The CrowdStrike outage shows our dependence on Big Tech overlords

Passengers at airport walk past a blue screen showing frowning face error message

By Heidi Boghosian

July 23, 2024 12:07 PM PT

Starting on Thursday with ripple effects for days afterward, a routine software update caused a record-breaking freeze across much of the world. CrowdStrike, a cybersecurity vendor deployed by Microsoft systems, installed an update that analysts say probably skipped quality testing. The result disabled an estimated 8.5 million computers in perhaps the largest cyber event in history.

Affected were Microsoft-powered systems critical to the online operations of banks, hospitals, police forces, major airlines, TV stations and government agencies. Flights and surgeries were canceled, courts and government offices shut down, and new hacking vulnerabilities introduced, including for federal agencies.

The shutdown brought Americans’ collective cyber vulnerability into sharp focus: Our reliance on trillion-dollar tech overlords may imperil national security.

The tech providers that support infrastructure relied upon by the public and private sectors bear a responsibility to protect our safety and security. In 2023, federal Cybersecurity and Infrastructure Security Agency Director Jen Easterly proposed holding tech companies liable for selling vulnerable products. With such liability measures in place, CrowdStrike’s global outage might have been avoided.

The rapid consolidation of power in tech companies poses challenges to the government and society. Companies reaching unprecedented sizes and valuations in the trillions control digital infrastructure that people depend on at least as much as the mail and trash pickup. Tech companies now run or help run communication, commerce and other services more nimbly than do federal agencies. But they also do it with less regulation and public oversight — as well as a profit motive.

The tech sector’s market dominance accounts for more than 10% of the U.S. economy. In 2024, Microsoft reported revenues of $211.91 billion. Other tech behemoths posted even larger figures: Amazon $574.78 billion, Apple $383.28 billion and Alphabet (Google) $307.39 billion. (Meta Platforms, formerly Facebook, posted $134.90 billion.)

A chunk of these profits goes toward lobbying and paying penalties for safety and antitrust violations, rather than investing in the cybersecurity and other improvements that would reduce consumer harms. In 2023, tech giants spent at least $10 million each on lobbying while also receiving more than $3 billion in fines and settlements for breaking European digital antitrust laws and facing lawsuits by the Department of Justice and the Federal Trade Commission. Meanwhile, in 2022, the financial impact of poor software quality in the U.S. amounted to at least $2.41 trillion, according to the Consortium for Information & Software Quality.

Software-caused outages can be avoided in a few ways. Diversifying tech contractors and options strengthens resilience and mitigates risks. By contrast, if everyone relies on just a couple of providers, any single breakdown carries huge consequences. CrowdStrike, one of the nation’s largest cybersecurity firms, exemplifies this issue; it counts more than half of the Fortune 500 companies as customers.

Equally important is cybersecurity redundancy — multiple layers of security measures and backup systems that ensure continuous protection and functionality, even if one layer fails or is compromised. Although creating these redundancies may cost companies more in the beginning, they are investments in maintaining trust between businesses and their customers, as Javad Abed, a cybersecurity expert and assistant professor in business at Johns Hopkins University, told USA Today.

Around two-thirds of software vulnerabilities reported in commonly used programming languages stem from memory-related security flaws, such as the misallocation or freeing up of memory spaces that can enable unauthorized access or the execution of malicious code. Earlier this year, the White House — notably, given how often the government lags on tech issues — urged the widespread adoption of “memory safe” programming languages such as Rust, Go, Python and Java, which protect against certain kinds of bugs related to how memory is used. Yet Microsoft and other big tech companies continue to rely on C/C++ alongside other languages because those are fast and used in developing firmware, programs embedded in hardware memory to help devices operate. It is worth sacrificing some convenience to avoid devastating security lapses.

Finally, in line with Easterly’s recommendation to increase liability for tech companies, U.S. regulations need an update. Our antitrust laws should move away from focusing solely on pricing and avoiding economic harm to encompass data privacy protection and security. Federal standards to ensure that software is secure by design would shift responsibility to vendors to provide safe products from the outset. We can also look to the European Union, where regulators are prioritizing cyber resilience through the Digital Operational Resilience Act, effective in 2025, meant to establish strict requirements to make sure the financial sector can handle information and technology threats.

Only by holding technology providers to the highest standards can we continue to enjoy the advances of an interconnected world without fear of avoidable — and possibly life-threatening — disruption.

Heidi Boghosian is an attorney and author of the forthcoming book “Cyber Citizens: Saving Democracy Through Digital Literacy.”