Imagine a world where the very companies hired to protect us from cyber threats inadvertently cause massive disruptions. Today, Steve Davenport and Clem Miller discuss the staggering irony of a global IT outage ignited by a faulty software release from cybersecurity giant CrowdStrike. This episode promises to reveal the vulnerabilities in our digital infrastructure, using historical incidents like the SolarWinds and Target cyber attacks to illustrate the critical need for stringent code reviews, even at powerhouse firms like Microsoft. By dissecting these events, we highlight the profound interconnectedness and fragility of modern cybersecurity systems.
Accountability in cybersecurity takes center stage as we examine the necessity for robust regulatory measures and the economic consequences of frequent tech disruptions, particularly in sectors like airlines and transportation. We discuss the loss of goodwill that accompanies such crises and the imperative for companies to responsibly manage their cyber needs. As the conversation pivots to investment strategies, Clem Miller shares his skepticism about a particular sector and his preferred investment avenues, offering valuable insights for our listener-investors. Join us for this eye-opening discussion on the intricacies of cybersecurity and its far-reaching impact on our world.
Imagine a world where the very companies hired to protect us from cyber threats inadvertently cause massive disruptions. Today, Steve Davenport and Clem Miller discuss the staggering irony of a global IT outage ignited by a faulty software release from cybersecurity giant CrowdStrike. This episode promises to reveal the vulnerabilities in our digital infrastructure, using historical incidents like the SolarWinds and Target cyber attacks to illustrate the critical need for stringent code reviews, even at powerhouse firms like Microsoft. By dissecting these events, we highlight the profound interconnectedness and fragility of modern cybersecurity systems.
Accountability in cybersecurity takes center stage as we examine the necessity for robust regulatory measures and the economic consequences of frequent tech disruptions, particularly in sectors like airlines and transportation. We discuss the loss of goodwill that accompanies such crises and the imperative for companies to responsibly manage their cyber needs. As the conversation pivots to investment strategies, Clem Miller shares his skepticism about a particular sector and his preferred investment avenues, offering valuable insights for our listener-investors. Join us for this eye-opening discussion on the intricacies of cybersecurity and its far-reaching impact on our world.
Straight Talk for All - Nonsense for None
Please check out our other podcasts:
https://skepticsguidetoinvesting.buzzsprout.com
Clem Miller:
Hello everybody and welcome to Skeptic's Guide to Investing. I'm Clem Miller. I'm here with my co-host, Steve Davenport. Global shortage, a global outage in basically the entire IT framework of the world hence global that arose from the uploading of some faulty software. So let me explain what happened and then we can talk about the implications. Know the implications and you know thinking about this from a practical and a philosophical basis as well. So you know, just you know, cyber attacks have been an issue increasingly over the last 10, 15, 20 years and, as such, there has grown an industry, the cybersecurity industry, which provides various kinds of contract services to businesses to try to prevent cyber attacks or to protect machines and networks and so on from cyber intrusions. You might remember going all the way back decades the Norton antivirus software and the Kaspersky lab antivirus software. You recall all that. Well, those are the beginning efforts to deal with cyber intrusions, and that whole industry has evolved. And so you've got a number of companies that are out there CrowdStrike, fortinet and others that are big providers of cybersecurity solutions of various kinds. They all have different niches. Some are focused on the individual endpoints, which are the machines that you and I have on our desks either at home or at work. Some are network solutions providers at work, some are network solutions providers. They're they're involved in trying to protect uh networks and uh and uh the cloud inputs, and so rely on these outsourced cybersecurity suppliers to provide their services, their cybersecurity services.
