Thursday, July 25, 2024

The Fallout from a Faulty Software Update Raises Questions About Cloud Computing Dependence

Proper Protocols for Software Updates Questioned Following Global Outage

In the aftermath of a global outage caused by a faulty software update, concerns are being raised about whether companies and government agencies followed proper protocols for updates. Last week, an antivirus software update issued by CrowdStrike, one of the largest cybersecurity companies, caused a billion Windows-based computers to crash, disrupting essential operations in various sectors. CrowdStrike has since issued apologies and pledged to resolve the issues. However, cybersecurity experts are questioning whether the company circumvented best-practice procedures when it circulated the update.

Experts emphasize the importance of testing software updates thoroughly before rolling them out to customers. Robert Thomas, owner of a cybersecurity company, advises taking the time to test patches and updates on a separate system and running tests against business-critical software applications. The Center for Internet Security (CIS) and the National Institute of Standards and Technology (NIST) have established standard protocols for conducting software updates, which include multiple stages of testing and rolling out updates gradually, to a smaller group of customers first. However, it appears that these best practices were not followed in the case of the CrowdStrike update.

CrowdStrike’s faulty update had cascading effects, causing computers operating on Microsoft’s Windows software to crash. The update was circulated for about an hour and a half before the flaw was discovered and the update was reverted. CrowdStrike assured customers that the outage was not a cybersecurity attack, but the damage caused by the incident was comparable to a cyber attack. This raises concerns about the extent of America’s dependence on a small number of cloud computing providers.

The rapid shift to cloud computing has led to increased concentration of services with a few dominant providers, such as Google, Microsoft, and Amazon. Stephan von Watzdorf, a cybersecurity expert at Swiss Re, highlights the risks associated with this concentration, as the failure of cloud services can have significant impacts on businesses and society. Vulnerabilities in cloud services can also affect re/insurers offering commercial cyber insurance products. Government agencies are now assessing the risks of cloud computing and tech consolidation, particularly in the context of societal and national security.

The CrowdStrike outage has prompted companies and governments to reassess their dependence on a single vendor and the ability to withstand errors by providers. Over-centralization makes organizations and the nation less resilient, and there are societal and national security risks in relying heavily on one or a few service providers. However, the benefits of cloud computing still outweigh the risks for organizations seeking a broader customer base, as long as they can afford to hire experts in cloud security.

Individuals who store their data in the cloud also face security, privacy, and reliability risks. Privacy concerns arise from the sharing of personal information with other businesses, government agencies, or employees of the cloud service provider, and from the ability of cloud service providers to access stored data. The recent outage has also exposed companies to new risks from hackers attempting to exploit the situation.

CrowdStrike’s reputation and stock value have taken a hit following the outage. The company is facing potential class-action lawsuits, and law firms are already investigating damages resulting from the incident. In response, CrowdStrike has promised to reform its update deployment strategy, implementing a staggered deployment and adding extra validation checks. The company will also involve humans in testing updates and give customers more control over when and where updates are deployed.