Why the CrowdStrike debacle should be a warning to policymakers and Americans

The CrowdStrike debacle has highlighted the potential for cyberwarfare to disrupt and disable critical infrastructure, and the need for a more proactive approach to cybersecurity in order to protect against such threats.

In the hurricane of political news over the past several weeks, it probably isn't surprising that one of the biggest things to happen this year didn’t get as much coverage as it might otherwise.

The CrowdStrike debacle is the story that everyone in Washington, and back home, should be talking about. But they aren’t. Too many people are dismissing it as simply an accident or a mistake. It was described as a “major inconvenience.” It was certainly all of these things. And, per the company responsible, it was apparently not a cyberattack or linked in any way to nefarious behavior.

So, it was an accident, and not, say, an act of war. But let’s be perfectly clear: We just got a really good look at what the next war could be like.

Eighty years ago, our grandparents and great-grandparents dropped bombs almost every single day on Nazi Germany. Later, we firebombed Tokyo and dropped two atomic weapons.  We did all of that, yes, to win World War II. But more specifically, we did it to eliminate the Axis Powers’ ability to make the things needed to fight the war — tanks, airplanes, guns, fuel and food — and to undermine their citizenry’s desire to keep fighting.

Today, one doesn’t need bombers or aircraft carriers to do either of those things. Indeed, one doesn’t even a government. 

The day of the CrowdStrike breakdown, I was driving from Milwaukee to Chicago.  When we stopped to get gas, there were signs up saying that the pumps weren’t accepting credit cards. The station was taking cash only. But if you didn’t have cash — and how many people carry enough cash these days to fill up at the pump? — you waited. You sat and you waited. And you did that until the pumps were fixed, or someone could come pick you up.

How different is that outcome — no gas — from someone blowing up an oil refinery with a bomb? Sure, the recent outage was a short one. But what if it hadn’t been? 

We got a hint of what that looked like during the hack of one of the major east coast gas pipelines back in 2021. There were gas lines, shortages and price spikes.

Our world is so dependent on the internet today that just about everything we do has some sort of vulnerability to outside malignant actors. The CrowdStrike outage affected gas stations and hospitals. Schools have been shut down by cyberattacks. Even the ability to get drinking water out of your tap, and flush your toilets, has been targeted.

An adversary could shut this country down in either of two ways. But bombing us back into the 19th century costs a lot of money, takes a lot of time, and risks a brutal response.  Why not just stand off at a safe distance — literally anywhere in the world — and accomplish the exact same end using cyberwarfare? 

Cyber is a central piece of modern asymmetrical warfare. It is cheap and can be ruthlessly effective. In the 1980s, asymmetrical warfare meant using a $200,000 Exocet missile to sink a $50 million British warship during the Falklands War. Today, it might mean using a $2,000 laptop to hack into a satellite system and turn an $11 billion aircraft carrier into a dead piece of floating metal. Not as dramatic, perhaps, but the end result would be stunningly similar.

It has been axiomatic throughout history that great powers are always fighting the last war, not the next. France fell into that trap in the 1930s, erecting the Maginot line in an attempt to prevent a repeat of the dynamics of the First World War. And when it was conceived and built, that made sense. But just a few years later, when war broke out, it looked very little like it did in 1914. Trucks and tanks and airplanes changed things. And the Nazis simply went around, and over, the Maginot Line.

America faced something analogous in Vietnam, when all of its experiences from World War II proved less valuable than anticipated in dealing with guerilla warfare.

That isn’t to say that the U.S. is ignoring the cyber threat. Certainly, both the Pentagon and Capitol Hill recognize the risks we face. But when it comes to defense, Washington still talks in terms of numbers of naval surface vessels or operational fighter aircraft. It still talks about “defense spending as a percentage of GDP.”  Those are critical to, say, projecting power in the Pacific. But what would we do if, in response to future bellicose warnings regarding Taiwan, China simply threatened to wipe out the records of everyone’s 401(k)? We could spend all the money in the world on weapons, and it wouldn’t protect us against something like that.  

The CrowdStrike incident must be a warning, not just to policymakers and strategists but to ordinary Americans as well. With technology, anything that can happen by accident can also happen on purpose. And we cannot afford to be fighting the last war.

Mick Mulvaney, a former congressman from South Carolina, is a contributor to NewsNation. He served as director of the Office of Management and Budget, acting director of the Consumer Financial Protection Bureau and White House chief of staff under President Donald Trump.