Opinion: Who will pay for the Crowdstrike outage?


While some other airlines including United have had mass flight cancellations since the outage – which stemmed from security updates related to Microsoft 365 apps and services from cybersecurity firm CrowdStrike – Delta has had far more flight cancellations than any other US airline. — John Spink/The Atlanta Journal-Constitution/TNS

Crowdstrike did not have a good day on July 19. During a routine software update, the file that the cybersecurity firm issued triggered a logic error that prohibited Windows machines from rebooting. Microsoft estimates that around 8.5 million computers may have been affected by the event.

This created a tsunami of downstream consequences, as computers that supported numerous industry operations were unable to coordinate and process data.

For air travel, the net effect was the cancellation of more than 10,000 flights since July 19, as reported by FlightAware, with Delta Air Lines particularly hit hard. Using very conservative estimates, if each flight was booked on average with 64 people, and the average cost of a ticket was US$290 (RM1,320), the lost direct revenue on these days totaled more than US$180mil (RM819.7mil).

Given that some of these people had to cancel hotel rooms and car rentals, and perhaps even miss cruises, the secondary effects of the outage in the hospitality industry alone are likely many times more than this.

Numerous other industries were affected, with similar analyses that can be undertaken.

In some areas, 911 services were unreachable, which meant that emergency calls for heart attacks and accidents went unanswered. Some of these missed calls may have resulted in deaths, for which no financial value can be placed.

Numerous large hospital systems around the nation were also affected, forcing nonemergency procedures and office appointments to be canceled or delayed.

Such a massive disruption has not gone unnoticed. The House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection requested a meeting with Crowdstrike CEO George Kurtz.

The question now being asked is: Who will pay for all these delays, cancellations and consequences?

The first group affected is investors on Wall Street, where more than US$10bil (RM45.5bil) of value was trimmed from Crowdstrike’s market capitalisation through July 22. How long it will take for Crowdstrike’s shares to recoup such losses remains to be seen.

The irony of the situation is that Crowdstrike software is designed to protect computers against viruses and malicious software. Yet the current outages did harm that rivals what a computer virus or malicious software could have unleashed. Using a war metaphor, what happened with Crowdstrike was akin to friendly fire.

The one saving grace from this event is that the fix to the problem file was not complicated, taking less than 80 minutes to identify and implement. However, damage had already been done to the 8.5 million computers affected, with some requiring manual deletion of the problem file and reboot.

Does this make Crowdstrike liable for all such work and efforts and the associated downstream damages?

Every software product that is available carries with it terms and conditions that limit its liability to the user in the events of any type of malfunction or disruption. In essence, users agree to hold the software owner harmless. Few of us ever take the time to read such agreements, even though we are bound by them.

Unfortunately, the outage is likely to spur a series of class-action lawsuits that will allow attorneys to argue on behalf of different classes of those harmed, seeking damages that ultimately will be settled out of court.

However, of greater importance is that the Crowdstrike outage shines a bright light on the fact that all organisations and entities that rely on computers are one bad file, one inadvertent keystroke or one software update away from a potentially destructive technology meltdown. Every organisation and entity are exposed to such risks.

What happened with Crowdstrike could have happened with any one of the many other security software companies, though perhaps not on such a large scale. This is the price that we all pay for enjoying the benefits of cyber efficiency and access to the digital economy.

No one wants to return to a paper-centered world, manually undertaking tasks that can be completed digitally thousands of times faster and more accurately.

This outage also provides a sneak peek into the future of how glitches in artificial intelligence systems may lead to cyber meltdowns, disrupting financial, transportation and health systems far beyond what any group of people could cause on its own.

Crowdstrike may carry some liability for what happened July 19, yet the demand for efficiency offered by our digital economy is just as complicit. The congressional committee that will question the Crowdstrike CEO may be unable to appreciate this fact.

The next several months will be interesting to observe as these liability issues are unraveled, discussed and explored. The alternative to what Crowdstrike offers — namely, no cyber protection — is far more dangerous than what transpired July 19.

This is the reality of living in a digital economy. It carries numerous benefits and conveniences that we all enjoy. It also carries risks, some of which are obvious, such as viruses and malicious software, and some are not, as many organisations learned July 19. – Chicago Tribune/Tribune News Service

Follow us on our official WhatsApp channel for breaking news alerts and key updates!
   

Next In Tech News

Ukraine says Russian cyberattack hits state registries but no data lost
Exclusive-US data-center power use could nearly triple by 2028, DOE-backed report says
Italy fines OpenAI over ChatGPT privacy rules breach
UK watchdog says $35 billion Synopsys-Ansys deal raises competition concerns
EU approves Nvidia's acquisition of Run:ai
Malaysia approves Data Sharing Bill 2024 for federal government agencies
MITRS online platform available from April 2025
MCMC publishes code of conduct for Internet and social media providers
Disruptive 10-minute deliveries spread to India’s food business
Slovak battery maker InoBat raises 100 million euros in latest funding round

Others Also Read