Han Dieperink: One Crowdstrike, you’re out

July 23, 2024

_{This column was originally written in Dutch. This is an English translation.}

By Han Dieperink, written in a personal capacity

Last week, many computers worldwide shut down as a result of a cybersecurity problem. This time there was no threat in the form of a DDos attack, ransomware, social engineering, phishing, or any other hacker activity. It was a human error in the cybersecurity software, software that is intended to prevent such a problem.

Once again, people appear to be the weakest link when it comes to digital security. In our highly interconnected world, such a relatively small human error can quickly go viral and cause a lot of damage. The arrival of AI will help cybersecurity eliminate the human factor. But the hacker can also use AI in attacks. Once again it appears that the cybersecurity risks, and in particular their consequences, are simply too great to outsource.

The history of cybersecurity

The first computer virus was called Brain and could infect IBM PCs (including compatibles) from January 19, 1986. Brain was able to spread not via the internet, but via a floppy disk. A year later, the first antivirus software was released (anti4us and Flushot Plus) and the concept of cybersecurity was created.

Nowadays, cybersecurity encompasses much more than just antivirus software. It is the set of measures, methods, strategies and tools to protect information on computers and other systems. The ultimate goal is to protect the user in the ongoing race with increasingly professional hackers.

Before the first IBM-compatible PCs came onto the market, the system software was centralized in the mainframe. This is a closed environment in which third parties can work with the computer via terminals, but cannot tinker with the operating system (OS). With the client-server setup, the computing power was local, also because the networks were not yet fast enough.

Such a system is extremely vulnerable to viruses, especially because not every user uses up-to-date software. With the arrival of the cloud, things have become much more difficult. In fact, this brings us back to the concept of the mainframe. A virus can still be kept out in the cloud, but there is malware that can survive in the cloud. After all, the cloud is basically nothing more than a simple copy of all uploads.

When things go south

To prevent users from not running their updates or running them too late, many software updates are now automated. This is how a human error in a Crowdstrike update ended up causing problems in so many places at the same time. Tens of thousands of planes were grounded, treatments in hospitals were cut short and television channels stopped their programs.

As far as we know, it is the first time that cybersecurity software has caused such a major problem. Windows users (68% of the market) once again saw the previously familiar blue screen. There was nothing wrong with competitors Apple and Linux. The solution is relatively simple, but cumbersome: uninstall the update (called C-00000291*.sys) and restart the PC manually.

In companies with many PCs, this can take a long time. After all, this involves millions of PCs. That means a lot of extra work for IT people. Crowdstrike claims it has 29,000 customers, half of which are the Fortune 500. Elon Musk has now had Crowdstrike removed from all systems at Tesla. It is striking that Crowdstrike shares only fell 11% on Friday, considering the billions in damage caused.

How can this be prevented in the future?

Now Crowdstrike is not a small company, but the fact that one software company is able to shut down so many activities worldwide for an extended period of time will automatically raise the question of whether this could not be done better. Microsoft is bigger than Crowdstrike with its Defender cybersecurity software, but Defender itself was hacked earlier this year.

Crowdstrike's mistake could easily have been prevented by (double) testing the update, but that was not done. This is because these types of companies want to install updates as quickly as possible when a new virus is discovered. Furthermore, the market for cybersecurity software is highly concentrated. In combination with apparently inadequate quality controls, it makes cybersecurity companies vulnerable.

Many companies have been confronted last week with the risk of outsourcing systems that are essential to running the business, especially systems with automatic updates. Companies will want to be less dependent on one supplier and will also want to do more themselves with their own IT department. They may even opt for a backup in a cloud from another supplier in the future.

The risks of an oligopoly

Fifteen cybersecurity companies control a total of 62% of the market. Three companies (Microsoft, Crowdstrike and Trellix) together control more than half of the market. As a result of the developments last week, governments will take measures to prevent such major problems in the future, especially in critical sectors such as healthcare, financial services, transport and energy. One of these measures could be that the market should be less concentrated than it is now.

This measure could also be included in the discussion about the market power of BigTech companies in the United States. The cloud also actually consists of three companies: Microsoft, Amazon and Google. Since cyber warfare is a matter of national security, there could be many more rules and procedures for cybersecurity companies. Given the extent of the damage, it could have an impact on economic growth.

In itself this is a one-off incident and the stock market can see through it. However, it does fit into a pattern of more cyber attacks. There is a need for more robust systems, for example by duplicating them (an opportunity for cloud providers) or by requiring more procedures (more government intervention) that can reduce profit margins.

Most users have no alternative to Microsoft as an operating system, but they do have an alternative in the field of cybersecurity. Some investors see cybersecurity as an investment theme, but it is far too narrow for that. Cybersecurity will increasingly become an integrated part of the software, which means that such a theme can be seen much less as a pure play. While expectations about market growth are high, this is often already included in the valuation.

More columns by Han Dieperink