The CrowdStrike outage shows our dependence on Big Tech overlords - Los Angeles Times
Advertisement

Opinion: The CrowdStrike outage shows the danger of depending on Big Tech overlords

Passengers at airport walk past a blue screen showing frowning face error message
Screens display a blue error message at a departure floor of LaGuardia Airport in New York on Friday after a faulty CrowdStrike update caused a major outage for computers running Microsoft Windows.
(Yuki Iwamura / Associated Press)
Share via

Starting on Thursday with ripple effects for days afterward, a routine software update caused a record-breaking freeze across much of the world. CrowdStrike, a cybersecurity vendor deployed by Microsoft systems, installed an update that analysts say probably skipped quality testing. The result disabled an estimated 8.5 million computers in perhaps the largest cyber event in history.

Affected were Microsoft-powered systems critical to the online operations of banks, hospitals, police forces, major airlines, TV stations and government agencies. Flights and surgeries were canceled, courts and government offices shut down, and new hacking vulnerabilities introduced, including for federal agencies.

The shutdown brought Americans’ collective cyber vulnerability into sharp focus: Our reliance on trillion-dollar tech overlords may imperil national security.

Advertisement

The tech providers that support infrastructure relied upon by the public and private sectors bear a responsibility to protect our safety and security. In 2023, federal Cybersecurity and Infrastructure Security Agency Director Jen Easterly proposed holding tech companies liable for selling vulnerable products. With such liability measures in place, CrowdStrike’s global outage might have been avoided.

We already knew that businesses do almost nothing to protect us from hackers. The CrowdStrike debacle points to another weak point.

July 23, 2024

The rapid consolidation of power in tech companies poses challenges to the government and society. Companies reaching unprecedented sizes and valuations in the trillions control digital infrastructure that people depend on at least as much as the mail and trash pickup. Tech companies now run or help run communication, commerce and other services more nimbly than do federal agencies. But they also do it with less regulation and public oversight — as well as a profit motive.

The tech sector’s market dominance accounts for more than 10% of the U.S. economy. In 2024, Microsoft reported revenues of $211.91 billion. Other tech behemoths posted even larger figures: Amazon $574.78 billion, Apple $383.28 billion and Alphabet (Google) $307.39 billion. (Meta Platforms, formerly Facebook, posted $134.90 billion.)

Advertisement

A chunk of these profits goes toward lobbying and paying penalties for safety and antitrust violations, rather than investing in the cybersecurity and other improvements that would reduce consumer harms. In 2023, tech giants spent at least $10 million each on lobbying while also receiving more than $3 billion in fines and settlements for breaking European digital antitrust laws and facing lawsuits by the Department of Justice and the Federal Trade Commission. Meanwhile, in 2022, the financial impact of poor software quality in the U.S. amounted to at least $2.41 trillion, according to the Consortium for Information & Software Quality.

Software-caused outages can be avoided in a few ways. Diversifying tech contractors and options strengthens resilience and mitigates risks. By contrast, if everyone relies on just a couple of providers, any single breakdown carries huge consequences. CrowdStrike, one of the nation’s largest cybersecurity firms, exemplifies this issue; it counts more than half of the Fortune 500 companies as customers.

L.A. County Superior Court, the biggest trial court in the country, was closed Monday as it continues to recover from a ransomware attack, officials said.

July 22, 2024

Equally important is cybersecurity redundancy — multiple layers of security measures and backup systems that ensure continuous protection and functionality, even if one layer fails or is compromised. Although creating these redundancies may cost companies more in the beginning, they are investments in maintaining trust between businesses and their customers, as Javad Abed, a cybersecurity expert and assistant professor in business at Johns Hopkins University, told USA Today.

Advertisement

Around two-thirds of software vulnerabilities reported in commonly used programming languages stem from memory-related security flaws, such as the misallocation or freeing up of memory spaces that can enable unauthorized access or the execution of malicious code. Earlier this year, the White House — notably, given how often the government lags on tech issues urged the widespread adoption of “memory safe” programming languages such as Rust, Go, Python and Java, which protect against certain kinds of bugs related to how memory is used. Yet Microsoft and other big tech companies continue to rely on C/C++ alongside other languages because those are fast and used in developing firmware, programs embedded in hardware memory to help devices operate. It is worth sacrificing some convenience to avoid devastating security lapses.

Finally, in line with Easterly’s recommendation to increase liability for tech companies, U.S. regulations need an update. Our antitrust laws should move away from focusing solely on pricing and avoiding economic harm to encompass data privacy protection and security. Federal standards to ensure that software is secure by design would shift responsibility to vendors to provide safe products from the outset. We can also look to the European Union, where regulators are prioritizing cyber resilience through the Digital Operational Resilience Act, effective in 2025, meant to establish strict requirements to make sure the financial sector can handle information and technology threats.

Only by holding technology providers to the highest standards can we continue to enjoy the advances of an interconnected world without fear of avoidable — and possibly life-threatening — disruption.

Heidi Boghosian is an attorney and author of the forthcoming bookCyber Citizens: Saving Democracy Through Digital Literacy.”

Advertisement