A Windows-based supermarket self-service kiosk suffers the "blue screen of death" during the IT outage caused by a buggy update to CrowdStrike's security software. Photo / Herald staff
A fix for affected systems has been released, but getting them back online will take time as it requires manually removing the faulty update from each affected machine.
CrowdStrike software that injected the bug has almost 20% market share and is common in critical services.
Lovina McMurchy (Ngāti Rongomai) is the chief operating officer for Wellington-headquartered global cyber security start-up Kry10. Based in Seattle, she was previously a general partner for Movac and held senior roles with Microsoft, Amazon and Starbucks in the United States.
OPINION
Software firms like CrowdStrike are incentivised to rush out software updates – in a market dominated by a handful of tech companies – meaning any glitch will be felt by many. While caused by a buggy update rather than a cyber attack, this week’s incident points to trouble ahead. Donald Trump created a cyber security agency during his presidency but then fired its head for refusing to support his false claims that the 2020 election was stolen. The agency could be gutted if he wins in November.
The IT outages this week are a good reminder of how interdependent the world has become. The pandemic showed us how fragile our supply chain is to global shocks.
The CrowdStrike outage showed us the fragility of the software systems which run the world.
Part of the issue comes from the global dominance of a few large tech companies: Windows is still the operating system used in many critical systems such as transport, banking and hospitals and was largely engineered in a very different age.
The CrowdStrike software that injected the bug has almost 20% market share and is common in critical services, which are favoured targets of cyber attacks precisely because of the havoc that follows when they stop running reliably.
This outage was not caused by a cyber attack but by a bad update. The post-mortem has not been made public yet, but the nature of the outages suggests internal gaps in testing and other quality processes.
How can such a small and seemingly unimportant update be allowed to cause such catastrophic operational and financial damage? The answer lies in the incentives for makers of software and software services.
Technology is a fast-moving and highly competitive sector. There is immense pressure on software companies to constantly deliver new features and functionality which give them the edge over competitors.
When it comes to quality and security, they are incentivised to do just enough to squeak by, as customers can’t always see the impact of shortcuts in these areas.
Part of the reason for this is that software is sold under “buyer beware” terms and conditions. The software maker decides on the trade-off between new features and quality and, if the customer chooses to purchase, then they inherently take on the risk of those trade-offs.
This is a rough deal given many customers are less technically able to assess those trade-offs than the makers of the software.
Times are changing though. Both the United States and Europe have recently passed new cyber policies that place the responsibility for quality and security squarely on the software makers and industries that run critical services.
This change comes from the fact that sophisticated nation-state attacks on private industry are now fully embedded in the playbook of warfare.
The line between national defence and civil defence is increasingly blurring. So far, these are policy statements not yet backed by legislative changes that would allow legal suits when the right level of care has not been taken. But they are a clear indication of where things could be headed in the future.
Trump’s fight with cyber security agency
Of course, that depends very much on the outcome of the US election in November.
This is another area in which the policies of the Republicans and Democrats wildly diverge.
Donald Trump and his allies have had an ongoing battle with the Cybersecurity and Infrastructure Security Agency (CISA), the main US government agency responsible for protecting critical infrastructure.
While Trump himself signed the legislation creating the agency in 2018 while President, he famously used Twitter to publicly fire its director in 2020 after the director refused to support the false claims that the 2020 election had been stolen.
Other Republican lawmakers believe that CISA has been involved in encouraging Meta and other social content platforms to suppress conservative opinions.
It is widely believed that a Trump presidency will either defund CISA or neutralise it by packing it with Trump loyalists.
If that happens, it will be akin to declaring an open season for US adversaries to attack US critical infrastructure.
The CrowdStrike outages show us clearly that no country is far enough away from Washington DC to escape the real impacts of the politics there.
I’m not sure what advice to give Kiwis except to buy a thumb drive and regularly back up your PC!