GAO-24-107733 Cybersecurity
Snapshot
Cyber Resiliency: CrowdStrike Outage Highlights Challenges
GAO-24-107733 · September 2024
Challenges in supply chain risk management, testing, contingency planning, and cyber information
sharing make it more difficult to mitigate cybersecurity risks to IT systems. GAO’s work in these areas
highlights the need to mitigate them.
The Big Picture
In July 2024, a software update from the
cybersecurity firm CrowdStrike caused Microsoft
Windows operating systems to crash—resulting in
potentially one of the largest IT outages in history.
The outage disrupted critical infrastructure operations
by grounding commercial flights and interrupting
critical hospital care, among other impacts.
Depiction of CrowdStrike Outage Effect
CrowdStrike’s investigation of the incident found that
a faulty security update caused widespread system
failures, affecting millions of Windows systems.
Although the CrowdStrike crash was caused by
human error and not a cyberattack, it highlights
similar vulnerabilities we saw during the SolarWinds
attack in 2019. In that event, instead of attacking
systems directly, malicious actors targeted system
support software. That software, SolarWinds Orion,
was widely used by federal agencies to monitor
network activity and manage network devices. This
allowed the threat actor to breach several federal
networks. Cyber incidents at federal agencies and
the nation’s critical infrastructure sectors, such as
transportation and healthcare, are growing in
number, impact, and sophistication. Federal entities,
such as the Cybersecurity and Infrastructure Security
Agency (CISA), lead efforts to coordinate national
cyber policy and critical infrastructure cybersecurity.
What GAO’s Work Shows
GAO has long reported on the importance of supply
chain risk management, testing, contingency
planning, and information sharing to help manage
and mitigate cybersecurity vulnerabilities.
• Supply chain risk management. Organizations
have increased their reliance on complex,
interconnected, and global supply chains that can
include multiple tiers of outsourcing. The
exploitation of IT products and services through
the supply chain is an emerging threat. In 2020,
we identified seven practices to manage and
protect federal IT against these risks. We made
recommendations for improving supply chain risk
management practices including detecting
counterfeit and compromised technology products
prior to their deployment.
• Testing. Testing and approving new and
modified systems and software (including critical
security patches) before their implementation are
essential to help ensure systems’ hardware and
programs operate as intended and that no
unauthorized changes are introduced. Our work
has found that federal agencies do not always
adequately address issues found in testing before
deploying new systems or software. This makes it
more difficult to protect against cyber risks and
system failure. In 2021, we recommended that the
Departments of Defense and Veterans Affairs
improve testing processes for their electronic
health records systems to verify the systems
perform as intended and meet users’ needs.
• Contingency planning. Contingency planning
helps ensure that if operations are interrupted,