Public Radio for the Central Kenai Peninsula
Play Live Radio
Next Up:
0:00
0:00
0:00 0:00
Available On Air Stations
Support public radio — donate today!

The Crowdstrike outage showed the vulnerability of the cloud

SCOTT SIMON, HOST:

Companies continue to grapple with the massive CrowdStrike outage. It took down millions of computers running Microsoft Windows last Friday. Insurers now estimate that Fortune 500 companies hit with the outage face a staggering $5.4 billion in financial losses. NPR's tech correspondent Dara Kerr reports that the meltdown shows just how vulnerable computer systems are. And a note - CrowdStrike and Microsoft are NPR funders, but we cover them like any other company.

DARA KERR, BYLINE: In pre-dawn hours last week, the software vendor CrowdStrike issued an automatic security update. It was for all of its customers running Microsoft Windows on their computers. But by sunrise, tens of thousands of businesses worldwide were paralyzed, thanks to the update being faulty. The result - a blue screen of death.

EMILY PETERSON-CASSIN: And all of a sudden, you have airlines, 911 calls, communications, businesses have to close.

KERR: Emily Peterson-Cassin is a director at the advocacy organization Demand Progress. She says a big takeaway is that too many businesses are reliant on a handful of cybersecurity providers.

PETERSON-CASSIN: Just the vastness of one mistake highlights how big of a risk it is to rely on one company for such a huge swathe of infrastructure.

KERR: So what is that one company - CrowdStrike. It was founded in 2011 and now boasts nearly 30,000 customers. About 300 of them are Fortune 500 companies, including all the major airlines, the biggest banks on Wall Street and huge health care systems. And what CrowdStrike does is it pushes out security updates through a cloud-based system to all of its customers at once. Glenn Gerstell is the former general counsel of the NSA. He says it was just a matter of time before something like this happened.

GLENN GERSTELL: The reality is something like this is probably going to happen again. These kinds of outages that have massive cascading and ripple effects are going to continue because of the underlying reality that everything is extraordinarily interconnected.

KERR: Gerstell says last week's outage reveals the fragility of the entire internet - an internet that was originally organized without anticipating these types of massive computer systems with billions of users.

GERSTELL: Maybe 25 years ago, we might have been able to say, wait a minute, this looks like it's heading down the wrong track, but we're way past that point. And we just have to recognize that we're dealing with inherently fragile, cobbled-together pieces of electronic architecture that weren't really designed, from the beginning, to perform the functions that they are now performing.

KERR: He says the way this whole system was built makes it hard to prevent future meltdowns. Another takeaway is the nature of the security business, which is reliant on speed. To be effective, cybersecurity needs to get updates out there fast.

CRAIG SHUE: The adversary is adapting. They're trying to find small windows of opportunity to be able to launch an attack. And as a defender, you have to be able to move really quickly.

KERR: Craig Shue is the department head of computer science at the Worcester Polytechnic Institute. He says these incidents are extremely rare, but when they happen, they can affect everyone.

SHUE: We essentially have a many eggs in one basket kind of situation, and that allows us to fortify that basket. Like, we have really good security software, but it does mean that when that security software fails, it causes a lot of broken eggs.

KERR: Broken eggs that are still being cleaned up.

Dara Kerr, NPR News.

(SOUNDBITE OF DOKOI'S "GLOW") Transcript provided by NPR, Copyright NPR.

NPR transcripts are created on a rush deadline by an NPR contractor. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.

Dara Kerr
Dara Kerr is a tech reporter for NPR. She examines the choices tech companies make and the influence they wield over our lives and society.