Learning from CrowdStrike: Regulatory Consequences


This is the first of two notes I'm posting related to the CrowdStrike event that affected over 8.5 million Windows computers and servers on July 19, 2024. I'm not commenting directly on what CrowdStrike did or did not do - there will be ample time for detailed post-mortems with lawyers and government bodies everywhere paying close attention.

The event highlights important issues I think need to be better understood and acted upon to avoid a repeat incident and to augment the stability and safety of the global technology that underpins our lives. As a single point of failure, the CrowdStrike event stopped airlines, airports, banks, hospitals and others from functioning normally. This was a global safety and security event and shines an intense spotlight on unintended consequences and things that we can all address.

Regulatory Overreach and Unintended Consequences

CrowdStrike and all major security vendors take advantage of being able to access the protected kernel of the Windows operating system. For those not technical, this is the most sacred part of the operating system which is meant to ensure the safety and stability of Windows. All operating systems have a kernel (Windows, Linux, macOS, etc.), and all make sure that the kernel is protected so that bad code or malicious actors can't override the protections and safeguards.

Well, almost all.

The European Union, as part of its continuing actions against Big Tech and supposedly in the name of opening up competition, decided in 2007 to impose a (then) record fine of €497 million on Microsoft, finding them guilty of anti-competitive behaviour on multiple levels.

As reported in the Wall Street Journal on Sunday July 21, 2024, Microsoft said its hands were tied after they came to an agreement with the EU in 2009 based on the 2007 case. This required Microsoft to give vendors the same internal and privileged access to Windows as Microsoft has. This means that vendors are able to interact with the protected core, and if not careful, are able to cause it to crash as it did last Friday.

While sounding good in the name of opening up competition, this agreement meant that the stability of Windows was no longer fully in Microsoft's control. The unintended consequence of the EU achieving political points for open competition actually created a stability vulnerability that the world experienced last Friday.

Apple, for example, is not (yet) constrained by the EU and keeps its kernel closely guarded. Its App Store is actually a way for them to provide safeguards to prevent nefarious or simply bad code from making its way to Apple devices. It's far from perfect, but with the EU and the US DOJ scoring political points pushing hard against the App Store, they could expose Apple's customers to the same vulnerability as the EU action did with Windows. An unintended consequence.

With the ubiquitousness of technology in our lives and the rapid shift to cloud and AI-based systems, consumer groups, politicians and activists everywhere are looking for ways to contain the genie in the bottle. Even with the best of intentions, the unintended consequences of overreach can have dramatic and even dangerous outcomes.

Maybe we need to be reminded of the immortal words of IBM's Thomas J. Watson in 1911: Think!

Copyright (C) 2024, Lian Zerafa. The views expressed here are my own.

#CrowdStrike #Microsoft #cybersecurity #risk



Dan Brennan

Senior Consultant at IntellEcomm Management Consultants Inc

4 months

Authorities often confuse familiarity with expertise. We're all familiar with PCs and smartphones but understanding how several hundred thousand copies of a Windows file can be a single point of failure requires expertise. Technology delivers on its promise when knowledgeably applied. It easily delivers CrowdStrike incidents otherwise. Unfortunately it's likely technology's dazzling promise will obscure that lesson among authorities for quite a while yet.
