The recent disruption in cloud computing service provider Fastly resulted in swaths of the internet becoming inaccessible. Many of the world’s largest websites including CNN, the New York Times, Twitch, and websites of the UK government went down.
The incident did not last for that long, but it left many alarmed. Unsurprisingly, the immediate suspicion was that it was another cyberattack. After the high-profile SolarWinds, Colonial Pipeline, JBS, and several other attacks at the start of the year, it is understandable why many are quick to attribute IT problems to hackers or cybercriminals.
Fastly put out a statement regarding the outage, saying that it was “due to an undiscovered software bug that surfaced on June 8 when it was triggered by a valid customer configuration change.”
Some are not convinced that there was no attack, though. After all, it is common practice for many organizations to not admit that they have become victims of cybercriminals. “It’s not good publicity, which can negatively impact the company or organization in many ways,” said American cybersecurity researcher Roel Schouwenberg in an interview with Mashable on why companies refuse to admit they were hacked.
More on the Fastly outage
In Fastly’s statement, the outage was characterized as broad and severe but it lasted for only less than an hour. The company attributes it to a software deployment on May 12 this year that is said to have introduced a bug in the company’s system. This bug can then be triggered by a “specific customer configuration under specific circumstances.”
The trigger happened on June 8, when a customer entered a valid configuration but with specific circumstances aligning with the trigger Fastly described. The triggering of the bug resulted in network errors that disrupted 85 percent of the company’s network.
The problem was not a DDoS or some other attack typically used on content distribution systems to overload their servers. If that had been the case, an effective global load balancing and geo-targeting solution would have easily averted the disruption or significantly reduced the noticeable service interruption.
Without accusing Fastly of lacking adequate measures to mitigate or prevent disruptions from cyber attacks, it bears pointing out that it would not look good for a company to be caught in a situation that reveals their lack of effective solutions to stop hackers from creating problems. This is one of the reasons why some are skeptical when companies say they did not suffer a cyber attack.
Exploitable bug
It is also worth noting that the bug Fastly described has the hallmarks of an exploitable vulnerability. As described by the company, a customer unintentionally triggered the bug. A bad actor could have done the same and exploited the vulnerability further with considerably worse outcomes.
The company itself admits that its code’s safety still needs improvements. “Even though there were specific conditions that triggered this outage, we should have anticipated it. We provide mission-critical services, and we treat any action that can cause service issues with the utmost sensitivity and priority,” Fastly wrote in a statement.
Many companies fail to undertake enough measures to make sure that their codes are properly optimized and that bugs are kept at the lowest end of the minimum range possible. There are those that proceed with the deployment of their web services or platforms even without satisfying established benchmarks of quality.
As the State of Code Review 2020 bears out, only 49 percent of the respondents said that they are satisfied with their respective code review processes. The same survey reveals that companies consider code review as the best way to improve code quality. Unfortunately, they admit to being unable to meet their own standards.
Customer confidence
So why does it matter whether disruption is caused by a cyber attack or a technical glitch? For customers, this detail is important because it says a lot about the ability of companies to deal with persistent cyber-attacks that are only growing in complexity year after year.
Forbes cybersecurity thought leader Chuck Brooks reviewed recent cybersecurity statistics, and described them as “alarming.” The pandemic did not have any impact on reducing cybercriminal activity. Things have even become worse.
Companies that cannot keep up with the volume and sophistication of cyber-attacks cannot be regarded as reliable or trustworthy. Cyber attacks are now a reality of modern life. Companies are expected to take them seriously and make sure that they put in place enough measures to reduce cyber defense penetration, mitigate successful attacks, and promptly implement effective remediation procedures.
Some would probably say technical glitches are not that different from cybersecurity failure. They may even be worse as they can demonstrate a lack of competence that a company is getting interrupted by its own doing or failing to do something in eliminating or minimizing bugs. However, it is important to highlight the major difference: cyber attacks entail serious consequences to customers such as data theft while technical glitches are rarely associated with outcomes that go beyond temporary service disruptions and inconveniences for customers.
Legal requirement
Moreover, it is important that companies reveal whether or not they suffered a cyberattack because it can be legally required. The General Data Protection Regulation of the European Union, for example, legally obliged companies to inform the Information Commissioner’s Office if they fall prey to data breaches.
Similarly, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) of the United States, as well as the Personal Information Protection and Electronic Documents Act (PIPEDA) of Canada, requires companies to reveal details of data breaches they may encounter. Under the HIPAA Breach Notification Rule, businesses and organizations that maintain health records should send out data breach notifications to the persons affected as well as the Department of Health and Human Services.
The United States Congress is also mulling the passing of a law to require companies to report major cyber attacks. Cybersecurity experts advising lawmakers are saying that the severity and scope of recent cyberattacks especially on US institutions make it crucial to come up with legislation that ensures cooperation between the government and private sector when it comes to addressing cybersecurity threats.
Cyberattacks have become too big and serious a problem to be dealt with by organizations or businesses on their own. In a piece on Computer Weekly, cybersecurity expert Elisabetta Zaccaria pushed sensible arguments to advance cooperation in the fight against cybercrime. “We now see rising consensus at the institutional level that no individual stakeholder can address the breadth of security challenges we face today,” Zaccaria wrote.
In conclusion
It may sound like plain nitpicking, but it definitely matters if a company suffered a cyberattack or suffered from a simple technical glitch. The two have different difficulties of resolution and outcomes especially in terms of the impact on customers and stakeholders. There are also laws that make it a legal obligation for companies to divulge the details of data breaches and similar cyberattacks that involve customer data.
