Nearly a week after a major IT outage shut down computer systems around the world, cybersecurity firm CrowdStrike (CRWD) issued a statement Thursday revealing that a single software update was responsible for grounding planes, reducing hospital procedures and closing businesses for days.
The announcement came as most companies returned to business as usual. But it points to the vulnerability of our modern Internet infrastructure and how the removal of even a relatively small number of devices – Microsoft (MSFT) estimates 8.5 million systems have been affected – can impact our lives.
“What we see here is the ripple effect that a small software update, or in the future, perhaps a cyberattack or malicious code, can have a huge impact,” David Bader, director of the Institute for Data Science at the New Jersey Institute of Technology, he told Yahoo Finance.
And without some kind of broader plan to address the issue, another widespread outage is almost certain to happen.
“What we’re seeing today are these types of cascading failures occurring more and more frequently,” Bader said. “This will continue as we look at AI and as we move toward [artificial general intelligence]that these types of failures, whether accidental, some bad programming like CrowdStrike, or their malicious attacks, will continue to show the vulnerability of our technological world.”
Lack of coherent rules
According to CrowdStrike’s statement, the company released a software update on July 19 that included a flaw that was not detected in validation checks. The error immediately crashed some web-connected Windows systems, causing them to display a crash message known as the blue screen of death.
CrowdStrike says it is responding to the issue by revamping how it prepares its software updates, including more rigorous testing and staggered deployment to avoid a global systems meltdown in the future.
It’s important to note that software is developed by people. And although they are often incredibly capable people, they are still human, and humans make mistakes. This is often how flaws enter software ecosystems, whether it’s CrowdStrike’s programs or some other company’s platform.
“Even the best testing processes fail,” explained Gartner analyst Jon Amato. “You can do a certain amount of automated testing, but those automated tests are designed by humans and humans are fallible.”
And while CrowdStrike is certainly looking to improve its own internal processes when it comes to ensuring the stability of its software updates, that doesn’t mean every other software company will do the same.
“We really don’t have any organizations in the U.S. that are looking holistically at our technological resilience,” Bader said.
He added: “We don’t have a body that can generate the best practices needed for private industry to protect against the delivery of software updates and what a customer should do, for example, the banks, the hospitals, the airlines, like them they must protect themselves to ensure that these problems do not affect them in the future.”
And while the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency offers tips, there is no major enforcement mechanism to force companies to follow specific strategies when issuing software updates or addressing program flaws and malicious attacks.
Without that, Bader said, greater disruption and a prolonged recovery are sure to follow.
A bigger problem?
In addition to the need for a regulated approach to IT failures, the CrowdStrike outage also points to a broader problem in the backbone of the world’s technological infrastructure: a small number of companies have an outsized impact on the way the web works.
“We definitely know that these are very fragile systems, and the fact that they work as well as they do is, frankly, a miracle, given all the different players, the lack of heterogeneity in the stack,” Gregory Falco, assistant professor of mechanical and aerospace engineering and systems engineering at Cornell University’s Sibley School, he told Yahoo Finance.
But expanding the number of companies that connect directly to our Internet infrastructure isn’t exactly an easy solution either. This is because the more companies there are, the more opportunities there are for failure.
Ultimately, the solution to these types of problems on a global scale may simply come down to forcing companies to be better prepared for the catastrophe. And if the software fails, understand how to contain the consequences.
Email Daniel Howley at dhowley@yahoofinance.com. Follow him on X at @DanielHowley.
For the latest company earnings reports and analysis, earnings rumors and expectations, and earnings news, click here
Read the latest financial and business news from Yahoo Finance
/cdn.vox-cdn.com/uploads/chorus_asset/file/25537887/STK275_CROWDSTRIKE_CVIRGINIA_D.jpg?w=300&resize=300,300&ssl=1 "CrowdStrike Received ‘Most Epic Fail’ Award at Hacker Conference Def Con")
