Outages at NYSE, United Airlines, WSJ.com expose digital vulnerabilities

July 8, 2015 4:04 PM PT

The outages came one after another: one of the nation’s biggest airlines, its largest financial news publication and its main stock exchange.

Wednesday morning’s spate of technological foul-ups grounded United Airlines flights, sidelined the Wall Street Journal’s website and halted trading for more than three hours on the New York Stock Exchange. Their successive timing ignited widespread speculation about hacking attacks and conspiracy theories about who might be responsible.

Government and company officials said the causes were more mundane and technical, but the shutdowns nonetheless raise concerns about the vulnerability of vital organizations that can be easily crippled by malfunctions or cyberattacks.

As the world becomes more connected, such events expose serious risks for countries, companies and individuals who depend heavily on fragile technology — often a mash-up of older and cutting-edge systems. Electricity grids, credit cards, social media, email, public transportation and GPS all have become indispensable to everyday modern life.

Sign up for our daily Today’s Headlines newsletter

“These are incredibly complicated systems. There are lots and lots of failure modes that are not thoroughly understood,” said Jeff Schmidt, chief executive and founder of JAS Global Advisors, a security consulting firm. “Because the systems act so quickly, you have this really increased potential for cascading failures.”

On most days, the Internet and the myriad systems it powers can be counted on to work well enough. But security experts say problems are inevitable, through hacking, human error, broken cables, buggy code or other unforeseen issues.

Technology will evolve and improve over time, but it will never be foolproof. What’s more important, experts say, is for organizations and individuals to better protect themselves against issues that are bound to crop up — an often neglected task.

Carl Wright, general manager of TrapX, a security-through-deception defense company, said much of the rapid deployment of new technology comes with little forethought about security.

Most companies today spend less than 10% of their information technology budgets on security, he said, and “sometimes, it’s as low as 6%. Not a lot of the money an organization spends on tech to create capability for their business goes to securing it. What we need to see is a major shift.”

One problem: The best security systems can be costly. In other cases, the technology is still struggling to catch up to plug the holes.

But organizations can play defense. Business continuity plans and relationships with regulators and law enforcement can lead to faster response times when problems arise. Building in redundancies — using two Internet service providers, for instance — can serve as a backstop when one system crashes.

Training programs can get employees up to speed on how to handle failures. At the higher levels, nimble management teams can quickly identify and respond to issues — difficult in large corporations and heavily regulated businesses.

One strategy growing in popularity is for businesses to invite hackers to look for security vulnerabilities and reward them with so-called bug bounties.

Many organizations rely on third-party vendors to help them prepare for outages. A slew of security companies have cropped up, introducing technology that replaces standard character-based passwords with images and even emojis.

The series of outages on Wednesday morning was an unusual occurrence, immediately prompting questions about a cyberattack.

Homeland Security Secretary Jeh Johnson said in a statement that “the malfunctions at United and the NYSE were not the result of any nefarious actor.” Both organizations cited technical issues for their downtime, which totaled 3 1/2 hours for the NYSE and about 1 1/2 hours for United.

A spokeswoman for the Wall Street Journal said its website’s outage was still being investigated.

Cybersecurity and the massive dependence on technology have also concerned lawmakers. On Wednesday, three of the nation’s top federal law enforcement officials strongly urged Congress and Silicon Valley to allow government authorities immediate, instant access to encrypted cellphones and other Internet devices.

The coincidental timing of that pitch — on the same day that the outages occurred — might bolster officials’ case that more stringent measures are needed to protect U.S. computers and national infrastructure from cyberattacks, despite objections from Silicon Valley.

On Tuesday, the nation’s top cryptographers criticized Washington demands for companies to alter their technology and allow law enforcement to secretly see and read what is being sent and received on cellphones and computers.

“Lawmakers,” the scientists warned, “should not risk the real economic, geopolitical and strategic benefits of an open and secure Internet for law enforcement gains that are at best minor and tactical.”

What changes occur at the governmental level remain to be seen. What is certain, however, is similar outages are bound to happen again, said Katie Moussouris, chief policy officer at HackerOne, a vulnerability and bug bounty platform.

“It’s impossible to create systems that will never fail,” she said. “So instead of setting everything up and hoping it won’t fail, we should be setting up systems that can respond quickly and gracefully to those failures.”

Twitter: @byandreachang, @traceylien

Times staff writer Christine Mai-Duc contributed to this report.

ALSO:

United blames system outage on router problem

What China’s bursting stock bubble means for the U.S. economy

It’s official: Latinos now outnumber whites in California