One bit of good news about the “epic IT crash” that brought the western world to a temporary standstill is that it was a product of human error rather than a Russian cyber-attack like the SolarWinds hack of 2020, which had a similar modus operandi.
Last week’s outage was caused by an update that a big US cybersecurity firm, CrowdStrike, pushed to its corporate clients early on Friday morning, which conflicted with Microsoft’s Windows operating system, rendering devices inoperable – with predictable consequences, given that virtually every large organisation in the world is using Microsoft Windows.
Fortunately, fixing the problem turned out to be straightforward, though tedious, which will doubtless lead people to think of it as a hiccup rather than as a dry-run for something much worse. After all, if a single error by a single tech company can cause this much disruption, imagine what a determined adversary could do. Just as the pandemic forced us to confront the limitations of the global supply chains that had been created to improve efficiency rather than resilience, this CrowdStrike mistake should trigger a reappraisal of our networked world.
One question to be pondered concerns the societal risks of industrial consolidation in the tech industry. CrowdStrike is one of the largest companies in the cybersecurity market. Microsoft has a stranglehold on the business computing marketplace. Every large organisation runs Windows, and most small businesses do, too. Add the pressures that governments, agencies and the National Cyber Security Centre are putting on companies to improve their cybersecurity, which leads them to sign up for tools like CrowdStrike’s Falcon, and we have the potential for the kind of perfect storm we witnessed last week.
Most businesses run on Microsoft Windows, so corporate computing is basically a monoculture. This may be good for efficiency, standardisation, training, etc, but it is also bad for resilience if anything goes wrong.
Industrial consolidation also highlights the “attack surface” that hackers seek. If there are a handful of large cybersecurity companies supplying, and regularly updating, millions of desktop corporate PCs, then those supply chains constitute a surface with attractive potential for massive disruption. This is what the SolarWinds attack vividly demonstrated: important US government departments (homeland security, state, commerce and treasury) were affected, as well as corporations such as FireEye, Microsoft, Intel, Cisco and Deloitte.
There are lessons to be learned from this fiasco. The obvious one is that, while regular automated updates of security software are invaluable, there should always be a phased rollout of each update so that problems surface before they become catastrophic.
But what the CrowdStrike error has revealed above everything else is how fragile our networked world has become.
We have become utterly dependent on a complex web of technologies that few understand, created by an industry that seems indifferent to the consequences of its creations. We find ourselves in a new world, but it’s not exactly a brave one.