Airlines grounded planes across the world on Friday, not because of a problem with the airplanes themselves but with the computers that help them navigate the complexity of scheduling, display flight schedules to passengers, and monitor flight paths. Some hospitals canceled scheduled surgeries and medical appointments because their staff couldn’t use their computers to access patients’ medical records. Even grocery stores were impacted. I couldn’t buy groceries just outside London on Friday because the payment processing system used at my market was down.
We can trace all those disruptions to cybersecurity vendor CrowdStrike. A minor error in its software caused computers running the code to fail. Even after the code was patched, each and every computer affected had to be manually restarted by a human being, which meant fixing the problem took a lot of time.
How did a small mistake in a company most of us had never heard of create such a mess? Centralization pressures have consolidated many industries, and, in software, the result has been that Microsoft Windows is the default operating system controlling everything from 911 systems to banks to elevators. Corporations around the world trust Microsoft to help them smoothly run their businesses. Microsoft’s security team deploys updates automatically on a schedule. Many users have probably forgotten, or weren’t even born during, the widespread malware attacks (as early as 1988 and especially in the 1990s and 2000s) which repeatedly brought down much of the internet.
What we saw on Friday exposes the tension between safety and security. Safety means ensuring that software runs as expected and does so dependably every time. Safety gives us the confidence to use computers to handle hospital medical records and airline scheduling and know that they will be reliable. Security, on the other hand, is ensuring that software is free from attacks from those who want unauthorized access. Security allows us to connect computers to the internet and know that cybercriminals will not be able to use our computers to make money or access the private information stored on them. For software like Microsoft Windows, which is ubiquitous in our national critical infrastructure, we need both safety and security.
But focusing on one can come at the expense of the other. To ensure safety, we need enough time to audit the code and test it properly. That allows experts to examine the code and run it in a variety of scenarios to give them the confidence the code will run as expected. To ensure security, though, we need to be able to update the code quickly to minimize harm against potential attacks. Cybercriminals are regularly targeting computers using new ways to get in. Quick updates allow us to block threats as soon as they arise.
A CrowdStrike update contained an error and didn’t run as expected, which caused worldwide frustrations Friday. Due to the complexity of modern computer systems, even systems that were not running CrowdStrike were affected. If they used a third-party service dependent on CrowdStrike, then they would still be equally affected. For instance, I don’t know if my grocery store runs its own payment processor or if it contracts with a payment processor that uses CrowdStrike. It’s irrelevant. If a single component of an interconnected system is directly affected, then the rest is rendered unusable until the affected systems are back online.
Security software like CrowdStrike’s needs to be able to run updates at a fast pace to ensure the security of the systems it runs on. However, by allowing CrowdStrike to auto-update without outside inspection, too much trust is put in this company and its software. Such a process doesn’t sufficiently safeguard safety, and we need a complete review to see if CrowdStrike followed all relevant safety norms. If they did, then those safety norms need to be updated.
What happens next? We need security software to be able to update quickly, but better mechanisms need to exist to ensure the safety of the underlying systems. In the weeks and months to come, expect changes within companies as they adjust their systems to include security critical code in their normal safety processes. But this is not enough.
Governments regulate software systems, particularly in certain critical industries. This extra layer protects their citizens from undue harm. Software systems are certified by external companies providing compliance checks on a regular basis. This ensures that they comply with the regulations. In many sectors, systems are required to run proper security software and CrowdStrike was a default option here. By giving a single vendor privileged access to many Microsoft corporate systems around the world, a ripe environment was created for a single failure to bring down a large part of the computer-powered infrastructure we rely on across the world.
There are a large number of centralization pressures in the software industry. Outsourcing information technology is a cost-effective way to outsource legal risk if issues arise. Choosing known good vendors makes the compliance-checking processes quicker and easier. These pressures can’t be overcome if there aren’t substantive changes in how we regulate systems. We have now seen one of the repercussions of the lack of diversity of software. If nothing changes, such a catastrophic event will inevitably happen again.