fragile are the systems that hold everyone’s money? To answer these questions, Straight Arrow News interviewed Thomas Vartanian, the executive director of the Financial Technology and Cybersecurity Center and author of “The Unhackable Internet: How Rebuilding Cyberspace Can Create Real Security and Prevent Financial Collapse.”
The following has been edited for clarity. Watch the full interview in the video above.
Simone Del Rosario: How vulnerable do you think the banking sector is to an IT outage or a hack?
Thomas Vartanian: Let me just say, I think at the end of the day, it is vulnerable. It is not as vulnerable as many of the other critical infrastructures in the country. In fact, after defense, it is probably the least vulnerable of all the critical infrastructures in the country. But that said, you have to remember we’re using a highly insecure, highly vulnerable cyberspace internet infrastructure that is insecure basically at its core.
Simone Del Rosario: What makes it insecure?
Thomas Vartanian: In 1969, the internet was started as a network between four universities to share research and information. And since then, the security aspects of it were never added. It was never meant to be secure. Security has never been added. So we’ve tried to add it afterwards as we have loaded on every piece of data and every piece of value in the world onto a structure that was never meant to be secure.
To say that the internet is secure is a myth in my view, and I think it’s something that we should have fixed 25 years ago. And I think all of these things we’re seeing today suggest we should fix it today. Because at the end of the day, this could have happened in the banking business. It could have stopped people from being able to reach their money. And that is catastrophic, frankly.
Simone Del Rosario: The impact to airlines, this latest CrowdStrike issue, it was so visual. You could see the effect of airlines not being able to access their systems. What would it look like if something goes wrong and banking can’t get online? What would we see?
Thomas Vartanian: That’s a great question because I wrote a chapter about that in my book. I said, ‘What would happen if you couldn’t reach your money?’ And I laid out a scenario that actually started with somebody getting a virus on their phone that they transmitted throughout the system. And the problem is, think about not being able to reach your money. How long would it take you to become alarmed? How long would it take you to become panicked?
The second question I raise in the book, and this is a real problem because there’s no governance, there’s no enforcement online, it’s the Wild West: If your money was gone tomorrow morning, who would you call? I’ve been in banking almost 50 years. I don’t know who to call. That’s a problem.
We’re living in an ungoverned world. And here’s the real issue, I think, in terms of cyberspace. We have taken everything from the analog that is secured, we have borders, we have fences, we have locks on doors, and put them into cyberspace where we have none of that. Absolutely none of that.
So ask yourself the question, do you take all your personal papers and personal effects and put them on your front lawn for anybody walking by to rifle through? Absolutely not. But that’s what we do in cyberspace. And that’s the problem. That’s the problem with all of these incursions. They should be telling us something about the vulnerability of cyberspace and what we ought to be fixing.
Simone Del Rosario: I’ve been putting a bunch of thought into this. It’s really a trust system that I have with my financial institutions to even say, ‘This is the money that is allocated to me.’ I don’t have a separate sheet that shows what I see my balance to be, so if it got wiped out tomorrow, I’d have no idea what I was owed. And we’re getting into the age of online-only banks as well. Should people be concerned?
Thomas Vartanian: I think when it comes to financial services, the concern I would have would be a lot less than most of the other critical infrastructures in this country, such as power and water and things like that. I think we have come to understand that the enormous amount of work that the financial services business has done has paid off in terms of them having a high level of security. And why? Why is that? Well, that’s because largely they’re highly regulated.
They’ve got people pushing them to make sure they are secure. But second of all, they live and die on the trust of customers. You lose the trust, you lose the customer. And so they have a great incentive and they have done an enormously good job, as I say, to secure an insecure world.
That said, I am very careful when I’m online. I have a number of habits I follow. For example, I use one computer for banking and I don’t use it to go online for anything else. And there are ways that you can protect yourself, but you have to understand you’re dealing with insecure networks and structures and the banks have done as great a job as anybody can with that, but the fact of the matter is, we’re all relying on those networks and structures to work the way that they’re supposed to.
