CrowdStrike: From Anonymous to Infamous
How digitalization, SaaS, and disaster capitalism create an explosive, yet profitable mix
A short but telling personal anecdote before we sink our teeth into the already infamous CrowdStrike outage. Close to a decade ago I started working with a container shipping company in the operations department. The first days at work were mainly reserved for training, for me to understand what people do in the department. I sat next to someone who was in charge of the vessel manifest, which is the document holding details about all the containers on the vessel (the container number, origin, destination, contents, etc.). Given that the company’s ships were rather large, the manifest was often several hundred pages long. The person opened the manifest in Notepad and clicked print, and then several minutes later he brought it back. This was supposed to go onboard the ship!
I couldn’t believe that in the 21st century we still did things on paper. What a waste! How many trees were cut for this document (this was a time when environmental consciousness was saving paper, as opposed to now when using paper is considered carbon negative, and good for the environment). We have the capability to send things electronically (EDI – electronic data interchange - had been around for at least a decade at that time and was working just fine), yet paper still ruled. I thought maybe the shipping sector was just a bit conservative – it was. But they were also quite smart.
Fast-forward a decade, more business processes than ever before have been digitalized and are at higher risk than ever before. Not only has digitalization exposed businesses to worldwide external threats, often perpetrated from outside the jurisdiction where businesses operate, practically ensuring no or limited prosecution of perpetrators. Digitalization has also increased the risk of critical business disruptions due to internal threats, this time from an unexpected source – technology vendors. The CrowdStrike outage should raise questions in every business as to the benefits, costs and risks of digitalization and the need for business operations resilience. Paraphrasing Thomas J. Allen and Michael Scott Morton more than three decades ago: the question isn’t if a process can be digital, but whether it should be digital. Maybe paper-based processes were cumbersome, slow, required large printers and substantial amounts of paper. But they also ensured that the walls containing organizational data and processes were physical rather than virtual.
The question isn’t if a process can be digital, but whether it should be digital. Maybe paper-based processes were cumbersome, slow, required large printers and substantial amounts of paper. But they also ensured that the walls containing organizational data and processes were physical rather than virtual.
What happened
If you haven’t heard of CrowdStrike before, don’t worry, most of us haven’t. CrowdStrike is a US technology company provides endpoint security primarily to corporate clients. Endpoints can be laptops, tablets, phones, or other machines that can pose cybersecurity risks. Antivirus software accomplish pretty much the same task but focusing specifically on malware, whereas endpoint security deals with a wider array of corporate security issues. There’s still a software product that needs to be installed but that usually happens in the background through IT departments, often unbeknownst to the user. However, because of the greater depth of the protection, endpoint security software requires a high level of access and control to the machine. One product that provides this service is CrowdStrike Falcon.
Due to privileged access CrowdStrike Falcon has on corporate machines it also meant that issues with the software can have repercussions on their functionality. On July 19th these repercussions became visible when a faulty update “triggered a logic error that resulted in an operating system crash.” Specifically, a coding error pointed the software to load a memory address that was inexistent, triggering a system shutdown. Whether the error was accidental, partly, or entirely intentional, as some have suggested, is an interesting question but somewhat beside the point. The result of this error was the systematic and persistent failure of 8.5 million machines running the Windows operating system. This failure in turn disrupted services from airlines, airports, government services, logistics, port terminal operators, healthcare providers, payment processors.
As a small digression, this type of event isn’t a first, although it is perhaps one of the largest disruptions of its kind. In 2010, the antivirus software company McAfee updated its software triggering the failure of several hundred thousand machines running Windows XP. Funnily enough, the current CEO of CrowdStrike, George Kurtz, was in 2010 and during that event, the CTO of McAfee. The McAfee-caused outage isn’t as famous, possibly because it affected fewer businesses in a time where digital services use was not so widespread. Perhaps there was more redundancy is the system? We are in a different era now.
The SaaS digitalization dilemma
Digitalization has been accelerating and has picked-up speed especially during and after the COVID-19 pandemic. Pause for a moment and think how many restaurants had QR codes for digital menus prior to the pandemic. Accelerating digitalization was enabled by managed IT services or software as a service (SaaS) where businesses do not need to directly manage the IT infrastructure required for technology deployment. This makes the upfront costs (both financial and staff-related) much more appealing. Add to that the common belief in virtually every corporation or large business that technology ‘saves money’. The other important aspect is that SaaS offshores responsibility especially for cybersecurity. The result is incentive alignment: technology companies push the SaaS model onto clients, and businesses invest in technology as it ‘saves money’. It’s a win-win!
There are, of course, some downsides to digitalization and to the SaaS model. We have just experienced the effects of one of these downsides. The SaaS model introduces a unique point of failure for business operations in multiple businesses, often businesses operating in the same domain (e.g., airlines, airports, customs etc.). Software errors or outages that would have taken out a business now take out an industry or several.
A small parenthesis on responsibility offshoring. The last 4-5 years have seen a massive rise in cybersecurity breaches. One of the most recently announced is the AT&T breach where the data of more than 100 million clients was exposed. In Australia, several breaches in companies like Optus or Medibank exposed data of nearly half of the country’s population. The widely publicized Boeing 737 Max crashes had a component of poor technology implementation that led to the disaster. These issues have affected the businesses’ reputation. Using SaaS means that cybersecurity is outsourced but so is the reputational risk. For instance, although the 2023 Okta breach affected all its clients spanning multiple companies, that breach was not such a high-profile case as say Optus or Medibank.