Clem Miller:
A few years ago I think it was 2017, maybe you had a pretty significant Russian cyber attack that affected a company called SolarWinds, and SolarWinds had a software called a business software called Orion, which was used by a number of information services companies and other kinds of companies, and so that cyber attack went in through, in effect, the back door of this Orion software and affected computer systems, worldwide software, and infected computer systems worldwide. So that was sort of the first thinking or first indication that you could have cyber attacks that came in through, in effect, the information supply chain, that is, a contractor would be infected and then that virus would then spread to that contractor's customers, and so you had that with with SolarWinds. Now you have, with this latest incident involving CrowdStrike, something that's even weirder. It didn't involve a cyber attack. It didn't involve a cyber attack? No, it did not, but what it did involve was cyber attack.
Clem Miller:
Crowdstrike created its own software called Falcon, and this was cybersecurity software, but it accidentally put some errors. It accidentally released it with some errors included in it and uploaded it, and these errors proliferated across all of CrowdStrike's customers and basically locked up machines, especially Microsoft machines. Not all Microsoft machines, but a lot of Microsoft machines were impacted and, for some reason or another, microsoft, they just relied on CrowdStrike and just assumed that CrowdStrike was doing the right thing. And what actually happened was that Microsoft they didn't check what CrowdStrike was doing or offering them. You would think they would. They're a huge company with lots of programmers.
Steve Davenport:
Well, that's what I kind of think that CrowdStrike might be taken out to the woodshed, and I'm not sure that Microsoft shouldn't be taken out as well. And I'm not sure you can blame it all on one upload and say, oh well, they had this line of code that was bad. I didn't have any kind of verification as to bad code potentially and therefore I I am completely at the whim of whatever you give me. I'm not sure that's how the largest software company in the world should react.
Clem Miller:
No, absolutely not. But they're getting a free lunch here, aren't they Right? That is the heart of the problem. The heart of the problem is that you don't have this redundant review. My son is involved in, you could say, software development in a particular industry, very software intensive, and they do all sorts of code review before they release something into the wild, so to speak, and that should have been done in this case. And that should have been done in this case, there should have been some code review by, not just by CrowdStrike itself, but by its customers, especially Microsoft, and that would have prevented these issues.
Steve Davenport:
no-transcript, that's in production. Microsoft can't suddenly say, okay, everything's stopped. We're going to evaluate the new code from CrowdStrike. I mean, do they get the code ahead of time and have the ability to evaluate it before it goes into production, or do they get it the same time everybody?
Clem Miller:
else does? I don't know. I think that's an excellent question. My guess about that is that CrowdStrike won't want to release its IP to its clients and, as a result, the clients have to basically trust their suppliers, their cybersecurity suppliers. And so I mean, basically, the irony of this whole thing is that Microsoft and other companies are relying on cybersecurity suppliers to protect them against cyber attacks and yet expose themselves to problems with these cybersecurity companies that result in the same damage as a cyber attack would. That's the whole irony to this whole thing, which I think raises the philosophical question.
Clem Miller:
Steve, quite apart from all the practical details about code and whatnot, the practical details about code and whatnot, it raises the philosophical question of whether our society and the economy is becoming too interconnected. And when you consider the fact, I mean think about Target. A few years ago, you know, Target was the subject of a cyber attack that came in through the HVAC system. An HVAC supplier was infected and that HVAC supplier came in through the HVAC supplier and infected Target and stole all sorts of financial information from Target. So you know who would have thought right. And then you've got these internet of things. Everything is beginning to get connected to the internet. Uh, you know, you've got all sorts of things around that are, uh, that are now connected to the internet. I'm sure many things that we're not even aware of, right, Our inner are, are connected to the internet. Um, so, and those things are, potentially any, anything that's connected to the Internet is potentially subject to be to having problems, either through a cyber attack or through bad software uploads. So you know, that's a potential problem and I'll make it even more scarier for you, Steve.
