CrowdStrike: Are Regulations Failing to Ensure Continuity of Essential Services?

Total security is Utopia

In recent years, regulations have been enacted that intend to ensure the continuity of essential services and mitigate security and availability risks. These regulations include the Digital Operational Resilience Act (DORA) and Network and Information Systems Regulations (NIS Regulations). In light of the recent incident involving CrowdStrike's Falcon system, it is legitimate to ask whether these regulations are truly effective. The chaos generated at airports and in payment systems could lead us to think that these regulations are failing. While it is true that the company acted in good faith, with full transparency, and did everything in its power to quickly repair the problems caused, the damage was enormous.

The first thing we must understand is that there is no such thing as absolute security. This is something that those of us who have been involved in cybersecurity for many years are keenly aware of. It is impossible to protect anything 100%. Even the planet Earth can be destroyed by a meteorite, although the probability is remote. On average, every 10,000 years, there is a chance that asteroids larger than 100 meters can hit the Earth and cause local disasters or generate waves that flood coastal areas. NASA also estimates that every "several hundred thousand years," an asteroid larger than one kilometer could strike the Earth.

The philosophy of regulations

Beyond looking at each article and paragraph of the regulations enacted, we need to understand that, in general, the purpose of these regulations is to minimize, to the greatest extent  possible, the probability that a security incident will lead to the total or partial disruption of essential services or, if a disruption does occur, to ensure that the service is restored as quickly as possible. So, it is clear that yes, these regulations are not only useful but also absolutely necessary, even if we do not avoid 100% of potential incidents. Just imagine for a moment if they did not exist. How many serious incidents would occur then? It is true that there are many responsible companies committed to providing the best service to their customers. They implement controls and solutions with this objective in mind. But what about the rest?

Interconnection of IT services

One of DORA’s key areas of focus is on the evaluation of services provided by third parties, which is inherently what the CrowdStrike-related service outages were about. In an increasingly interconnected and interdependent IT world, this concept is especially relevant for regulatory purposes. These regulations make clear that, even if we outsource certain services, we still have the responsibility to control and monitor them.

How Broadcom can help

At Broadcom, we provide solutions capable of monitoring the status of services and detecting anomalies and potential failures before they occur. We identify the root cause and provide the relevant  information needed to restore availability as soon as possible. Details on our observability solutions can be found here.

Regulations focused primarily on security objectives require not only monitoring but also the testing and validation of services. They also mandate the development of contingency plans and resilience testing, among other measures.

At Broadcom, we are able to provide our customers with effective solutions to meet these requirements. Additionally, Broadcom's extensive range of security solutions deliver many of the controls required by the latest security regulations, making  us one of the best partners for compliance.

Broadcom has published numerous articles detailing how we can assist in addressing regulations like DORA and NIS across various security disciplines to secure business services for our customers, and these publications are well worth reading.

Broadcom has a long-standing history of serving financial institutions, banks, telecommunications companies, government agencies, and other providers of critical services. This extensive experience equips us with the products and expertise necessary to help our customers implement the controls and security measures mandated by these and other active safety and security regulations.