There was a press release that went out from the Department of Homeland Security, I guess it’s now maybe a month or two ago, from CISA, the cybersecurity agency, And it said that the Chinese, through Volt Typhoon, had infected every critical infrastructure in this country. Think about that. They’ve infected every critical infrastructure in this country with theoretically means they can bring them to a halt and bring them down at any time they want.
That tells me it’s a system we ought to be fixing. That tells me that’s a system that has enormous impacts on the systemic stability of the country that we ought to be changing. And we’re not.
I think there are a lot of reasons why we’re not. And it ranges from consumers not wanting the internet to change to leaders not understanding how to change it. But the fact of the matter is we’ve got a highly insecure network and highly insecure systems. You really have to run a thousand miles an hour to protect yourself online, whether you’re a business or an individual.
Simone Del Rosario: Would you say the banks are too concentrated in too few of these third-party providers? And if that’s the case, what is the alternative?
Thomas Vartanian: Yeah, it’s a good question. I think that many people don’t understand, Simone, that when you walk into a bank, you’ve walked into a front door that basically opens up to a panoply of outside service providers that the bank uses, whether it’s credit cards or whatever the case may be.
And there are a lot of providers out there. But the problem, I think, from a technological point of view, and this applies to every industry, is there are too few suppliers of these kinds of services that make systemic stability an issue in almost every industry, not just banking.
So you look at the number of people that CrowdStrike with servicing, and you say to yourself, globally, that’s a real problem. Now, why weren’t there checkpoints? Why weren’t there moderators and governors on this system? And maybe they will be in the future. But the fact of the matter is it’s not a regulated technology.
And the question I think that this all raises is, should it be? You can have the banks and financial services companies regulated as much as you want, but when they’re dealing with unregulated entities who are providing the back-end services in that financial institution, they’re dealing with people who don’t have the same sensitivity that the banks do to the kinds of things that regulators are going to want to be sensitive
Simone Del Rosario: What would you say is the solution to all of this? I mean, it’s hard to solve a problem as big as an insecure internet, but I know that you have some ideas.
Thomas Vartanian: Yeah, I do. That’s what I put in my book, about a hundred solutions and you can take them with a grain of salt because a lot of those are not going to be done. No. 1, we have to secure cyberspace. The CrowdStrike issue was, as far as we know, unintentional. Think about what if it was intentional? What if it was intentional and someone could could bring down technology throughout the world? I mean, that shouldn’t be the case.
So we need to begin to secure cyberspace. We need to build checkpoints throughout cyberspace. There needs to be greater liability for people who are creating software. I mean, that’s a huge problem. I think the absence of liability throughout systems, that there can be a breach and people will just say, well, you know, we had a breach, you should look at your credit reports and take care and we’re off to do something else.
And the reason for that, I think, is what I found when I was doing my work in the area and then researching for the book, is that we live in a launch first, patch second environment. And the reason for that is, first to market is the first to the profits, right? So we need to change that ratio.
We need to segment important businesses into more companies. We can’t have reliance on just one or two companies for these technologies. We wouldn’t allow that in a financial services business. We shouldn’t allow it in the technology business. And lastly, I think, and one of the things I proposed in my book, is that we have to start thinking about regulation differently.
I have come to believe, as a former regulator, that regulation by government only is going to fall short. I think regulation from now on has got to be a cooperative effort between the government and the private sector. We’ll have to deal with whatever conflicts we have to deal with. But I think the government and the people with the expertise in the government desperately need the expertise from the private sector. If they don’t get it, they’re always going to be running behind in terms of trying to deal with problems.
We continue to try to solve digital problems with an analog mindset. We take the way we solved problems 50 years ago and we try to apply them to a digital world. It’s not going to work. It’s just not going to work. So we need a change in mindset. We need a change in liability. We need a change in governance. And these things should have been done over the last 30 years. And none of them have been done, quite frankly.