This is the digitalization dilemma, the incentives between technology vendors and businesses are well aligned prompting extensive digitalization specifically through the SaaS model. Yet, as more services and business processes are essentially outsourced, the business risk for catastrophic disruptions grows. Although many businesses talk about risk management, there’s no real model that I’m aware of that properly manages this.
Disaster capitalism
What’s the solution to heightened risk brought by managed IT services? MORE managed IT services to manage the risk of the managed IT services!
The question I’ve often asked myself after these types of major events is: are things going to change? The pessimist in me sees few chances for this to happen. The first reason is that incentives between technology vendors and senior managers will continue to be aligned. I’d go a step further in saying that these outages are likely to send cybersecurity efforts in overdrive. What’s the solution to heightened risk brought by managed IT services? MORE managed IT services to manage the risk of the managed IT services!
At an industry level there is one perhaps hidden incentive: disaster capitalism. The term, introduced by Naomi Klein, referred to the exploitation of crises to establish controversial policies, while the crisis itself acts as a distraction from effective resistance and response. In the past five years the amount of major manmade disasters worldwide has been absolutely stunning, starting from the global pandemic and the lockdown measures, the Suez Canal blockage in 2021 and current Houthi siege, the Panama Canal congestion, US and Asian port congestion, the severing of internet cables in Australia, the Palestine, Ohio derailment, the Francis Scott Key bridge collapse and, now, the CrowdStrike outage.
As undesirable as crises appear, they do typically have a positive effect on business performance as they justify price increases, power centralization and the creation of oligopolies and monopolies. For instance, the Suez Canal crises were formidable revenue generators for container shipping profitability. The sector’s net income rose from ZERO in the five years prior to the pandemic to US$63.1 billion in Q2 of 2022. Panama Canal congestion led to ‘skip the queue’ bids of up to US$ 2.4 million for the privilege. Enron discovered just how profitable crises were and built a business model out of it. Disaster capitalism is just that model at a different scale. The disaster capitalism model leverages unique points of failure especially in supply chains (whether these are technological, infrastructural or admirative seems to make little difference) to generate crises that typically generate improved performance for various sectors of the economy.
This doesn’t necessarily mean that organizations will trigger crises or disasters on purpose. However, when crises do occur, the profiteering process may commence. The key issue here is, not all sectors or organizations benefit from all the crises all the time. As much as crises help profitability in one sector, they may cripple others. For business continuity, it pays to be prepared.
Preparedness in the crisis age
If there is one concept that should enter senior managers’ and organizational vocabulary, it’s resilience. Resilience is the ability to absorb changes (including unexpected ones) while continuing to function. The concept can be applied from infrastructure, supply chains, organizations, processes to data. In it of itself, resilience is too abstract to be particularly useful. However, drilling down into the aspects of resilience can help. Some aspects of resilience include redundancy, agility, flexibility, and visibility.
Redundancy is the repetition of elements to provide alternative functional channels;
Flexibility is the ability to redeploy capacity that has been previously committed;
Visibility is the access and sharing of key or useful information in a timely manner;
Agility is reaction speed to events.
These aspects should be used to highlight potential actions to be applied on infrastructure (ports, communication infrastructure, power sources), supply chains (e.g., inventory, sourcing, logistics), organizations (departmental functions) and processes (payment processing, data/customer interactions, data processing and management). This exercise can yield hundreds of issues where resilience can be improved. The way to prioritize amongst these issues is to plan and act first to address unique points of failure (the Suez and Panama Canals are excellent examples in logistics). If an entire business operation relies exclusively on SaaS, it’s probably a good idea to implement some redundancy, irrespective how inefficient it might be having to deal with this issue. For instance, many hospitals have transitioned to digital record keeping but continue to have a manual, paper-based process as a backup.
Preparedness and resilience are key because the likelihood of events like the CrowdStrike outage in other areas is quite high. At a technology level, failure of fundamental SaaS products for business operations like Enterprise Resource Planning (ERP), Transport Management Systems (TMS), 2-Factor Authentication (2FA) should be considered. With increasing electrification of both transport and industrial processes, electricity outages may become more sustained than previously considered. Electricity grids may also face quite significant instability with increased penetration of renewable energy sources which can also affect the length and frequency of outages. This may affect both production, storage, and logistics. In the age of ‘Smart’ (to be read: internet connected) tools, more generalized equipment failures can be expected – if all vehicles receive a faulty update, they may fail concomitantly.
Where to next
The CrowdStrike outage is an example of the types of global crises likely to occur perhaps even with increased frequency. These crises are fueled by digitalization that has increased corporate risk by exposing business processes and data to the world, by the SaaS model that outsources technology management and failure responsibility while further increasing risk and by disaster capitalism that perpetuates a business model that takes advantage of technology failures and crises. As profitable as this volatile mix may be, it will likely weaken businesses and perhaps entire business sectors in the medium- to long-term. Personally, this means that it’s rather unlikely I’ll be out of a job anytime soon. To avoid a large-scale Enron like end, businesses need to take back control over their own processes, data, and risks.