Clem Miller:
So there's something called, there's something called SCADA software. You ever heard of SCADA software Supervisory control and data acquisition, Supervisory Control and Data Acquisition? Supervisory Control and Data Acquisition that's a fancy term for the fact that industrial facilities, railroads, transportation facilities, utilities, all can be remotely controlled through these remote control computer systems, where you can basically sit at a desk in Hawaii and run a utility in Georgia and using this system. But if the SCADA system is infected, especially if it's something called remote execution software, Somebody could come in, take over, just not even gum it up, but take over the entire operation of whatever it is you're trying to control from Hawaii, right, Whether it's a utility or a train or whatnot. You could run the trains off the tracks. You know there have been instances where utilities have started to put in too much chlorine. Have basically….
Steve Davenport:
What about the train accidents in Ohio? Maybe?
Clem Miller:
I mean, I can't imagine a company would admit to being compromised so they would just take the you know there was a mistake and move on and not want to share that. I guess what's the obligation of these companies going to say, steve, and I'm glad you raised it because recently the SEC said that in their risk factor disclosures in their 10 Ks, companies now have to, are now required, to talk about cybersecurity, and on top of that they're supposed to make interim filings within a certain number of days after a cyber incident has occurred. Now I don't know whether that includes incidents involving the cybersecurity providers, but it does involve having to notify about significant cyber intrusions. And so there is now a requirement, and I know that companies are starting to report.
Steve Davenport:
I want to say it's within four business days I saw something about that, but I, I again, I, I can't imagine that their filings are going to provide any kind of detail, because if they did, then they open themselves up to lawsuits for negligence and performance , at four days after.
Clem Miller:
How much are you going to know really?
Steve Davenport:
I think these companies know a lot on day one and they don't you know, necessarily share it as as as well as they should. So as a business opportunity, I look at this and say who's the competitor, who's going to benefit the most from this? I understand that Sentinel is a smaller competitor. Look, when I was working for State Street, there was a lot of talk about how they had a backup outside of this grid so they could move and take location If something compromised the grid. They could relocate and be able to operate distinctly in several locations in several regions of the world. And one of the things they always said was well, we try to have multiple vendors so that we can not be tied to one if something goes down or goes
Steve Davenport:
wrong.
Steve Davenport:
But then during COVID and everybody trying to cut costs and improve streamline, a lot of people said we've got to isolate and become more central on one because we just can't spend the money on this. And I look at this and say there really shouldn't be one cyber vendor. If you've got what I would say critical operations, which would be utilities, trains, transportation, those should have a different cybersecurity software than the average person who's sitting at a desk at home. I don't imagine that there is the same areas of expertise. So I guess I would say I think that we may have gone too far in the general interconnectedness of things. I think we have to start to say from the national security interest.
Clem Miller:
I think the military needs to be on its own network and have its own equipment. So the military generally is on its own equipment already.
Steve Davenport:
So generally speaking, If I wanted to move things on the trains, I could imagine that I'm a military. I got to move 16 Sherman tanks over to Mexico.
Clem Miller:
Yeah, You're.
Steve Davenport:
You're reliant on the, on the normal train system there is an interconnectedness of which we cannot Correct, correct, and so what I'm trying to do is say where do we draw the lines? The lines have to be drawn.
Steve Davenport:
You are in free business and you are like, are airlines really a business or are airlines really a more regulated form of a utility?
Steve Davenport:
I mean, I think airlines and finance are both on the bottom, are on that edge that you could easily see them because of their absolutely horrible performance in being able to judge and take care of consumers on a regular basis. I think that finance is going in that same direction and I think that when we look at I'm not saying we should socialize everything, but there are certain parts of this that I'm not sure remain in the truly free business area because they just don't perform on a regular basis. They have regular problems with the ideas of how to operate safely for the consumers, to give them a consistent product. And I think that you know both finance and transportation kind of go into that bucket and then you start to say, because they have a national interest, we need to do something to make sure their security is greater than you know. Military is the top of the pyramid. The next two are utilities and maybe energy infrastructure, and then maybe we go to transportation and educational institutions.
