When computers and tech systems around the world went down Friday, snarling airports, closing Social Security offices and limiting jail operations, many people had one question: How on earth could this happen in 2024?
A software update from a single cybersecurity company, US-based CrowdStrike, was the root cause of the chaos, underlining the fragility of the global economy and its dependence on computer systems to which relatively few people give a passing thought.
“[M]ost people believe that when the end of the world comes, it will be AI taking over some kind of nuclear power plant and shutting down electricity,” Costin Raiu, a longtime cybersecurity researcher, quipped to CNN. “While in reality, it’s more likely to be some kind of a little bit of code in a botched update, causing a cascade reaction in interdependent cloud systems.”
Software updates are a critical function in society to keep computers protected from hackers. But the update process itself is crucial to get right and to safeguard from tampering. An inherent — and some say misplaced — trust in that process was punctured on Friday.
CrowdStrike is everywhere
Numerous Fortune 500 companies use CrowdStrike’s cybersecurity software to detect and block hacking threats. Computers running Microsoft Windows — one of the most popular software programs in the world — crashed because of the faulty way a code update issued by CrowdStrike interacted with Windows.
CrowdStrike, a multibillion-dollar firm, has expanded its footprint around the world in more than a decade of doing business. Many more businesses and governments are now protected from cyberthreats because of this, but the dominance of a handful of firms in the anti-virus and threat-detection marketplace creates its own risks, according to experts.
“We trust cybersecurity providers widely but without diversity; we’ve created fragility in our technology ecosystem,” Munish Walther-Puri, the former director of cyber risk for the city of New York, told CNN.
“‘Winning’ in the marketplace can aggregate risk, and then we all — consumers and companies alike — bear the costs,” Walther-Puri said.
CNN has requested comment from CrowdStrike.
How to prevent this from happening again
The wide swathe of critical infrastructure providers affected by the outage is also likely to raise fresh questions among US officials and corporate executives about whether new policy tools are needed to avoid catastrophe in the future.
Anne Neuberger, a senior White House tech and cybersecurity official, spoke of the “risks of consolidation” in the tech supply chain when asked about the IT outage on Friday.
“We need to really think about our digital resilience not just in the systems we run but in the globally connected security systems, the risks of consolidation, how we deal with that consolidation and how we ensure that if an incident does occur it can be contained and we can recover quickly,” Neuberger said at the Aspen Security Forum in response to a question about the IT outage.
The chaotic scenario that played out Friday did not involve a malicious actor, but government officials around the world will likely be gaming out what might have been.
The infamous hack of the US government using SolarWinds software in 2020, which US officials blamed on Russia, came through a tampered software update. That hack was not nearly as disruptive, but another alleged Russian hack in 2017 caused billions of dollars in damage to the global economy because malicious code spread like wildfire.
The CrowdStrike episode “demonstrates the serious damage that could be inflicted by a malicious adversary if they were so minded,” Tobias Feakin, a former ambassador for cybersecurity and critical technology in the Australian foreign ministry, told CNN.