The Stock Exchange and United Outages Weren’t Hacks, but They Were Just as Scary

A trader on the floor of the New York Stock Exchange during Wednesday’s outage.

Photo by Lucas Jackson

On Wednesday, a 1 ½ hour–long reservation system failure grounded United Airlines flights, the New York Stock Exchange was down for almost four hours, and the Wall Street Journal’s website suffered intermittent outages. At an intelligence committee hearing that afternoon, Sen. Barbara Mikulski firmly told FBI Director James Comey, “I don’t believe in coincidences.” But no matter how hacklike the situation seemed, all three companies and law enforcement have been adamant that bad actors were not behind the failures. And that’s just as scary.

A United representative told the Los Angeles Times that a router issue had “degraded network connectivity for various applications,” causing the company’s system problems. And after consistently but opaquely claiming that there weren’t bad actors behind the stock exchange outage, NYSE said in a statement Thursday that a software update was to blame. “As is standard NYSE practice, the initial release was deployed on one trading unit … [but] there were communication issues between customer gateways and the trading unit with the new release.” NYSE attempted to correct the problem, but this caused new complications, and “the decision was made to suspend trading.” The Wall Street Journal is still investigating the cause of its outages, with some speculating that heavy Web traffic brought the site down.

Between the Office of Personnel Management hack and the breach at Sony, the idea of large-scale malicious cyberattacks has become markedly more real for consumers in recent months. But Dave Chronister, who founded the cybersecurity firm Parameter Security and formerly did IT management at financial institutions like A.G. Edwards, points out that there doesn’t have to be a bad actor on the other end for something to be a cybersecurity problem. “We’re in a hypersensitive time right now where everybody’s worried about the malicious attacker, but the chances are you’re going to have a lot more incidents like [those Wednesday] than actual attacks,” he said. “These were security incidents. The systems went down. It didn’t matter that it wasn’t an attack.”

Faulty routers and software updates may not sound like they could take down huge networks, but on an industrial scale, there’s ample opportunity for things to go wrong. “A lot of times the big corporations don’t even have visibility into their networks 100 percent because of the ways the networks came together,” said Jeffrey Stutzman, the co-founder of threat intelligence analysis firm Wapack Labs and the CEO of cybersecurity intelligence consortium Red Sky Alliance. “Their security tools may not be able to see everything.”

Stutzman notes that as companies evolve, change leadership, and acquire other companies, their networks go from complicated to almost absurdly heterogeneous. And for systems that need to be operational every day (24/7 in the case of an airline), there’s no time when big chunks of the network can go offline to be reorganized and strengthened. “A business unit president reports directly to a corporate CEO, and they’re measured on performance, they’re not measured on network hygiene,” Stutzman says.

The idea of network fragility may be new to consumers since tech companies (not just Apple) have always tried to give the impression that computers “just work.” But the IT directors managing critical infrastructure know how complicated it can be to run large-scale networks and attempt to implement improvements. “It is quite nerve-wracking when you go to apply an update … and then you’re waiting for three minutes for it to reboot. It feels like it takes an eternity,” said Jonathan Pollet, founder of Red Tiger Security, a group that specializes in doing network security evaluations of industrial systems like power plants and refineries without destabilizing their critical networks.

The systems we interact with all the time, whether it’s an airline ticketing interface or a stock exchange, have evolved in such a piecemeal way, and with so little reprieve, that they inevitably have problems. “It’s like the perfect storm now,” Pollet said. “You have systems that do not have the required amount of redundancy or the required amount of security connected to the Internet, which is full of randomness.”

And though three outages in one day may feel like too much of a coincidence to be chance, it makes perfect sense to security experts. “I can’t emphasize enough how many issues you can run into even in the best scenarios,” Chronister said. “Unfortunately a lot of people would look at this and say this is not a security issue, and that’s the problem right there.”