Opinion: Who will pay for the Crowdstrike outage?

Crowdstrike didn’t have a good day on July 19. During a routine software update, a file released by the cybersecurity firm triggered a logical error that prevented Windows computers from restarting. Microsoft estimates that the event may have affected about 8.5 million computers.

This caused a cascade of consequences as computers supporting many industrial operations were unable to coordinate and process data.

For air travel, the net effect has been the cancellation of more than 10,000 flights since July 19, according to FlightAware, with Delta Air Lines particularly hard hit. Using a very conservative estimate, if each flight was booked by an average of 64 people and the average ticket cost was US$290 (RM1,320), the lost direct revenue on those days totalled more than US$180 million (RM819.7 million).

Considering that some of these people had to cancel hotel reservations, car rentals, and perhaps even cruises, the side effects of the power outage alone on the hotel industry are likely many times more severe.

Many other industries have been affected and similar analyses can be conducted.

In some areas, 911 services could not be accessed, which meant emergency calls about heart attacks and accidents went unanswered. Some of these missed calls could result in deaths that have no financial value.

Numerous large hospital systems across the country were also affected, causing non-emergency procedures and office visits to be canceled or delayed.

Such a massive disruption did not go unnoticed. The House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection requested a meeting with Crowdstrike CEO George Kurtz.

The question that now arises is: Who will pay for all these delays, cancellations and consequences?

The first group to be hit are Wall Street investors, where Crowdstrike’s market capitalisation has fallen by more than US$10 billion (RM45.5 billion) as of July 22. The question is how long it will take for Crowdstrike shares to recover those losses.

The irony of the situation is that Crowdstrike software was designed to protect computers from viruses and malware. Yet the current failures have caused damage comparable to what a computer virus or malware could have unleashed. To use a war metaphor, what happened with Crowdstrike was similar to friendly fire.

The only saving grace of this incident is that the fix for the problem file wasn’t complicated, taking less than 80 minutes to identify and implement. However, the damage had already been done to the 8.5 million computers affected, with some requiring manual removal of the problem file and a reboot.

Does this make Crowdstrike liable for all such work and efforts and the damages associated with them?

Every software product available has its terms and conditions that limit its liability to the user in the event of any kind of failure or disruption. In essence, users agree to protect the owner of the software. Few of us take the time to read such agreements, even though they are binding on us.

Unfortunately, the outage will likely lead to a series of class action lawsuits, with lawyers representing different groups of victims and seeking compensation that will ultimately be settled out of court.

But more importantly, the Crowdstrike failure shines a bright light on the fact that all organizations and entities that rely on computers are one bad file, one accidental keystroke, or one software update away from a potentially devastating technological breakdown. Every organization and entity is at risk.

What happened to Crowdstrike could have happened to any of the many other security software companies, though perhaps not on such a large scale. It’s the price we all pay to enjoy the benefits of cyberefficiency and access to the digital economy.

Nobody wants to go back to a world where everything is done on paper and tasks that can be done digitally can be done thousands of times faster and more accurately.

The outage also gives us a taste of how flaws in AI systems can lead to cybercollapses, disrupting financial, transportation and healthcare systems far beyond what any group of humans could cause on their own.

Crowdstrike may bear some responsibility for what happened on July 19, but the demands for efficiency offered by our digital economy are just as complicit. The congressional committee that will question Crowdstrike’s CEO may not be able to appreciate that fact.

The next few months will be interesting to watch as these liability issues are unraveled, debated, and investigated. The alternative to what Crowdstrike offers—namely, no cyber protection—is far more dangerous than what happened on July 19th.

This is the reality of living in the digital economy. It brings with it many benefits and conveniences that we all enjoy. It also comes with risks, some of which are obvious, such as viruses and malware, and some of which are not, as many organizations learned July 19. – Chicago Tribune/Tribune News Service