Clem Miller:
So, on cybersecurity, you know if I think you know you've got sectors that are highly regulated in this country and in many countries. If they're not highly regulated, then they're actually owned by and managed by governments themselves. Cybersecurity is an area which is lightly regulated, if at all is lightly regulated, if at all. What happens with cybersecurity is that the resources that governments provide in terms of cybersecurity are aimed at helping rather than regulating, and perhaps that needs to change. .
Steve Davenport:
I don't by than regulating intending to help is you've got this agency within Homeland Security called the Cybersecurity and Infrastructure Security Agency, cisa, which I assume is pronounced CISA or CISA, and CISA is an agency that provides guidance to industry, runs some interagency forums or some intercompany forums, provides antitrust protection against companies or for companies within industries that work together on cybersecurity problems. And then you've got NIST, the National Institute of Science Technology, which provides technical standards for cybersecurity. So those are ways of trying to help industry protect itself. .
Steve Davenport:
they put the National Center for Military viewed. How do Macon, georgia, and I think it's important that we have some type of recognition that, hey, the military's cyber needs are different than the commercial needs. And I guess that's what I'm saying is that it almost feels like we tried to take a commercial application, apply it to airlines and trains and this example of how interconnected and potentially fail you know, non fail safe they became really. I mean, let's talk about Delta, yeah, delta, for some reason. I mean I don't really know if this is true, but it feels to me like these companies are still running applications on mainframes that they've just had forever and when something happens like this, nobody knows how to go in and get the code right. Nobody knows how to go in and get the code right. And I look at Delta and I say how is a stock if United and American are back in
Steve Davenport:
scheduling okay, and one day, and you're in day three or four and you're still not sure. I mean, I got to imagine that we've, you know, there's been a failure, houston, we need to rectify this.
Steve Davenport:
I'm surprised at how Delta can be. You know, how do the analysts look at this? Because to me, if an analyst looks at a company and says, well, their weakness is that at any time there's a cyber problem or tech problem, it takes them two or three times longer. Well, I mean, that means there's something inherent in their infrastructure that's not being well handled. Therefore, they're not spending enough resources or they're not spending the resources well, they should be marked for that, and I'm not sure the market can figure all these things out, but I don't know who will. But somebody needs to right. I mean, do you want to invest in a company that continuously has more problems with their technology? No, at this point, I don't know. Do you own any of the airlines? No, all right. Do you own any of the airlines? No, all right. Do you own any transportation?
Clem Miller:
No. Okay, so I mean economic activity in the country are pretty closely linked and these companies help keep the trains moving, the boats moving into basis goods being moved. And I look at this and say, you know, something needs to change in order to make these people more accountable. Because, just you know. And then I said Delta is now, you know, refunding the payments for these flights that all got delayed. And now people are saying, well, what about my hotel and what about my loss? You know how do we measure lost productivity? For two or three days, people were sitting in you know airlines and sitting in airports. That's something that has to be, I think this whole. If you make the penalties large enough, people will economically be incented to come up with better solutions, won't they?
Clem Miller:
Absolutely. I mean, it feels like we've got it has to be regulated better. Okay, the airlines have to be regulated better on a financial um, you know, to deal and to deal with cyber security. There has to be greater regulation of cyber security in general, not just airlines, but across the board. There needs to be stronger cyber security regulation, with violations, uh, punished, and you just don't have that. Yet in the US You've got agencies help, that do help, but it's all like carrot and no stick in the US as far as cybersecurity is concerned.
Steve Davenport:
mean I saw some estimates of $4 billion being the impact and the CrowdStrike could take most of that hit and their whole revenue for a year is $4 billion. So I'm not sure how they come out of this, whether some of the CEO, or? When we saw the CEO's response, his comment was you know, we add to our goodwill drop by drop and then when we have an event like this, the goodwill goes away in buckets. Goes away in buckets. I think that this is an example of how we need to be a little more as analysts for companies. We need to look at them in terms of how do they perform in these crisis type situations, just as how you look at how they perform in day-to-day, quarter-to-quarter. What are their earnings, what are their revenue? We look very closely at some things. What are the earnings, what are the revenue?
