Keeping your system up to date is critical to protecting it from cyberattacks and other threats. But sometimes things go wrong, as happened late this week.
CrowdStrike, a cybersecurity company that protects businesses and users from cyberattacks, made a mistake, leading to a global outage. Users with Windows computers saw the “blue screen of death”, flights were suspended, banks went dark, and websites went offline.
“This was a software update that was pushed out to the company’s clientele around the world, but particularly those using Windows servers, and within a certain time frame,” Derrick Cogburn, a professor at American University, executive director of AU’s Institute on Disability and Public Policy, and faculty co-director of the Internet Governance Lab, told Mashable. “So it wasn’t just everyone using CrowdStrike, but a fairly sizable group of the community.”
Cogburn said this affected a connected network of companies that were simply trying to do the right thing and protect themselves and their users. But “when a vendor like CrowdStrike has a problem with an update, it can have repercussions across the industry globally.”
“As cybersecurity awareness has grown, more businesses and organizations have worked to protect themselves,” Cogburn said. “CrowdStrike is one of the best companies out there when it comes to protecting businesses and organizations from a variety of cyberattacks.”
Of course, this wasn’t a cyberattack (it appears to have been a bug in an update), but these are the same kinds of problems that could arise from a cyberattack. Because CrowdStrike has positioned itself as the leading company when it comes to protecting against cyberthreats, many companies have adopted its services. Cogburn argues that CrowdStrike does a good job of combating such attacks, but it made a serious mistake that caused widespread chaos. Too many companies are integrated with the same tool. When it fails, an entire global network of companies is affected.
How did a software update silence so many systems?
“The incident is a great example of the cascading failures that can occur given our relatively homogeneous systems that comprise the backbone of IT infrastructure,” Gregory Falco, a cybersecurity expert and assistant professor of engineering at Cornell University, said via email.
Rory Mir, associate director of community organizing at the Electronic Frontier Foundation, told Mashable that these digital systems can’t be perfect all the time. We rely on them to protect our sites, but “they’re going to fail at some point,” whether through deliberate attacks or a simple mistake.
“The problem is that we are trapped in a digital monoculture, where decades of anti-competitive practices have created a single system responsible for much of what we need, from airlines to hospitals to schools,” Mir said. “A mistake that leads to a major failure is inevitable, but for it to have this kind of impact is a policy failure.”
Who does this affect most?
Every time disaster strikes, we are reminded that those most at risk are also those most deeply affected by such systemic failures.
“Something we see regularly with any kind of system failure, like malware attacks and data breaches, even if the nature of the failure affects everyone across the board, frankly people’s resilience and ability to cope with these things has an uneven impact,” Mir said. “People who have enough money to have backup systems and can maybe get another hotel to wait for another flight or something like that are more able to weather this kind of disaster.”
Ultimately, access to technology is expensive, and knowing how it works is, as Mir says, “privileged knowledge.”
“When something like this happens and it’s so widespread, sometimes we don’t think about all the unintended consequences,” Cogburn said. We think of airlines and TV stations, but we may not immediately think about how the SNAP EBT program (which was shut down for hours) or food and educational services are affected. While some people can easily adapt and drive to the office instead of working from home, others don’t have that luxury.
“For people who have more limited options, if they’re relying on connected devices (and) connected services, and those are turned off, they may not have the kind of flexibility to adapt to a more in-person environment or space,” Cogburn said. “So I think that’s one of the ways that underserved populations are being impacted.”
Smaller companies could be hit harder than larger companies, which can “weather the storm a little bit more easily,” Cogburn said, because they don’t have the same kind of resources to draw on.
Inevitably, this could lead some people to be wary of systems like CrowdStrike, which Cogburn says are “really dangerous.” Think about how often you don’t want to update your phone, but then leave yourself open to bugs and attacks; then multiply that figure by 100.
“You’re left incredibly vulnerable to the reason the patch was developed in the first place,” Cogburn said.
How can we ensure that this doesn’t happen again?
Such failures are inevitable, but their effects on society need not be. Mir argues that the widespread nature of this problem is due to a lack of enforcement of antitrust laws by agencies such as the Department of Justice and state attorneys general.
“Until now, antitrust laws have focused on driving down prices for consumers, which is great, but it has also created a monoculture where there may be one big company offering a cheap deal, but then it becomes a huge single point of failure. And we could end up with a Y2K-like scenario,” Mir said.
Mir is hopeful that this massive and unprecedented failure will lead to legislative change.
“This is largely a failure of the antitrust enforcers themselves — the Department of Justice, the FTC, the attorneys general — but I think hopefully this disaster will be a wake-up call to all of them and potentially to lawmakers to make sure that antitrust laws are working for consumers and for reasons beyond just lowering prices,” Mir said.
All in all, it was an unprecedented failure, but in a way we were lucky: it wasn’t a cyber attack. We may not be so lucky next time, so we need to address it now, before it’s too late.