by
Jakub
Porzycki/NurPhoto
via
Getty
Images)
“Cause
the
players
tried
to
take
the
field
The
marching
band
refused
to
yield
Do
you
recall
what
was
revealed
The
day
the
music
died?”
—
Don
McLean,
American
Pie
That
musical
metaphor
was
painfully
apt
on
November
18,
when
my
own
digital
world
temporarily
went
silent.
On
that
day,
I, like a
lot
of people,
experienced the
outage
of
several
LLM
tools
like
ChatGPT
and
Claude. At
first,
I
didn’t
think
all
that
much
about
it.
But
there
are
some
real
lessons
here
about
technology
and
reliance
on
it
we
should
all
heed.
The Day
It
Died
(Temporarily)
November
18
started
like
any
other
day.
I
was
up
early
to finish
some
articles
to
meet
a
deadline. I
was
in
the
middle
of doing
so and
needed some
information to finish them.
I
figured
that
information
would
be
easy
and
quick
to
get from
ChatGPT so
I
had procrastinated doing
the
work.
Just
what
I
needed: when
I
opened ChatGPT on
my
laptop,
I got
some
strange
message
about
my credentials being
invalid.
My immediate reaction
was
yikes!
I checked my
phone
and
was
able
to
open
ChatGPT
on
it.
I explained the
problem to
ChatGPT
hoping
for
some
solution.
We
went
through
about
45
minutes
of
instructions
on
how
to
change
various security
settings
on
my
laptop,
none
of
which
worked,
of
course.
What
wasn’t
suggested
was
that
there
was
an
outage
and
hang
tight
for
a
bit.
Of
course,
we
all
later
found
out
the
outage
was
caused
by
a failure of
something
called Cloudflare. What Cloudflare does
is
protect
its
customers
which
are
many,
not
just ChatGPT, from
malicious
security
attacks
like credential
stuffing,
cross-site
scripting,
SQL
injection,
bot
attacks,
and
API abuse.
When it failed,
it
blocked
access temporarily to
many
of
its customers
like ChatGPt and
Claude
sites.
The
outage was
corrected and
most
of
us
went
about
our
business.
But
for
the
deadline-driven and
exacting
business lawyers
and
legal
professionals
are
in,
it’s
right
to
hit
pause
and understand
what
actually
happened.
And
in
doing
so,
there
are
a
couple
of
lessons
not
just
for
ChatGPT
and Cloudflare but
for
the
rest
of
us
as well.
Lessons
about cybersecurity
and reliance
on
technology.
So
What
Happened?
One
of
the
most
astute
observers
of
the cybersecurity scene
is the
journalist
and
investigative
reporter Brian Krebs.
He writes a blog called Krebs
on
Security.
It’s
a
blog
worth
reading
on
a
regular
basis
since
it brings
the myriads of security risks
we
all otherwise
unknowingly
face
every
day. He
talks regularly about
security
incidents,
cyber-attacks,
vulnerabilities,
and
related
threats.
In
his
post
on November 19,
Krebs
talked
about
the
outage.
The
post
was entitled The Cloudflare Outage
May
be
a Security
Roadmap. The
title
itself
suggests
why
we
need
to
be
a
little
cautious.
Krebs provides
a
timeline
for
the
incident
which Cloudflare
described
as
“an
internal
service
degradation.” Cloudflare and
Krebs were quick
to
point
out
that
the
outage was
not due
to a
cyberattack
or
any
sort
of
malicious
activity.
But
that
doesn’t
mean
the
incident
didn’t
have
some
significant security
wrinkles.
The
Outage
Impact
So you
say,
so
what? The
system
failed
but
people
couldn’t
access
the
LLMs
anyway.
Not
so
fast, according to
Krebs. Like
me
with
my
cell
phone,
lots
of
people
were
still
able
to
access
tools
like
ChatGPT
with
workarounds, particularly those
with
some
knowledge
about
how
to
do
it
(which
was
not
me,
I
just
got
lucky).
