Is antivirus software critical infrastructure? What about endpoint detection and response software?
Not today. But it should be. Too often, we’ve thought of critical infrastructure as something whose use is critical to a nation’s functioning. But the lesson from the CrowdStrike outage is that while we need ubiquitous software to work every day, we also need it to not break the things around it.
Many years ago, I was a study group member of the National Infrastructure Advisory Council’s Cross-Sector Interdependencies Working Group, which looked at how different critical infrastructure sectors relied on each other. At the time, the NIAC worried that "companies didn’t understand their reliance on the internet, and that the critical infrastructure model – focused on failures – didn’t really capture a medium whose most devastating attacks are from worms and viruses that infect systems."
The most widespread “infections” today are the legitimate agents deployed at such scale that they are near-ubiquitous. One wouldn’t normally think of these pieces of software as critical infrastructure – after all, if they simply went away right now, it would impact few businesses – but a catastrophic failure is around the corner when one of them fails in a way that breaks the systems it runs on.
Deploying antivirus, or its modern-day successor, endpoint detection and response, or EDR, onto one machine doesn’t make that piece of software critical. But as it reaches critical mass, the blast radius of its failure makes it so adjacent to critical infrastructure that it becomes critical in and of itself. We've all heard the reports of the critical infrastructure that was down last Friday – from hospitals and 911 services to airlines. I’m thankful I get to write this sitting in my own basement where the internet still works. Those reports in the wake of the CrowdStrike outage make it blindingly obvious that any widespread piece of software is now critical infrastructure.
I hesitate to write those words, as being critical infrastructure brings with it a whole host of regulatory oversight and compliance obligations, sometimes bringing benefits, but most often bringing unhelpful burdens. In industries that are natural or regulatory monopolies such as water, power, healthcare, and transportation, those burdens are often passed directly on to the consumer. But in competitive markets, the critical infrastructure burden may inhibit competition, either by weighing down the major players, or by creating hurdles that keep new players out.
Either way, it’s time to accept that endpoint security software has become critical infrastructure. But what does that mean?
In the wake of Loper Bright, which overturned Chevron deference for federal agencies on regulatory cases, it’s hard to conceive of a way for an agency to cover end-user software as critical infrastructure on its own authority. But given last Friday's outage, Congress should act, using the same model it originally used in HIPAA with business associate agreements: requiring vendors that deploy software into critical infrastructures to become regulated themselves, needing to meet cyber safety rules to ensure the safety of all of our critical infrastructures.
Too often, we overfocus on cybersecurity rules, applying massive regimes from ISO 27002 to the NIST Cybersecurity Framework to ensure that software systems aren’t exposed to adversarial attacks. Instead, we should step up a level, and consider regulating safety more heavily – ensuring that the software distributed and managed at scale is reliable, and isn’t going to someday shut down our nation’s airlines, 911, and hospital systems … ever again.
Cyber safety would look like a set of requirements organized around complex system safety, possibly based on MIT Professor Nancy Leveson’s STAMP accident model and its STPA hazard analysis method: companies would need to document the unacceptable losses they must defend against, identify the hazards that make those losses possible, and then report what controls they’ve implemented to mitigate the risk of those hazards. Some of those hazards are fairly standard across software industries, so we should expect some reuse of compliance reporting, but a complex systems safety approach might not only give us confidence in our software, but actually help improve the state of software safety in our critical infrastructures.
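What those three STPA artefacts look like once written down, as an added illustration that is not from the article and not any vendor's actual analysis: the losses, hazards and controls below are constructed for a hypothetical endpoint agent, and the check only verifies that every loss traces to a hazard, every hazard to a control, and every control to evidence a regulator could be shown.

```python
"""STPA-style traceability check for an endpoint agent deployed at scale.

Added illustration only: the losses, hazards and controls are constructed
examples for a hypothetical agent, not any real vendor's analysis.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Loss:
    id: str
    description: str


@dataclass(frozen=True)
class Hazard:
    id: str
    description: str
    leads_to: tuple[str, ...]   # ids of the losses this hazard can cause


@dataclass(frozen=True)
class Control:
    id: str
    description: str
    mitigates: tuple[str, ...]  # ids of the hazards this control addresses
    evidence: str = ""          # what would be reported to a regulator


# Constructed sample analysis (hypothetical agent, not a real product).
LOSSES = [
    Loss("L-1", "Customer systems unavailable at fleet scale"),
    Loss("L-2", "Customer systems left unprotected against attack"),
]
HAZARDS = [
    Hazard("H-1", "A pushed update makes endpoints unable to boot or stay up", ("L-1",)),
    Hazard("H-2", "A pushed update silently disables protection", ("L-2",)),
    Hazard("H-3", "Customers cannot halt or roll back a bad update", ("L-1", "L-2")),
]
CONTROLS = [
    Control("C-1", "Staged rollout: canary ring before fleet-wide push", ("H-1", "H-2"),
            evidence="rollout policy and ring membership logs per release"),
    Control("C-2", "Agent validates each update and refuses to load one that fails", ("H-1",),
            evidence="validation results per release"),
]


def check_traceability(losses, hazards, controls):
    """Return a list of findings: losses no hazard leads to, hazards no
    control mitigates, controls with nothing to report, and dangling ids."""
    loss_ids = {loss.id for loss in losses}
    hazard_ids = {h.id for h in hazards}
    findings = []

    covered_losses = set()
    for h in hazards:
        for lid in h.leads_to:
            if lid not in loss_ids:
                findings.append(f"{h.id} references unknown loss {lid}")
            covered_losses.add(lid)
    for lid in sorted(loss_ids - covered_losses):
        findings.append(f"{lid} has no hazard identified")

    mitigated = set()
    for c in controls:
        for hid in c.mitigates:
            if hid not in hazard_ids:
                findings.append(f"{c.id} references unknown hazard {hid}")
            mitigated.add(hid)
        if not c.evidence:
            findings.append(f"{c.id} has no evidence to report")
    for hid in sorted(hazard_ids - mitigated):
        findings.append(f"{hid} has no control mitigating it")
    return findings


def uncontrolled_hazards(hazards, controls):
    """Ids of hazards that no control claims to mitigate."""
    mitigated = {hid for c in controls for hid in c.mitigates}
    return sorted(h.id for h in hazards if h.id not in mitigated)


if __name__ == "__main__":
    for finding in check_traceability(LOSSES, HAZARDS, CONTROLS):
        print("FINDING:", finding)
```

In the constructed sample, hazard H-3 (no way to halt or roll back a bad update) has no control, which is exactly the kind of gap a safety-oriented report should force into the open; the cybersecurity frameworks the text mentions would not ask the question.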
I'm the last one to call for more regulation, but while many of us may disagree on the need for regulating EDR software, we can't afford more days like last Friday.
Andy Ellis, operating partner, YL Ventures