What experts are saying about the massive CrowdStrike global tech outage

Any system with a "single point of failure is a risk," one expert said

Cybersecurity firm CrowdStrike brought much of the world’s computing systems to a halt Friday when it bungled an update to its software on Microsoft Windows operating systems.

As a result, scores of hospitals, government agencies and airlines suddenly couldn’t access online services: At least 30,000 flights were impacted, 911 lines were down in a slew of states, and many hospitals had to stop noncritical surgeries. That’s in part because more than half of Fortune 500 companies use CrowdStrike’s software, which boasts almost 30,000 subscription customers.

As businesses work to restore services, experts said there are some lessons to be learned from the outage, which CrowdStrike has emphasized was not a cyberattack.

Gregory Falco, an assistant professor of engineering at Cornell University, said the incident highlights the perils of widespread dependence on software from just a few companies.

“The incident is a great example of the cascading failures that can occur given our relatively homogenous systems that comprise the backbone of IT infrastructure,” Falco said. “Cybersecurity providers are part of this homogenous backbone of modern systems and are so core to how we operate that a glitch in their operations will have similar impacts to failures in systems that are household names.”

Lee McKnight, an associate professor at Syracuse University’s School of Information Studies, said that CrowdStrike touts the consolidation of the Falcon system that malfunctioned, using it as a selling point. But, he warned, “any system put in place where there’s a single point of failure is a risk.”

“We now have a riskier world than we might have had before” when companies had their own IT systems, McKnight said. Back then, “if Microsoft installation was bad, it didn’t affect every company in the world.”

Put simply, he said, “single points of failure are bad.”

Dominic Sellitto, an assistant professor at the University at Buffalo School of Management, said companies should take stock of their software and try to limit automatic updates to a minimum.

“Most IT organizations have a rigorous testing cycle internally that happens with things like Windows updates to ensure this sort of thing doesn’t happen,” he said. “I think many organizations are going to be extending this process in light of this event.”