
Case in point: taking stock of the CrowdStrike outages

by admin

“The big vendors aren’t going to have 5,000 different contracts with 5,000 different customers,” she says. “In some cases we can push contract clauses and say, ‘You’ll send us a SOC 2 report every year and you’ll attest you have all these controls.’ And they might sign and say yes, but you won’t really know. There’s only so far you can go with due diligence.”

What the CrowdStrike incident has done is highlight the need for better government assistance, she says.

The Association for Computing Machinery says there is already an organization uniquely positioned to investigate the incident and publish its findings: CISA’s Cyber Safety Review Board. In its statement, the ACM urged the US government to give the CSRB the resources it needs to take on this investigation. That would have been nice, but instead the Department of Homeland Security just disbanded it, citing “misuse of resources.” The AI Safety and Security Board was also disbanded. That is a particular problem because, just as with CrowdStrike, there is a growing dependence on a small number of vendors. OpenAI’s ChatGPT, Anthropic’s Claude, Google’s Gemini, and Meta’s Llama are the foundation of nearly all enterprise AI applications, says Chuck Herrin, field CISO at security firm F5.

“Our rush to adopt AI without corresponding investment in security and resilience suggests we’re setting ourselves up for potentially catastrophic failures that could make the CrowdStrike incident appear minor in retrospect,” he says. “The CrowdStrike incident required physical access to affected systems for recovery, yet organizations are now creating AI dependencies so deep that manual intervention may become impossible.”
