Commentary: CrowdStrike Failure Shows Danger of Dependence on Big Tech Companies

On Thursday last week, a routine software update caused outages in many places around the world, with effects lasting for days.

CrowdStrike, a cybersecurity vendor whose software runs on Microsoft systems, released an update that analysts say likely bypassed quality-control testing, taking down some 8.5 million computers in what may be the largest cyber event in history.

Microsoft systems that are critical to the online operations of banks, hospitals, police, major airlines, television stations and government agencies were affected. Flights and operations were canceled, courts and government offices were closed, and new security holes were introduced, including for federal agencies.

The shutdown has brought into stark relief Americans’ collective vulnerability to cyberattacks: Our reliance on trillion-dollar tech giants can threaten our national security.

Technology providers that support the infrastructure that the public and private sectors rely on have a responsibility to protect our security. In 2023, the director of the federal Cybersecurity and Infrastructure Security Agency, Jen Easterly, proposed holding tech companies accountable for selling vulnerable products. Such accountability measures could have avoided the global CrowdStrike outage.

The rapid consolidation of power in tech companies is challenging government and society. Companies that are growing to unprecedented sizes and trillion-dollar valuations control the digital infrastructure that people depend on at least as much as they depend on mail and trash pickup. Tech companies now run or help run communications, commerce, and other services more efficiently than federal agencies. But they also do so with less regulation and public oversight—and with a profit motive.

The technology sector accounts for more than 10% of the U.S. economy. In 2024, Microsoft reported revenues of $211.91 billion. Other tech giants reported even larger numbers: Amazon $574.78 billion, Apple $383.28 billion, and Alphabet (Google) $307.39 billion. (Meta Platforms, formerly Facebook, reported $134.90 billion.)

Some of those profits go toward lobbying and paying fines for security and antitrust violations, rather than investing in cybersecurity and other improvements that would reduce consumer harm. In 2023, the tech giants spent at least $10 million each on lobbying, while receiving more than $3 billion in fines and settlements for violating European digital antitrust laws and facing lawsuits from the Justice Department and the Federal Trade Commission.

Meanwhile, according to the Consortium for Information & Software Quality, in 2022 the financial impact of poor software quality in the U.S. was at least $2.41 trillion.

There are several ways to avoid software-induced outages. Diversifying vendors and technical options increases resilience and reduces risk. In contrast, if everyone relies on just a few vendors, any single outage has huge consequences. CrowdStrike, one of the largest cybersecurity firms in the country, is an example of this problem; it counts more than half of the Fortune 500 as customers.

Equally important is cybersecurity redundancy — multiple layers of security measures and backup systems that provide ongoing protection and functionality even if one layer fails or is compromised. While creating these redundancies may cost companies more up front, they are investments in maintaining trust between companies and their customers, Javad Abed, a cybersecurity expert and assistant professor of business at Johns Hopkins University, told USA Today.

About two-thirds of software vulnerabilities in commonly used programming languages are memory-safety vulnerabilities, such as improper allocation or deallocation of memory, which can allow unauthorized access or execution of malicious code.

Earlier this year, the White House—notable given how often the government lags behind on technology issues—pushed for widespread adoption of “memory-safe” programming languages like Rust, Go, Python, and Java, which protect against certain types of memory-related bugs. Microsoft and other big tech companies nonetheless still rely on C/C++ alongside other languages because those languages are fast and are used to develop firmware, the programs embedded in hardware memory that help devices run. It’s worth sacrificing a little convenience to avoid devastating security flaws.
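To make the preceding paragraph concrete, here is an added illustration in C (not code from the article, and unrelated to the CrowdStrike update itself) of the defect class it describes: a fixed-size field written with no bounds check beside a version that checks first, and a release helper that guards against use-after-free and double-free. The struct, function names and inputs are all constructed for this example; a memory-safe language performs the equivalent of the "after" check on every indexed access without the programmer having to remember it.

```c
/* Added illustration, not from the article: an unchecked copy into a
 * fixed-size field, its bounds-checked counterpart, and a release helper
 * that clears the caller's pointer. All names and inputs are constructed. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_MAX 16

struct device_record {
    char name[NAME_MAX];   /* fixed-size field */
    int  enabled;          /* sits right after the buffer in memory */
};

/* "Before": copies whatever it is given. A name of NAME_MAX bytes or more
 * runs off the end of 'name' into whatever follows it. C performs no check,
 * so the result is silent corruption rather than an error: this is the
 * improper-allocation class of defect the article refers to. */
void set_name_unchecked(struct device_record *rec, const char *name)
{
    strcpy(rec->name, name);
}

/* "After": measure first, refuse anything that does not fit, and leave the
 * record untouched on rejection. */
bool set_name_checked(struct device_record *rec, const char *name)
{
    size_t len = strlen(name);
    if (len >= NAME_MAX)
        return false;                 /* would overflow: reject it */
    memcpy(rec->name, name, len + 1); /* includes the terminating NUL */
    return true;
}

/* Improper deallocation: freeing a record and later using or freeing the
 * stale pointer. Taking the pointer by address lets the helper clear it, so
 * a later use fails loudly as a NULL dereference instead of touching freed
 * memory, and a second release is a harmless no-op. */
void release_record(struct device_record **rec)
{
    if (rec == NULL || *rec == NULL)
        return;
    free(*rec);
    *rec = NULL;
}

/* Scenario: the checked setter accepts a normal name, rejects an over-long
 * one, and leaves the neighbouring 'enabled' flag intact; releasing twice
 * is safe and leaves the pointer NULL. Returns true if all of that holds. */
bool checked_setter_preserves_neighbour(void)
{
    struct device_record *rec = calloc(1, sizeof *rec);
    if (rec == NULL)
        return false;
    bool ok = set_name_checked(rec, "sensor-01");       /* fits: accepted */
    rec->enabled = 1;
    /* 39-character constructed input: would overflow the 16-byte field. */
    ok = ok && !set_name_checked(rec, "this-name-is-far-too-long-for-the-field");
    ok = ok && rec->enabled == 1 && strcmp(rec->name, "sensor-01") == 0;
    release_record(&rec);
    release_record(&rec);             /* second release: no double-free */
    return ok && rec == NULL;
}

int main(void)
{
    printf("checked setter safe: %s\n",
           checked_setter_preserves_neighbour() ? "yes" : "no");
    return 0;
}
```

The unchecked version is never called with an over-long input in the scenario, because doing so is undefined behaviour in C: there is no error to catch, which is precisely why the article's "certain types of memory-related bugs" are so damaging and why languages that check bounds for you remove the whole class.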

Finally, as Easterly recommends, to increase accountability for tech companies, US regulations need to be updated. Our antitrust laws should move away from focusing solely on price and avoiding economic harm to include data privacy and security.

Federal secure-by-design standards would shift responsibility onto vendors to deliver products that are secure from the outset. We can also look to the European Union, where regulators are prioritizing cyber resilience through the Digital Operational Resilience Act, effective from 2025, which aims to establish strict requirements to ensure the financial sector can cope with information and technology threats.

Only by holding technology providers to the highest standards can we continue to enjoy the progress of a connected world without fear of avoidable and potentially life-threatening disruptions.

Heidi Boghosian is an attorney and author of the upcoming book Cyber Citizens: Saving Democracy Through Digital Literacy.