Steve Davenport:
you know, we look very closely at some things, but some things we just kind of give up to that idea.
Clem Miller:
You can't quantify it. Yeah, I mean, what we say, if we can't quantify it, then it doesn't exist, or or you know, we don't need to come on it's not that it doesn't exist we don't need to point.
Steve Davenport:
we don't need to, that's the point. We don't need to consider it. We're just not like, even if we did a 500, you know, even if we did 200 million, put some number against goodwill. Isn't this where goodwill comes in, Badwill also?
Clem Miller:
comes in, doesn't it, claude? Yeah, yeah, and this is what diversification is for in a portfolio, in part as well. Wow, to diversify.
Steve Davenport:
Your diversification is to not own any of them right. That's not. You don't agree in de-worsification De-worsification right so.
Clem Miller:
No I mean I don't like so much to be in, I don't like so much to be in certain heavily regulated industries. But I get there from sort of the backend, by looking at results and I think we're talking about whether to be in the cyber stocks.
Steve Davenport:
Yeah, so I'm. I'm saying you know it's, it's not a free lunch. When they say, oh, look at these multiples, look at their growth rate, look at this, you know, and I'm like, okay, but the more they grow, the more they open up the possibility that they're impacting another industry in another place where there could be liability right, right, and they could be growing too fast and not paying attention Right.
Steve Davenport:
So I think we want to wrap up this crowd strike, and I guess I would say want to wrap up this crowd strike and I guess I would say from my point of view, it's not always as it appears. I think that there's some responsibility here for Microsoft and I think there's probably responsibility for the companies and the industries that didn't do a good job of diversifying their cyber needs such that they have some fail-safes and some things in place that would prevent them from exposing themselves to this much liability. I don't want them to have another three days like this. I think the stock should be even lower. So I think there's a question.
Steve Davenport:
When you get into these is okay. I understand when everybody's safe and you've collected the regular revenue of a subscription model, but I also understand when there's a wide open event that could impact many industries and you're ultimately going to be held responsible. I almost think that the legal areas should be that there's responsibility. The minute you take someone else's code and put it to work, it doesn't necessarily have to mean that they're still responsible. So if your codes don't work with their code, then therefore, I think you still would take on a little bit of that responsibility. How do you view this and what's your perspective on?
Clem Miller:
it. I think a lot of work has to be done in companies and at the government level, both in the United States and around the world, to really amp up cybersecurity, and not just providing resources, but in terms of having strong regulations that would impose severe penalties and reputational damage on companies that aren't living up to code, so to speak. Right, right, um, I think that's the uh, that has to be the answer, uh, and it can't just be oh, it's a black swan, let's forget about it. Right, we can't measure it because it's not a black swan. You know the timing might be a black swan, but the issue is not a black swan. You know the timing might be a black swan, but the issue is not a black swan. We know the issue is out there and we know the issue is one that's going to be with us, and with us increasingly. Yeah, I mean, this is a shoot yourself in the foot type of event.
Steve Davenport:
Like you said, there wasn't some clever, you know, cyber criminal who outsmarted all the people at CrowdStrike. This was. This was self-inflicted. Therefore, I'd say that there, if it was in there, if it was within their control and it was in Microsoft's control to make sure something should have been done differently, these people shouldn't have suffered this. Something should have been done differently. These people shouldn't have suffered this kind of three-day barrage of inconsistency from technology, because I just thought we were going into the AI age, where things were going to be done better, and this just makes me question whether that AI is going to ultimately contain more bugs than less bugs.
Steve Davenport:
I'm a little skeptical, glenn, I don't know how you are, but you seem to have found the solution, which is to not invest in this area. You've given us your skepticism by showing us where you put the money. I think they Thank you everybody for listening and we appreciate it. Your skepticism by showing us where you put the money Right. I think they thank you everybody for listening and we appreciate you, and we hope that you enjoy this and, if you do, please download, like and share with others. Thanks and have a great day.
