Last Week’s Cybersecurity Disasters
There are decades when nothing happens, and weeks when decades happen. Last week was definitely one of those latter periods for CISOs, internal auditors, compliance officers, and anyone else charged with worrying about cybersecurity.
Just consider what happened last week:
- On Tuesday, UnitedHealth reported spending nearly $1 billion on recovery costs from a ransomware attack the company suffered in February, thanks to a basic cybersecurity precaution one of the company’s subsidiaries failed to take.
- On Thursday, a federal judge ruled that, no, the Securities and Exchange Commission can’t rely on rules requiring companies to have strong internal accounting controls as a vehicle to enforce better standards for cybersecurity.
- On Friday, companies around the world came to a screeching halt thanks to a flawed software update from cybersecurity firm CrowdStrike, which crashed critical IT systems those companies used to run their business.
Can you see how this all fits together? Corporations all over the place have poor internal controls for their cybersecurity. The SEC at least tried to hold companies accountable for such weakness using its powers under the Exchange Act, until a federal judge shot down that idea last week. Said companies, however, still have those poor cybersecurity practices, which can inflict tremendous disruption. We need some mechanism to force them to do better — and right now, we don’t have one.
That’s the state of affairs brought into painfully sharp relief last week with the CrowdStrike disaster.
Let’s start with the facts of what happened. Last Friday, CrowdStrike pushed out a routine content update for its Falcon endpoint security sensor, a product thousands of companies run on their Windows machines. The update was not a patch to Windows itself; it was a configuration file that the Falcon sensor’s kernel-level driver reads. The file was malformed, the driver crashed while processing it, and because that driver runs inside the Windows kernel, Windows crashed with it. The update went out automatically, with no action required from customers. Chaos ensued around the world.
Now appreciate all that from an internal controls perspective. Thousands of companies had IT systems that allowed a third party to push a software update straight into production without any testing on the customer’s side. That is a terrible practice for IT general controls. (One caveat worth knowing: CrowdStrike does let customers hold the Falcon sensor itself one or two versions behind the latest release, but these content updates bypassed that staging policy, so even companies that had configured staging had no way to test this particular update first. The control existed on paper; it just didn’t cover the kind of update that did the damage.)
So in theory, every publicly traded company that fell victim to the CrowdStrike disaster should disclose a material weakness in their IT general controls when their next quarterly filing rolls around. Every audit firm inspecting those IT general controls should issue some sort of qualified opinion. Right? Right?
From CrowdStrike to SolarWinds
Now let’s jump backwards in time to the SolarWinds cyberattack of 2020. Russian state-backed hackers compromised SolarWinds’ software build process and implanted a backdoor (later named SUNBURST) into its Orion network management product. SolarWinds then pushed out that trojanized software update to thousands of corporate and government customers, who promptly installed the patch and thus installed a Russian backdoor on their own networks.
It was the same fundamental IT general control failure, four years apart. Yes, in the SolarWinds case the malicious code was planted by outside actors, while the CrowdStrike case was caused by a defect that escaped the vendor’s own testing; but from an internal controls perspective, that’s not relevant. The flawed IT general control was the same in both instances: an update from a trusted vendor flowed straight into production with nobody in the customer’s organization checking it first.
According to the text of the Exchange Act, that shouldn’t have happened. The Exchange Act directs publicly traded companies to
- Devise and maintain a system of internal accounting controls,
- sufficient to provide reasonable assurances that
- access to assets is permitted only in accordance with management’s general or specific authorization.
And how do we define “reasonable” assurance? The answer is right in the statute. Internal controls must be of “such level of detail and degree of assurance as would satisfy prudent officials in the conduct of their own affairs.”
Well, all those companies that fell victim to the CrowdStrike disaster already knew something like this could happen, because they either witnessed or outright experienced that exact same IT general control failure with SolarWinds in 2020. When some disaster befalls you in the conduct of your own affairs, don’t you increase the precautions in your life so it doesn’t happen again?
So why did this CrowdStrike screw-up — or UnitedHealth’s screw-up for that matter, since it was a simple failure to implement multi-factor authentication — happen now, today, after the lessons of SolarWinds in 2020? Why were management, internal control teams, and corporate boards unable to address this clear, well-defined threat for four years?
What Do We Do Now? Nothing
Even worse is that regulators might now be powerless to do anything about this clear crisis in corporate risk management.
The SEC had tried to use its powers under the Exchange Act to sanction companies for poor cybersecurity; it even claimed a scalp last month when R.R. Donnelley paid $2.1 million to settle charges that it bungled its response to a cyber attack in 2021. That case used the internal accounting control provisions as we described above: IT systems are corporate assets, so if hackers gain access to them without management’s authorization, that means the company has poor internal accounting controls.
But now a federal judge just nixed that argument in the SolarWinds case. He quite fairly noted that a “system of internal accounting controls” means the controls were only expected to apply to, well, accounting. If Congress wanted companies to have a system of internal cybersecurity controls, it should have said so in the law.
So if the SEC can’t take enforcement action over poor cybersecurity practices through its internal accounting control provisions — what then? Does anyone really believe the SEC will adopt a new rule requiring companies to maintain a system of internal cybersecurity controls? Even if the agency did, does anyone really believe that it wouldn’t be challenged in court, and that some Trump judge wouldn’t toss it immediately thanks to the newfound freedom judges have since the death of the Chevron doctrine?
Maybe some cybersecurity failures could be addressed by the Federal Trade Commission, but the FTC is a consumer protection agency that typically waits until after an incident to bring enforcement actions. So I wouldn’t be surprised if the FTC eyes UnitedHealth’s breach, since UnitedHealth promised consumers it would keep their health data secure and some of that data is now available on the dark web.
But CrowdStrike doesn’t collect consumer data, and its failure only resulted in operational disruption and financial damage, not a privacy breach. So even while CrowdStrike is clearly the bigger, worse event, the FTC likely doesn’t have any jurisdiction here.
Nor does CISA, the Cybersecurity and Infrastructure Security Agency. CISA can recommend best practices and quasi-rules, but it certainly doesn’t have the authority to impose sweeping rules across the business sector or to launch enforcement actions against scofflaws.
No, folks. Thanks to the Supreme Court’s recent wave of anti-regulatory agency rulings, addressing this problem will literally take an act of Congress. And if you believe Congress has either the attention, wisdom, or appetite to do so, consider this: federal regulators first identified the potential for cloud-based technology providers to be a risk to the banking system and the economy writ large in 2017. They expressly said they likely don’t have the power to address this risk themselves, and asked Congress to enact new legislation. Seven years later, nothing has happened.
Then came last week, and all our cybersecurity shortcomings were made painfully clear. I suggest we expect them to stay that way.