CrowdStrike failure: the beginning of the end of software without guarantees?


CrowdStrike’s crash-inducing security software update raises questions about suppliers’ responsibility to offer quality guarantees for their products.

By now everyone knows how a flawed update to the Windows version of CrowdStrike’s Falcon security sensor crashed 8.5 million computers. But what does the failure of one company’s software testing regime mean for the IT industry as a whole? Experts and analysts say that the idiosyncrasies of the technology sector mean it could easily happen again.

Quality vs speed

CrowdStrike has given its version of events leading up to the July 19 crash.

But for independent IT expert Fernando Maldonado, one of the causes of CrowdStrike’s failure is in the way the cybersecurity industry competes with cybercriminals. “There is a race to always cover the latest threats. So, to close the window between when a threat is discovered and when you cover it, you have to pick up a certain speed,” which can lead to a lack of attention to the quality of this update, he says.

“It’s strange that it hasn’t happened before. It’s a problem of software quality,” he said. “Speed prevails here. It is clear that the quality test has not been done.”

Maldonado is surprised by the paradox of this case: CrowdStrike has made its name precisely for its technical excellence and speed. “I think the company has grown so much that, suddenly, to remain agile, it has to sacrifice steps, and it leads to this. When they have already taken on a certain size, this type of company should perhaps be required to have a plus in the quality of software so that this does not happen,” he said, especially if it is critical infrastructure.

Beyond cybersecurity, a failure like this is possible within the technology industry due to the lack of guarantees provided for products and services, a situation to which regulators have turned a blind eye for decades so as not to anger the so-called big tech and not to slow the race for innovation.

Lawyer and cybersecurity consultant Paloma Llaneza said the contracts that companies sign with technology providers, in their vast majority, establish the payment of a minimum compensation for interrupted services, calculated based on the time of non-use of the software. In other words, catastrophic consequences such as those seen on July 19 following the CrowdStrike failure are not usually legally the responsibility of the company that sells that software.

“Software is sold ‘as is’. If you buy a word processing program and it is not suitable for word processing, it is not worth complaining either. What there is here is an irony in the fact that a cybersecurity company launches a patch that causes worse effects than an attack,” Llaneza said.

This kind of ‘legal vacuum’ would be unthinkable in other economic sectors. “Would you get into a car that did not comply with all the regulations and safety standards?” Llaneza asked. “Many say that sysadmins should have an environment where they only download [updates] to a few machines and test before deploying it… assuming that what they are selling you is bad, that you have to try it first.”

This makes cases like CrowdStrike’s unavoidable under current legislation. Llaneza said that work is already being done on this in the US, very slowly and for specific cases, such as implantable devices in humans. The US Food and Drug Administration (FDA) has regulated software deployed on implantable hardware, such as pacemakers, placing proactive responsibility on the manufacturer for patching vulnerabilities and addressing cyberattacks that could directly or indirectly affect those devices.

This is a small step in a problem of great proportions. “That there is an absolute assumption of this principle [the lack of guarantee] shows how well it has been done by software manufacturers so that everyone looks in a completely different direction,” Llaneza said.

Is interoperability an issue?

Microsoft itself, a few days after the incident, pointed to another factor behind the crash of its systems: an interoperability agreement that the European Commission imposed on it in 2009.

A company spokesperson told The Wall Street Journal that the Interoperability Commitment that Microsoft signed could have prevented the technology company from completely locking down the Windows operating system for security reasons. In an effort to combat anticompetitive behavior by big tech, the deal required the company to grant security software makers the same access to Windows as Microsoft itself enjoyed. The European Union, however, failed to reach similar agreements with Apple or Google.

In an analysis of the CrowdStrike incident published on its website, IDC agrees with Microsoft on this point. “By giving independent software vendors [ISVs] in their ecosystem direct access to the system kernel, the operating system vendor is essentially removing itself from the trust value chain,” the analyst firm said.

Thus, for IDC, the situation exposes the opposing approaches taken by the major operating system vendors. While Microsoft was forced to adopt a more open approach that allows at least a dozen ISVs to offer modern endpoint protection software, Apple is opting for a more prescriptive and closed ‘walled garden’ approach to endpoint protection, making it nearly impossible for any vendor to introduce configuration changes that could have a potentially catastrophic impact on iOS or macOS kernels. In practice, Apple has deprecated third-party kernel extensions on macOS in favor of user-space system extensions built on its Endpoint Security framework, so a faulty agent update can crash the agent but not the kernel. This approach has led Apple to clash with the European Commission over alleged unfair competition.

The concentration around certain software vendors that have a dominant position in the market, whether in terms of price, quality or interoperability with other products, makes it more difficult for smaller technology companies to improve their offering and accumulate market share. “That’s not to say that [big tech] abuses that dominant position from a legal standpoint. There are people developing software everywhere and there is enough talent to do it. Another thing is that concentrations occur because the services and products of certain providers are more competitive,” explained Llaneza.

“Microsoft has been receiving sanctions from the European Union for many years for different integrations within its systems to limit competition. Companies that have been in the sector for a long time do everything possible to get closer to that line of being in a position of dominance and abuse it just enough so that the alarms do not go off,” said the lawyer. And it’s not a problem of a lack of sanctions: They exist and they’re huge, but for companies the size of Microsoft or Google, they’re not that relevant.

Along these lines, Maldonado said that the case of CrowdStrike “requires a reflection on how we are doing things and the dependencies we are generating. There are many interdependencies. You don’t have to affect all banks: It is enough that you affect a dozen banks. Since they are all connected to each other, you are affecting all of them. It gives you an idea of the fragility that exists in the economy that depends on software that is often not well understood.”

Humans still have something to say in the age of AI

Beyond the failure of CrowdStrike and the systemic problems affecting the technology industry, the global computer blackout made it clear that, in the era of artificial intelligence (AI) everywhere, human beings are not expendable, and that the world is not ready to leave big decisions in the hands of machines. Not only was it flesh-and-blood people who had to manually check in passengers at airports when their screens turned blue, but it was also a person who had to go and fix each of the PCs or servers, said Maldonado.

“When these things arise, there is no automatism that solves it, there has to be a person. [The case of the blackout] opens up that reflection of saying, ‘Hey, are we really prepared to leave all this in the hands of certain automatisms?’ Yes and no. Today, you have to have a plan B. We’ll see tomorrow,” he says.

For Llaneza, this type of case reflects the need for greater regulation of the technology sector and overturns the hypothesis of some that controls stifle innovation.

“There is a position that has always been maintained in all technological developments, which is like the Wild West: first let’s let people go and kill each other to conquer the territory, and once people settle down, you appoint a sheriff and set rules. It happened with the Industrial Revolution, with people who worked 18 hours, did not rest and lived in factories. What has happened here is that it has not been regulated at all, neither in the US nor in Europe, and innovation has been put above all else. The results are being seen, they are catastrophic,” the lawyer said.

“So, artificial intelligence clearly has to be regulated. Technology is at the service of human beings, not us at their service, which is something that we seem to forget continuously,” Llaneza concluded.
