Glitch or Attack: Either Way, Be Ready for Disruptions
Small Glitches can lead to big problems
Cloud computing giant, Fastly, recently was compromised resulting in outages for The New York Times, CNN, Twitch, and even some UK government sites. This only months after an online organized crime group completely shutdown the Colonial Pipeline in the United States, leaving thousands without fuel. For many, this sews seeds of doubt about the digital age we find ourselves in. For others, it breeds room for growth in data security and defense technology. Fastly claims an internal glitch caused the outage that lasted less than an hour, however, many are skeptical of this and suspect foul play at hand. For Fastly, falling victim to a cyberattack could negatively affect their reputation in space and mean even more financial damage than what already has occurred.
According to a statement made by Fastly their team isolated the bug to an update to a system made on May 12 that resulted in a vulnerability in their system under “specific customer configuration under specific circumstances.” Fastly claims a customer unknowingly triggered the glitch, resulting in the outage across multiple systems totaling about 85 percent of Fastly’s network. This begs the question, could this glitch then be intentionally exploited by hackers under similar circumstances? In this scenario, a customer triggered the outage by happenstance, but similar outages could easily occur with the knowledge of these exploitable bugs existing within the system.
Exploitable Vulnerability make it easy for hackers
This would actually fall under a very common form of cyberattack known as an “exploitable vulnerability” where a hacker identifies a weak point in the system and uses it to gain access to other parts of the internal framework; a sort of hole in the wall approach. It is the result of a hacker actively looking for exploitable weak points in a companies online infrastructure whether it be a coding error or circumstantial glitch as Fastly is claiming. Because of how common this method of cyberattack is, many are skeptical on whether or not this bug was much more.
Why would a company hide a glitch?
You may be asking yourself why Fastly would feel the need to be dishonest here? A bug at such a large scale is pretty embarrassing as it is for a data services company. And while a bug might cause customers to question Fastly’s competence in the space, worst case scenario a bug is a minor inconvenience. A cyberattack typically results in loss or theft of data as well as puts the customers at risk. So while some might argue a bug is more damaging to a company's reputations against its peers, an attack results in far greater damage for everyone involved. Fastly would lose far more in customer confidence in the event of a cyberattack versus just a bug in the system. While both don’t necessarily instill confidence, for a company that engages in managing data a breach of security would have a serious impact on their credibility and marketability within the space. In statements to the press, Fastly did acknowledge that the bug was an unacceptable oversight, and that more robust security was necessary. However, there is much more at stake here than just splitting hairs over why the issue occurred.
GDPR Breach Protocol
In some cases, Fastly may have a legal requirement to disclose to their customers if a breach has occurred. Under the GDPR (General Data Protection Regulation) of the UK breach reporting is required under penalty of law. Under GDPR companies can be fined up to $11.03 million dollars or 2% of global revenue, whichever is greater. The Information Commissioner’s Office (ICO) is the governing body that enforces GDPR compliance and has a much greater presence in the UK than that of the governing bodies of HIPAA in the United States. GDPR violation serves as a revenue center and American legislation seems to be following suit.
HIPAA Breach Protocol
With regard to protected health information (PHI) in the United States, businesses are required to report breaches under that fall under HIPAA to the Department of Health and Human Services (HHS). Under HIPAA, fines can result in up to $50,000 per breach and cap at $1.5 million per year. Violating HIPAA could leave Fastly’s business associates subject to penalties and audits, further damaging their already tainted reputation. At the end of the day, Fastly has some further explaining to do in regard to what exactly happened and the steps they are taking moving forward to strengthen their systems.
Data Security is a moving target
With multiple breaches of security to start off the first half of 2021, this should serve as a wake-up call to those in the industry who may be lacking safeguards that at this point should be an industry standard. It is no longer enough to wait for legislation to catch up and hope to get by with the bare minimum. Industry best practice should always be the end goal of data security as legislation is often years behind what the industry’s best have been implementing for years. Businesses stand to lose much for than the financial penalties associated with data breaches and buggy servers. In a world of canceled culture and viral marketing, a company’s entire reputation could be at stake.
Whether we like it or not, we live in a world where modern business happens on a digital landscape. We live in the age of Docusign and Zoom. Groundbreaking business deals can happen with the click of a button and without the physical shaking of hands anymore. In many ways this has streamlined business and created a world that doesn’t seem quite as big as it used to. However, as we navigate this digital landscape, like anything there will always be challenges to overcome and problems to solve. Some of these challenges might be self-inflicted errors and others more malicious and while businesses at large seem to be adjusting to these online transactions in the wake of a year of almost completely remote business, even the largest corporations face these same roadblocks. At the end of the day, legislation can only go so far to enforce bare minimum requirements on corporations. The real work comes in holding the businesses we utilize accountable to best practice standards and create a demand for transparency and accountability across all industries.