On Thursday, with ripple effects for days afterward, a routine software update triggered an unprecedented freeze across much of the world. CrowdStrike, a cybersecurity vendor whose software runs on Microsoft Windows systems, pushed an update that analysts say likely bypassed quality-assurance testing. The result disabled an estimated 8.5 million computers in what is probably the largest cyber event in history.
Microsoft systems that are critical to the online operations of banks, hospitals, police forces, major airlines, television stations and government agencies were affected. Flights and surgeries were cancelled, courts and government offices were closed, and the disruption created new openings for hackers, including against federal agencies.
The worldwide shutdown exposed Americans' collective cyber vulnerability: our dependence on trillion-dollar tech overlords could jeopardize national security.
Technology providers that support the infrastructure on which the public and private sectors rely have a responsibility to protect our security. In 2023, Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency (CISA), proposed holding tech companies accountable for selling vulnerable products. With such accountability measures in place, the global CrowdStrike outage might have been avoided.
The rapid consolidation of power in technology companies poses challenges to government and society. Companies reaching unprecedented sizes and valuations (in the trillions of dollars) control the digital infrastructure that people rely on at least as much as mail and trash collection. Tech companies now manage or help manage communications, commerce, and other services with greater agility than federal agencies, but they also do so with less regulation and public oversight, and a profit motive.
The technology sector accounts for more than 10% of the US economy. In 2024, Microsoft reported revenue of $211.91 billion. Other tech giants posted even larger figures: Amazon, $574.78 billion; Apple, $383.28 billion; and Alphabet (Google), $307.39 billion. (Meta Platforms, formerly Facebook, brought in $134.9 billion.)
A portion of these profits goes toward lobbying and paying fines for security and antitrust violations, rather than toward investing in cybersecurity and other improvements that would reduce harm to consumers. In 2023, tech giants spent at least $10 million each on lobbying while also incurring more than $3 billion in fines and settlements for violating European digital antitrust laws and facing lawsuits from the Department of Justice and the Federal Trade Commission. Meanwhile, in 2022, the cost of poor software quality in the US amounted to at least $2.41 trillion, according to the Consortium for Information and Software Quality.
Software-caused disruptions can be avoided in a number of ways. Diversifying contractors and technology options strengthens resilience and mitigates risk. Conversely, if everyone relies on a couple of vendors, any breakdown has huge consequences. CrowdStrike, one of the largest cybersecurity companies in the country, exemplifies this problem: it counts more than half of the Fortune 500 as customers.
Equally important is cybersecurity redundancy – multiple layers of security measures and backup systems that ensure continued protection and functionality even if one layer fails or is compromised. While creating these redundancies may cost companies more up front, they are investments in maintaining trust between companies and their customers, as Javad Abed, a cybersecurity expert and adjunct professor of business at Johns Hopkins University, told USA Today.
About two-thirds of reported software vulnerabilities in commonly used programming languages stem from memory-safety flaws, such as incorrect allocation or freeing of memory, or writing past the end of a buffer, that can allow unauthorized access or malicious code execution. Earlier this year the White House, notably for a government that so often lags on technology issues, urged widespread adoption of "memory-safe" programming languages such as Rust, Go, Python and Java, which guard against those classes of error by checking memory accesses at compile time or at run time. However, Microsoft and other big tech companies still rely on C and C++ alongside other languages because they are fast and are used to develop firmware, the programs embedded in hardware that let devices function. It is worth sacrificing some convenience to avoid devastating security flaws.
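To make the preceding point concrete, here is an added example (not from the article, and unrelated to CrowdStrike's code) of the bug class the White House memo targets: an unchecked copy in C that overruns a fixed-size name field and silently rewrites the adjacent admin flag, shown beside a bounds-checked version. The 17-byte record layout, the function names and the attacker input are all constructed for illustration; the record is kept as one flat byte array so that every write stays inside it and the outcome is deterministic.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Hypothetical session record (constructed for this example):
 * bytes 0..15 hold the user name, byte 16 holds the admin flag.
 * Because it is one flat array, the "overflow" below stays inside the
 * array, which keeps the demo well-defined while still showing how an
 * unchecked write corrupts whatever data sits next to the buffer. */
#define NAME_LEN  16
#define REC_LEN   (NAME_LEN + 1)   /* name field + 1-byte admin flag */
#define ADMIN_OFF NAME_LEN         /* offset of the flag byte        */

/* Fresh record: empty name, non-admin. */
static void init_record(unsigned char rec[REC_LEN])
{
    memset(rec, 0, REC_LEN);
}

static int is_admin(const unsigned char rec[REC_LEN])
{
    return rec[ADMIN_OFF];
}

/* VULNERABLE: copies until the terminating NUL, bounded only by the
 * whole record rather than the 16-byte name field. A name of 16 bytes
 * or more spills into byte 16, the admin flag. */
static void set_name_unchecked(unsigned char rec[REC_LEN], const char *name)
{
    for (size_t i = 0; i < REC_LEN; i++) {   /* wrong bound: REC_LEN, not NAME_LEN */
        rec[i] = (unsigned char)name[i];
        if (name[i] == '\0')
            break;
    }
}

/* HARDENED: measure first, refuse anything that would not fit with its
 * NUL inside the name field, so the flag byte is never written. */
static bool set_name_checked(unsigned char rec[REC_LEN], const char *name)
{
    size_t n = strlen(name);
    if (n >= NAME_LEN)          /* need n + 1 bytes, and n + 1 <= NAME_LEN */
        return false;
    memcpy(rec, name, n + 1);   /* at most 16 bytes: stays inside the field */
    return true;
}

/* Feed a name through the unchecked copy and report the resulting admin
 * flag (1 means privilege gained purely through the overflow). */
int run_unchecked(const char *name)
{
    unsigned char rec[REC_LEN];
    init_record(rec);
    set_name_unchecked(rec, name);
    return is_admin(rec);
}

/* Same input through the checked copy: -1 if rejected, else the flag. */
int run_checked(const char *name)
{
    unsigned char rec[REC_LEN];
    init_record(rec);
    if (!set_name_checked(rec, name))
        return -1;
    return is_admin(rec);
}

int main(void)
{
    const char *benign = "alice";
    /* Constructed attacker input: 16 filler bytes, then 0x01 lands on the flag. */
    const char *attack = "AAAAAAAAAAAAAAAA\x01";

    printf("benign: unchecked admin=%d, checked admin=%d\n",
           run_unchecked(benign), run_checked(benign));
    printf("attack: unchecked admin=%d, checked result=%d\n",
           run_unchecked(attack), run_checked(attack));
    return 0;
}
```

The same logic written in Rust or Go would not compile with the wrong bound in the unchecked version, or would panic at the out-of-range index instead of quietly flipping the flag; that run-time or compile-time check is what "memory-safe" buys, and what C leaves to the programmer.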
Finally, in line with Easterly's recommendation to increase the accountability of tech companies, US regulations need an update. Our antitrust laws should stop focusing solely on prices and economic harm and expand to cover the protection and security of personal data. Federal regulations ensuring that software is secure by design would shift the responsibility onto vendors to deliver secure products from the start. We can also look to the European Union, where regulators are prioritising cyber resilience through the Digital Operational Resilience Act, which applies from 2025 and sets strict requirements to ensure that the financial sector can withstand threats to its information and communication technology.
Only by holding technology providers to the highest standards can we continue to enjoy the advances of an interconnected world without fear of avoidable and potentially deadly disruptions.
Heidi Boghosian is a lawyer and author of the upcoming book “Cyber Citizens: Saving Democracy Through Digital Literacy.”