How could this happen? A $74 billion question for the IT industry
CrowdStrike, a cybersecurity firm based in Austin, Texas, inadvertently triggered a global meltdown with a faulty update to its Falcon computer-security platform
New Delhi: For decades, the world has braced for an apocalyptic cyber outage, the stuff of countless films, TV dramas and novels. We’ve imagined threats from lone-wolf hackers, adversarial nations and anarchist hacktivists. Our fears have been stoked by incidents such as the 2017 WannaCry ransomware that spread across 150 countries or the hack of Sony Pictures that led to damaging leaks of emails and unreleased films.

But on Friday, the havoc was wreaked not by a nefarious actor but by badly written code from a company whose very purpose is to prevent such catastrophes. CrowdStrike, a cybersecurity firm based in Austin, Texas, inadvertently triggered a global meltdown with a faulty update to its Falcon computer-security platform.
The update sent Windows computers worldwide into disarray, paralysing corporations, crippling transport and freezing essential work. It was a stark reminder of the vulnerabilities inherent in an interconnected digital age.
Cyber expert James Bore noted, in comments to news agency AP, “All of these systems are running the same software. We’ve made all of these tools so widespread that when things inevitably go wrong — and they will, as we’ve seen — they go wrong at a huge scale.”
The scale of this outage was indeed unprecedented. Ciaran Martin, professor at Oxford University’s Blavatnik School of Government and former head of the UK National Cyber Security Centre, stated, “I’m struggling to think of an outage at quite this scale”, according to Reuters.
CrowdStrike, a market leader with a $74 billion valuation, has long been recognised for its cybersecurity competence. Known for building software defences for the cloud computing age and exposing Russian and North Korean threats, its founders have extensive backgrounds in cybersecurity. This makes Friday’s problems not just inexplicable, but inexcusable.
Software development operates on strict rules of testing and deployment. How could CrowdStrike have rolled out such a devastating update without realising its potential impact? This incident raises serious questions about the company’s quality control processes and the broader industry’s reliance on centralised systems.
While CrowdStrike’s CEO George Kurtz has apologised and clarified that the problem was not due to a security breach of their own systems, the damage to the company’s reputation may be substantial. More importantly, this incident should serve as a wake-up call for the entire cybersecurity industry.
The interconnected, centralised method that has become the norm in cybersecurity is clearly vulnerable to single-point failures. The industry must now grapple with how to prevent another episode of this nature, and if there needs to be a rethink on letting centralised solutions and market dominance by a few persist.

E-Paper

