Starting on July 18 with ripple effects for days afterward, a routine software update caused a record-breaking freeze across much of the world.
CrowdStrike, a cybersecurity vendor deployed by Microsoft systems, installed an update that analysts say probably skipped quality testing. The result disabled an estimated 8.5 million computers in perhaps the largest cyber event in history.
Affected were Microsoft-powered systems critical to the online operations of banks, hospitals, police forces, major airlines, TV stations and government agencies. Flights and surgeries were canceled, courts and government offices shut down, and new hacking vulnerabilities introduced, including for federal agencies.
The shutdown brought Americans’ collective cyber vulnerability into sharp focus: Our reliance on trillion-dollar tech overlords may imperil national security.
The tech providers that support infrastructure relied upon by the public and private sectors bear a responsibility to protect our safety and security. In 2023, federal Cybersecurity and Infrastructure Security Agency Director Jen Easterly proposed holding tech companies liable for selling vulnerable products. With such liability measures in place, CrowdStrike’s global outage might have been avoided.
The rapid consolidation of power in tech companies poses challenges to the government and society. Companies reaching unprecedented sizes and valuations in the trillions control digital infrastructure that people depend on at least as much as the mail and trash pickup. Tech companies now run or help run communications, commerce and other services more nimbly than do federal agencies. But they also do it with less regulation and public oversight — as well as a profit motive.
Software-caused outages can be avoided in a few ways. Diversifying tech contractors and options strengthens resilience and mitigates risks. By contrast, if everyone relies on just a couple of providers, any single breakdown carries huge consequences. CrowdStrike, one of the nation’s largest cybersecurity firms, exemplifies this issue; it counts more than half of the Fortune 500 companies as customers.
Equally important is cybersecurity redundancy — multiple layers of security measures and backup systems that ensure continuous protection and functionality, even if one layer fails or is compromised. Although creating these redundancies may cost companies more in the beginning, they are investments in maintaining trust between businesses and their customers.
Earlier this year, the White House — notably, given how often the government lags on tech issues — urged the widespread adoption of “memory safe” programming languages such as Rust, Go, Python and Java, which protect against certain kinds of bugs related to how memory is used. Yet Microsoft and other big tech companies continue to rely on C/C++ alongside other languages because those are fast and used in developing firmware, programs embedded in hardware memory to help devices operate. It is worth sacrificing some convenience to avoid devastating security lapses.
Federal standards to ensure that software is secure by design would shift responsibility to vendors to provide safe products from the outset. We can also look to the European Union, where regulators are prioritizing cyber resilience through the Digital Operational Resilience Act, effective in 2025, meant to establish strict requirements to make sure the financial sector can handle information and technology threats.
Only by holding technology providers to the highest standards can we enjoy the advances of an interconnected world without fear of avoidable — and possibly life-threatening — disruption.
Heidi Boghosian is author of the forthcoming book “Cyber Citizens: Saving Democracy Through Digital Literacy.” She wrote this for the Los Angeles Times.