Organisations around the world are still recovering from one of the biggest ever IT outages. On Friday, a glitch caused by a faulty software update from CrowdStrike, an American digital security vendor, affected 8.5mn Microsoft Windows devices. Flights were grounded, hospital appointments postponed, and several news broadcasters dropped off air. A fix was rapidly deployed, and many services have resumed. It may take time for all affected computers to be reset.
The toll will become clearer, but many are counting their blessings that this was only a tech malfunction and not something harder to resolve, like a cyber attack. Still, that a seemingly routine software update can wreak such worldwide chaos should serve as a wake-up call.
Crashes, hacks and data breaches are a mounting threat as the global economy becomes more digitalised and interconnected. Computers and the internet already underpin everything from stock exchanges and electric vehicles to central heating.
The concentration of software and hardware in the hands of a few providers makes matters worse. Many tech businesses tend to develop large customer bases, allowing them to collect more data, benefit from economies of scale, and improve their services. But these network effects also expose users to single points of failure. Three companies — Google, Amazon and Microsoft — account for two-thirds of the cloud provider market. CrowdStrike has close to a fifth of the endpoint cyber security market.
Building resilience is essential. First, businesses and governments need to understand their exposures. CrowdStrike and Microsoft are both reputable. But whenever an organisation is too reliant on an individual provider, there is always a risk, however small, of failures hitting its wider processes.
Second, once vulnerabilities are mapped, organisations need to build redundancy into their operations and develop contingency plans to ensure critical functions can still work in the worst-case scenarios. This includes diversifying their IT infrastructure by having more than one cyber security, operating system, or cloud provider. Air gapping — where large interconnected IT systems are backed up by smaller separate networks — is another option. Phased rollouts of updates are sensible too. These strategies are particularly important for critical government services and sectors, including healthcare, energy, and finance.
Third, closer collaboration between the public and private sector is essential. Businesses benefit from accessing secure digital networks, as well as the public services that rely on them. This means there should be a common interest in sharing information on breaches, vulnerabilities, and stress tests. The cost of switching between IT providers, interoperability, and the ability of new entrants to compete also need effective monitoring. But co-operation between regulators and tech firms is important to ensure any regulations are targeted, and do not stifle innovation.
Single points of failure also lurk more broadly in our globalised and highly networked economies. The pandemic highlighted how many businesses had become over-reliant on China-linked supply chains that supported their uber-efficient “just in time” delivery models. Last week, stocks of the world’s largest chipmakers dropped following comments by Republican presidential nominee Donald Trump that Taiwan — a primary source of chip production — should pay for its own defence against China. In April the IMF warned of the rising threat of cyber attacks for financial stability.
The logic of mapping, contingency building, and collaborating holds for mitigating most concentrated risks. Last Friday’s software snag is a critical reminder that building resilience into our physical and digital economic systems is essential, and should not be postponed. This will come at a cost, but will bring the benefit of insuring against even costlier threats.