What happened? What can be done? What does this mean for the future of cybersecurity?

CrowdStrike, until last Thursday an obscure tech company, is now notorious for bringing the global economy to a shuddering halt. A corrupted update in its software crippled multiple industries around the world, from stock exchanges to aviation and pharmacies.

What happened? What can be done? What does this mean for the future of cybersecurity? And what can the world do to protect itself from technological Armageddon?

What went wrong?

On Thursday, July 18, the Texas-based cybersecurity company CrowdStrike updated its Falcon antivirus software for business systems using Microsoft Windows. Falcon interacts with Microsoft 365, Amazon Web Services, and Instagram, among others. A bug in the update brought these systems to their knees, affecting 8.5 million Windows devices worldwide. Users saw the dreaded Blue Screen of Death (BSOD), a Windows message indicating a system crash. Rival operating systems Linux and MacOS were unaffected.

What were the consequences?

Risk management firm Interos reported that 674,620 customers were directly affected, and 49 million indirectly. The largest share of affected organizations, 41%, were in the US, followed by 28% across Europe. Worryingly, 82% of US state governments and 48% of the largest US cities use CrowdStrike. The effects are difficult to quantify. More than 5,000 flights were canceled. Trains couldn’t run, and hospitals, pharmacies, broadcasters, and banks ceased functioning. Ports from Los Angeles to Rotterdam were shut down. Visa, which processes 8,000 transactions per second, was hit too.

Who was affected?

No personal devices were impacted, but businesses across a wide range of industries here hit. The most visible effects were on consumer-facing firms like airlines, railways operators, banks, retailers, pharmacies, health care providers, and credit card processors. Ports, emergency services, stock exchanges, broadcasters, and payroll software providers were hit too.

How can it be fixed?

CrowdStrike has issued a fix, but it will need to be applied separately to each affected device. Computers will need to be manually rebooted in safe mode, which will be a colossal headache. Microsoft advised clients to turn devices off and on again up to 15 times to reboot, and CrowdStrike advised IT experts to delete a specific file. CrowdStrike has acknowledged that it could take anywhere between hours and days to resolve this issue. Cybersecurity expert Eric O’Neil estimated it would take three to five days for things to return to normal.

What does it mean for cybersecurity going forward?

The incident has set off alarm bells about overreliance by so many large organizations on one company, and will raise awareness of the importance of cyber preparedness. One academic said businesses would have to reframe cybersecurity as an investment rather than just a maintenance cost.

How can such a scenario be avoided in the future?

Cybersecurity expert O’Neil recommends two key changes to avoid a repeat of this nightmare scenario. First, updates should not be rolled out to all customers at once, but rather incrementally, so problems can be detected early and nipped in the bud. Second, companies should remedy “points of failure,” single vulnerabilities that can shut down a whole system; and build in “redundancy” — i.e., use more than one cybersecurity tool so they’re not dependent on one provider. The fact that it was rolled out over Friday exacerbated the chaos; companies typically have fewer employees available on Fridays, and updates are generally deployed midweek to avoid just such problems.

Party Picks — and Their Problems

When party faithful pick their leader, it often ends badly. They usually go for the ideologically extreme, less pragmatic candidate who fails to appeal to the wider public. Two recent examples from the UK are Liz Truss and Humza Yousaf. And now Vaughan Gething, who resigned as Labour’s first minister of Wales last week, completes this triumvirate of failure.

Liz Truss was elected in 2022 by Conservatives sold on her tax cuts, minus the required spending cuts to balance the books. Cue market meltdown and political Armageddon for the Conservatives. Truss’s short-lived tenure fed into the Tories’ rout at the recent general election.

Humza Yousaf (also known as Humza Useless) succeeded Nicola Sturgeon as Scottish National Party leader and first minister in 2023. He narrowly beat the more competent and popular Kate Forbes to become the first Muslim to lead a Western nation. But he was saddled with Sturgeon’s unpopular social agenda and introduced an Orwellian Hate Crime Bill. He reneged on undeliverable environmental targets and was soon tossed.

Former health minister Vaughan Gething became the first black leader of a UK nation after beating the more moderate, likeable, and able former education minister Jeremy Miles by a whisker. But he took office with a scandal over his head about a donation he took from a firm who breached environmental laws; he fired a minister accused of leaking to a media outlet, which denied she’d done so; and he clung on even after he lost a confidence vote in the Welsh parliament. Gething finally quit after three ministers and his chief legal advisor resigned.

As the Conservatives in the UK and the Democrats in the US choose new leaders, they would do well to remember these debacles.

Vance and the Valley

Republican vice presidential nominee J.D. Vance is half Trump’s age, and looks like the future of the GOP. Adding to his energetic, youthful vibe is the backing he’s received from tech titans Peter Thiel and Elon Musk. Thiel, who cofounded PayPal, was an early investor in Vance’s venture capital fund Narya, and funded his successful 2022 Senate bid. But this is not a story of a Yale-educated financier in hock to corporate California.

Vance’s finance career mirrors his political philosophy: In 2018, he was recruited to a $150 million fund that invested in forgotten American cities. He bought into anti-woke candidate Vivek Ramaswamy’s investment fund, and built stakes in behemoths like Apple and Disney to urge them to reject woke politics.

Thiel, a Silicon Valley libertarian, has come to align with the MAGA movement. Elon Musk, who has endorsed Trump, heralded Vance’s appointment as the VP nominee, and has reportedly promised $45 million to a Trump-supporting super PAC — though as with most things Musk, it’s not clear exactly how much he intends to donate. Musk, whose concerns over free speech led him to buy Twitter, is angry with the Democrats over immigration and their progressive social agenda, bringing him right in line with Team Trump.

Vance’s investments in “Little Tech” — plucky fledgling start-ups in overlooked areas — are consistent with his enmity for Big Tech like Facebook and Google, which he has accused of censoring conservative voices and believes should be broken up. He’s also called for higher corporate taxes. Silicon Valley bigwigs had better watch out; the underdog looks set to become overlord.

(Originally featured in Mishpacha, Issue 1021)