Preventing the Next Blue Screen Friday

Open North believes the catastrophic global outage that occurred on July 19, 2024, should be a wake-up call for governments and civil society.

A call for prudent, intelligible, and responsible cybersecurity practices.


On July 19, 2024, a catastrophic global outage occurred, rendering hundreds of thousands of Microsoft Windows systems inoperable due to a single faulty update from cybersecurity provider CrowdStrike. This incident impacted critical services across sectors, from banking and transportation to healthcare and media, underscoring the fragility of our digital infrastructure when cybersecurity is treated as a siloed, purely technical concern.

As an organization dedicated to promoting responsible, transparent, and accountable cybersecurity practices, Open North believes this crisis should be a wake-up call for governments and civil society. For too long, the prevailing “security through obscurity” mindset has allowed vendors and enterprises to keep their cybersecurity policies and vulnerabilities hidden behind a veil of technical complexity. This opacity breeds mistrust, hinders collaboration, and ultimately leaves our digital ecosystem more vulnerable.

No system is infallible. Competency is a key component that needs to go hand in hand with transparency in cybersecurity. New threats emerge and evolve continuously. Most software and hardware used by governments and civil society is built by a myriad of companies and actors in fragmented and often uncoordinated environments. As the Blue Screen Friday incident shows, malicious actors aim to exploit vulnerabilities in an ever-changing technology landscape. As such, Open North emphasizes cybersecurity competencies, as opposed to literacy alone. Literacy implies a one-way intake of information. Competency, on the other hand, implies an active, critical, and creative ability to learn, adapt, and address complex issues. Competency includes the baseline skills that individuals should have to respond to cybersecurity risks regardless of their role or existing capabilities.

The Blue Screen Friday incident exposes the risks of over-relying on single points of failure and outsourcing critical security functions without adequate oversight and resilience planning in line with good data governance policies. When a cybersecurity provider’s update can bring down systems globally, it’s clear that the current model is unsustainable. We need to advocate for a better approach that balances technical expertise with the principles of prudence, intelligibility, and responsibility. 

Prudent cybersecurity means managing risks holistically, engaging diverse stakeholders to identify critical assets, and assuming breaches will occur. It means investing in appropriate backup and recovery capabilities, monitoring rigorously, and regularly practicing incident response. Crucially, prudence requires organizations to vet and hold accountable the third-party security vendors on which they depend. The response by different organizations and governments to Friday’s incident shows that a mass outage event is often outside the immediate control of organizations and governments, both large and small.

Intelligibility in cybersecurity demands making policies and practices transparent and accessible to all stakeholders. Technical concepts must be translated into clear business terms. Employees at all levels should receive engaging cybersecurity training that empowers them to flag concerns. Intelligibility fosters a culture of openness and collaboration essential for effective risk management.

Responsibility means clearly defining cybersecurity roles and duties across organizations, with robust ex-ante/ex-post norms and accountability measures. It means cultivating external partnerships with institutional peers, industry collaborators, and government agencies to share threat intelligence and coordinate responses. Responsibility recognizes that cybersecurity is a collective obligation, not just an information technology (IT) function.

Cybersecurity for all 

At Open North, we implement a risk-mitigation approach in assessing a partner’s cybersecurity needs. This includes understanding the nature of the partner and assessing their size, technological maturity, and financial and resource capacity. Every risk environment is different: some organizations and small governments might rely on external third-party IT vendors for their operations, while others might have the capacity to engage their own IT team. Other organizations might be required by law to take extra precautions to protect the sensitive data they handle, such as health data or private personal information.

Once potential risks are identified, we work closely with key stakeholders and leadership in partner organizations and governments to recommend appropriate and reasonable controls, policies, and tools to reduce the likelihood and impact of cybersecurity-related threats and attacks. Competency is central in our work; our bespoke approach and collaborative process builds the skills and knowledge needed to develop and implement organizational policy, acquire appropriate resources and tools, and engage with IT and cybersecurity vendors to balance existing resources with the services necessary to mitigate cybersecurity risk.

Advocacy for better cybersecurity practice

Governments and cybersecurity providers have a vital role to play in advancing towards a new, prudent, transparent, intelligible, and responsible cybersecurity paradigm. Policymakers should require greater transparency from cybersecurity providers about their practices and hold them liable for negligent failures. Procurement rules should mandate vendors meet standards of openness, resilience, and accountability. Regulators should strengthen disclosure requirements for cybersecurity incidents and risks.

At the same time, civil society organizations like Open North can continue to advocate for the public’s right to understand how their data is being protected and push enterprises to prioritize transparency and accountability. We aim to foster cross-sector cybersecurity partnerships, capacity, and information sharing, connecting silos that have proven so resistant to being broken down. Crucially, we must cultivate a new generation of cybersecurity leaders who embrace prudent, transparent, intelligible, and responsible practices.

The path forward seems daunting, but the risks of inaction are too high. The Blue Screen Friday incident is a stark reminder of the cascading disruptions that can occur when cybersecurity is treated as a black box. By embracing a new paradigm of responsible, transparent, and inclusive cybersecurity, we can build digital infrastructure that is more resilient, more trustworthy, and ultimately more sustainable. The time to act is now, before the issue is swept under the carpet of “strictly technical incidents.”
