Microsoft operates an “open” operating system, allowing developers access to the core or “kernel” of its system under a competition policy agreement it reached with the European Commission in 2009 that gives security software providers the same level of access to Windows as Microsoft itself has.
That, and Windows’ dominance, may explain why Microsoft has been subjected to a series of cyber hacks in recent years. These hacks forced Microsoft to promise to overhaul its system’s security. Microsoft has said it will use artificial intelligence and automation to make its software more secure.
Part of the company’s challenge is the complexity of its business, which offers its products (including its market-leading cybersecurity products) via the cloud to companies with their own servers and via patches for legacy systems.
That, and the fact that the computers had to be online to receive the faulty update, explains why different businesses were impacted differently and even individual computers and other pieces of technology within those businesses responded differently.
What happened on Friday wasn’t, thankfully, a cyberattack but a mistake made by a developer with privileged access to the heart of Microsoft’s operating system, a level of access Microsoft might normally reconsider, although the legal implications – and CrowdStrike’s need for that level of access to protect its customers and its own anti-virus software – might complicate any effort to reduce that particular vulnerability.
CrowdStrike, which has grown rapidly and aggressively, might also need to examine its own processes and do significantly more stress-testing of the updates it sends routinely to its customers. Enterprise customers might need to think more deeply about whether writing increasingly large cheques to effectively outsource the protection of their own networks is sufficient.
In the global, interconnected web of different systems and software on which the modern global economy relies, with its global supply chains and just-in-time processes and real-time payments infrastructure, the stability and security of the relatively new digital architecture is taken for granted, until it isn’t.
Usually, as we’ve seen here with the Medibank and Optus cyber hacks, it is criminal activity that exposes the flaws in that architecture. The CrowdStrike episode is chilling because it highlights how a single, flawed, software update from a trusted source – one of a multitude that occurs routinely – can cause large parts of the global system to fail.
The global dominance of the Windows operating system and the dominance of the three major cloud providers – Microsoft, Amazon and Google’s parent, Alphabet – means that any mistake they make or distribute will have global ramifications.
Competition regulators may need to examine that dominance and the risks to competition and security it represents.
It might also be that companies need to consider reducing their reliance on single providers and investing more in backup systems so that they can continue to operate if the “Blue Screens of Death” ever reappear within their networks. Perhaps some thought will need to be given to old-school fallbacks that don’t involve IT systems.
The pandemic caused companies to rethink and redesign their physical supply chains, re-shoring or “near-shoring” critical elements. CrowdStrike’s software bug might, indeed should, force a similar re-evaluation of corporate and government systems’ vulnerabilities.
Artificial intelligence is seen as a potential aid to improving cybersecurity, improving systems’ ability to identify and respond immediately to cyber threats—even as some of those involved in developing AI products warn that it could represent a threat to humankind.
Friday’s global outage is a reminder of how dependent the world has become on increasingly complex and increasingly interconnected technologies, with data flowing through quite concentrated choke points including, increasingly, the cloud and AI providers.
Those represent potential points of global failure, whether generated by sloppy coding or something more malicious. AI might help strengthen the protections against such failures but could just as easily add new vulnerabilities.
The global technology ecosystem is so large and complex and vulnerable to human error or unlawful intent that it is inconceivable that it could ever be made completely secure.
It is, however, incumbent on the big tech companies on which the system rests to make it as safe and resilient as is practicable and to prioritise that objective over speed to market and profit. If they can’t, it is inevitable that governments will intervene to regulate their operations more closely.
CrowdStrike is now likely to be hit by a deluge of lawsuits and the loss of significant chunks of its customer base. Microsoft was already under siege from customers and governments for the previous breaches of its security. There are obvious commercial rationales for Microsoft, Amazon and Google, and the host of developers who work with them, to do whatever they can to avoid a repeat of what happened on Friday.