More Dependence Means More Vulnerability

The blue screen of death (SFGate)

The Microsoft Windows "blue screen of death" appeared on many thousands of computers worldwide and disrupted operations of a broad swath of major industries, including airlines, banks, and hospitals. The culprit wasn't a hacker but a software update issued by the cybersecurity firm CrowdStrike.

The outage, one of the most momentous in recent memory, crippled computers worldwide and drove home the brittleness of the interlaced global software systems that we rely on.

Triggered by an errant software update from the cybersecurity company CrowdStrike , the disruption spread as most people on the U.S. East Coast were asleep and those in Asia were starting their days.

Over the course of less than 80 minutes before CrowdStrike stopped it, the update sailed into Microsoft Windows-based computers worldwide, turning corporate laptops into unusable bricks and paralyzing operations at restaurants, media companies and other businesses. U.S. 911 call centers were disrupted, Amazon.com employees’ corporate email system went on the fritz, and tens of thousands of global flights were delayed or canceled.

“In my 30-year technical career, this is by far the biggest impact I’ve ever seen,” said B.J. Moore, chief information officer for the Renton, Wash.-based healthcare system Providence, whose hospitals struggled to access patient records, perform surgeries and conduct CT scans.

Fixing the problem involved technical steps that confounded many users who aren’t tech-savvy. Some corporate IT departments were still working to unfreeze computer systems late on Friday. CrowdStrike said the outage isn’t a cyberattack.

Unfortunately, restarting computers and removing the offending software had to be done manually---skills well within the capability of Windows users 30 years ago but unfortunately lacking in the majority of users today. (An analogy is being able to understand the basic workings of an automobile and effecting some minor repairs versus being totally helpless if anything should go wrong with one's car.)

IT teams often can fix problems on employees’ computers using remote-access software—tools that became especially common during the work-from-home boom of the pandemic. But for laptops and other PCs that approach doesn’t work if the machines can’t restart. For those systems, CrowdStrike’s fix had to be done in person—either by a tech-support person on site, or by a regular employee trying to apply the instructions.

Another aspect of resilience is being able to perform one's basic job functions if the computers--which after all were once regarded as just a tool--go down.

Speaking as one who used to close the books, make the payroll, invoice the customers, and pay the bills with an adding machine, a pen, and a typewriter, I am appalled by accountants who lack basic knowledge of the functioning of accounting systems.

Maybe this CrowdStrike incident will be a wake-up call to companies who don't want to risk their existence on the computers always working.