Since Cloudflare protects
not
just
ChatGPT
but
a
whole
host
of entities, that
means
there
were
a
lot
of
folks
exposed
during
the
limited
time
of
the outage.
And many
of
these entities
themselves
pivoted
away
from Cloudflare during
the
outage so
their
sites
remained
accessible
to customers
and
others.
This
created
a
window
of opportunity for bad
guys that
were previously kept
at
bay by Cloudflare.
The
bottom
line,
if
the Cloudflare customers
relied only on
the Cloudflare protections
and
didn’t
have adequate back-up
protections, they
and their
customers
were exposed, and
they
need
to check to
see
if
they
were
attacked during
that
time
period.
So….
Two
lessons for the
rest
of
us.
First,
when
it
comes
to
cybersecurity,
you
need
to
have double or
even
triple
protections.
The problem with technology is
that
it
can
fail
and fail quickly
and
in
unpredictable
ways.
I
can’t
tell
you
how
many
times
I
have
stood
up
to
give
a presentation only
to
have
the
technology
I
was
going
to
rely
on
fail.
I learned a
long
time
ago
as
a
trial
lawyer
that
when
you
are
going
to
present
evidence
to
a
judge
or
jury,
you
need
to
have
several contingency plans.
The
same
is
true
here.
Remember
the
concept
of a belt
AND a
pair
of suspenders. When
it
comes
to cybersecurity, maybe
it’s
belts
and pairs
of suspenders.
Second
lesson.
We
need to
think before
we
become
overly reliant on
any
technology but
particularly
GenAI.
Why particularly GenAI? It’s
getting significant publicity
and
traction
anywhere
and
everywhere
these
days.
The revolutionary
potential
of
it
has
us
all salivating as
we
picture a
changed
world.
That
may
be
so.
But
it’s
still
technology
that
can
fail
—
fail unpredictably and spectacularly.
The Cloudflare outage
didn’t
impact
me all
that
much other
than
some inconvenience.
I
got
the
research
I
needed
in
old-fashioned ways.
It just
took
longer.
But
if
I
were
sweating
a
filing
deadline and
had
no
back-up
plan,
the
result
could
have
been catastrophic. As previously
written, let’s pause and
get
a
reality
grip here. To
take vendor promises
with
a
grain
of
salt.
For
a
whole
host
of
reasons Melissa
Rogozinski and
I discussed in
a
several recent Above
the
Law
articles,
the
promises
don’t
always
match
reality.
As discussed before, the
margin
for
error
in
law
is
exceedingly
small.
And
the
impact
of
error
is exceedingly large.
That
means
we
can’t
be
complacent
about
technology,
especially one
seeming
capable
of
doing
so
many
things
that
were
previously
done
either
by
people
or
various
technologies.
That
meant
failure
of either a human
or one
piece
of technology would not be quite
as
impactful
as
the potential failure
of
an
LLM that
does
so
many
things.
We
need
to
all
remember
that
as
we
rush
to
wholesale
adopt
GenAI
in
our
work
and
everyday
life.
Let’s
Not
Forget
the
Day
the
Music
Died
Don’t
overrely on
GenAI
or
any
tech
for
that
matter.
Have
back-up
and
contingency
plans.
Don’t
fall
for
the
idea
that any
tech,
just
like
any
human,
can’t
fail
from
time
to
time.
That’s
the
nature
of
tech. It
doesn’t
mean
we
don’t
take
advantage
of
it,
it
means
we
do
so
with
eyes
open.
Let’s
not
forget
the
day
our
tech
music
died.
Keep
playing
American
Pie
in
your
head. And yes, if
the
song
is in your
head
today,
you
can
blame
me.
Stephen
Embry
is
a
lawyer,
speaker,
blogger,
and
writer.
He
publishes TechLaw
Crossroads,
a
blog
devoted
to
the
examination
of
the
tension
between
technology,
the
law,
and
the
practice
of
law.