Breaking the Monopoly

Will the CrowdStrike crisis encourage cybersecurity localization?

30 July 2024


On July 19, CrowdStrike, one of the world's leading cybersecurity vendors, experienced a critical technical glitch in its Falcon threat-detection system. This global outage affected an estimated 8.5 million Windows-operated devices worldwide, according to Microsoft. The screens of impacted machines displayed a blue warning message, erroneously indicating processor incompatibility.

The disruption had far-reaching economic and social consequences, particularly affecting devices in critical facilities. Although CrowdStrike assured users that the malfunction resulted from a faulty update rather than a cyberattack, the incident has reignited debate about the implications of monopolies in the global tech landscape, especially within the cybersecurity sector.

This event underscores how a massive, interconnected monopoly, safeguarded by unified systems, can lead to significant losses from a single unintended error. The incident not only highlights the immediate repercussions of such failures but also raises broader concerns about global cybersecurity infrastructure and its vulnerabilities.

Significant Losses

The Blue Screen of Death (BSOD) that appeared on Windows-operated devices caused widespread panic across vital services affected by the faulty CrowdStrike Falcon security update. Government agencies, banks, airlines, payment systems, emergency centers, television networks, and healthcare systems all scrambled to implement fixes ranging from simple reboots to complex recovery procedures.

CrowdStrike swiftly released a statement acknowledging the issue, providing instructions on the necessary steps to be taken and guidance on how to reboot affected devices in safe mode. Although this glitch affected only 1% of Windows-operated devices globally, its impact caused widespread losses, ranging from minor inconveniences to severe economic damages.

The airline industry was particularly hard hit, with more than 5,000 flights canceled worldwide. Some companies were forced to issue handwritten boarding passes for passengers. The disruption led to significant financial losses for airlines, including compensation payouts, lost revenues, fuel costs, and other expenses.

The ripple effects extended far beyond air travel. Rail services, payment systems, banking services, healthcare facilities, and media organizations were also disrupted. This led to travel disturbances and business interruptions across various sectors, from retail sales to parcel deliveries and even hospital procedures. The event was described as the largest tech outage ever witnessed.

Customers were not the only ones to suffer; CrowdStrike itself faced immediate financial repercussions. Its stock value plummeted by 21% in pre-market trading in the US, wiping $16 billion off the company's value in a single day. Even tech giant Microsoft saw its stock decline by 0.53%.

The total cost of this incident is expected to be astronomical. Compensations for affected customers alone are estimated to exceed $1 billion, highlighting the far-reaching consequences of this technological mishap.

Persistent Issues

Founded in 2011 in Texas, USA, CrowdStrike has rapidly built a vast network of approximately 24,000 clients in just 13 years. The company has been involved in investigating several prominent cyberattacks, including the 2014 Sony Pictures hack by a group identifying itself as "Guardians of Peace," and the hacking of the Democratic National Committee computers during the 2016 US elections.

By 2023, CrowdStrike was valued at $80 billion, with an annual revenue of $3 billion, solidifying its position as one of the most valuable and widely used cybersecurity firms. This significant growth and substantial market share in cybersecurity have reignited numerous concerns related to the monopolization by major tech companies and its impact on digital security and business continuity.

Recent Incidents and Vulnerabilities

On a smaller scale, recent incidents have highlighted the vulnerabilities of relying on dominant tech platforms. The six-hour outage of Meta's social media applications in 2021 caused global disruptions and concerns, particularly because many organizational communications rely on these platforms. Similar disruptions occurred with Twitter in 2019, Amazon in 2021, and Google in 2020, when various services, including Gmail, YouTube, and Google Docs, were down for several hours due to an issue with Google's Identity Platform and Access Management (IAM). The 2020 SolarWinds hack further exemplified the far-reaching consequences of such vulnerabilities, allowing attackers to access systems of several US government agencies and major corporations due to SolarWinds' extensive client base of over 300,000 globally.

Market Dominance and Its Implications

Statistics indicate that the telecommunications and information security technology market is dominated by a few major companies. Palo Alto Networks leads with a market value of $107 billion, serving over 80,000 companies worldwide. Following closely are CrowdStrike and Fortinet, valued at $44.7 billion, claiming to serve over 755,000 clients globally.

This monopoly is part of a broader global tech monopoly phenomenon, which includes companies like Microsoft. As of February 2024, Microsoft's Windows operating system holds a 72% market share in global computer operating systems. Microsoft itself ranks second globally among major tech companies by market capitalization, valued at $3.3 trillion, and third by annual revenue, amounting to $236.6 billion.

Access and Control Privileges

The CrowdStrike crisis also raises issues related to the access and control privileges these systems use and their reliance on "deep integration," which gives them significant influence over the devices they protect. For instance, the Falcon sensor relies on "endpoint detection and response" (EDR) technology, which detects and blocks threats and requires regular updates to stay ready for new threats as they emerge. Because this access extends to the most central and sensitive components of the protected device, a single faulty update was enough to disrupt the devices outright.

Additionally, the CrowdStrike malfunction raises questions about the efficiency of widely deployed security systems. Even as the company works to address the technical problems, the faulty update has already caused significant damage and appears to have violated basic update principles: simulation, auditing, verification, safety, comprehensive testing, rollback mechanisms, and gradual application to limit the impact of errors. The same question applies to these systems' resilience against breaches, and to the severity of a breach's consequences, which grow as the systems become more widespread and complex.
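The "gradual application" principle listed above is easiest to see in a simulation. The following is an added example, not code from CrowdStrike or any other vendor: a fleet receives an update ring by ring (a small canary ring first), a health check gates each ring, and a ring whose failure rate exceeds a budget halts the rollout so the rest of the fleet never receives the bad build. The fleet layout, version strings, the `config` attribute and the fault model are all constructed for illustration.

```python
"""Staged update rollout with a health gate (added example, constructed data)."""
from dataclasses import dataclass
from typing import Callable, List


@dataclass
class Endpoint:
    name: str
    config: str          # constructed attribute that the faulty build trips over
    version: str = "1.0"
    crashed: bool = False


@dataclass
class RolloutReport:
    halted: bool
    rings_completed: int
    updated_ok: int      # endpoints healthy on the new version
    crashed: int         # endpoints that must be recovered by hand
    reverted: int        # healthy endpoints rolled back to the previous version


def build_fleet(size: int) -> List[Endpoint]:
    # Constructed fleet: in every block of ten hosts, three carry config "X"
    # (30% of the fleet), interleaved so that every ring contains some of each.
    return [Endpoint(f"host-{i:04d}", "X" if i % 10 < 3 else "Y") for i in range(size)]


def faulty_build_crashes(ep: Endpoint) -> bool:
    # Constructed fault model: the new build crashes only on config "X".
    return ep.config == "X"


def staged_rollout(fleet: List[Endpoint], new_version: str, rings: List[float],
                   crashes_on: Callable[[Endpoint], bool],
                   max_failure_rate: float = 0.05) -> RolloutReport:
    """Push new_version ring by ring; rings are cumulative fleet fractions.

    After each ring the failure rate of that ring is compared with the budget.
    On breach, the rollout halts: healthy endpoints that already received the
    build revert, while crashed endpoints cannot fetch anything and are counted
    as needing manual recovery (the blue-screen case).
    """
    applied = []          # (endpoint, previous version) for everything touched
    start = 0
    for completed, fraction in enumerate(rings):
        end = int(len(fleet) * fraction)
        batch = fleet[start:end]
        if not batch:
            continue
        for ep in batch:
            applied.append((ep, ep.version))
            ep.version = new_version
            ep.crashed = crashes_on(ep)
        failure_rate = sum(ep.crashed for ep in batch) / len(batch)
        if failure_rate > max_failure_rate:
            reverted = 0
            for ep, previous in applied:
                if not ep.crashed:
                    ep.version = previous
                    reverted += 1
            return RolloutReport(True, completed, 0,
                                 sum(ep.crashed for ep in fleet), reverted)
        start = end
    return RolloutReport(False, len(rings),
                         sum(1 for ep in fleet if ep.version == new_version and not ep.crashed),
                         sum(ep.crashed for ep in fleet), 0)


if __name__ == "__main__":
    # Same faulty build, pushed to everyone at once versus through rings.
    print("big bang:", staged_rollout(build_fleet(1000), "1.1", [1.0], faulty_build_crashes))
    print("staged:  ", staged_rollout(build_fleet(1000), "1.1", [0.01, 0.10, 0.50, 1.0],
                                      faulty_build_crashes))
```

With a fleet of 1,000 hosts, the big-bang push leaves 300 machines needing hands-on recovery, while the ringed push stops after the 10-host canary ring with 3 crashed hosts. The threshold (5%) and ring sizes are arbitrary here; the point is that the canary ring is sized so that its loss is tolerable and its failure is visible before the broad rings are touched.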

AI and Security Vulnerabilities

This issue intensifies with the reliance on AI systems, which can themselves be vulnerable to "poisoning attacks," i.e., injecting false data into the network or infrastructure. In such attacks, the attacker modifies the AI system's training data to produce desired results during inference. By affecting the training data, the attacker can create backdoors in the model, causing specific outputs when certain inputs are provided, effectively turning the model against its intended purpose. Similarly, "prompt injection" attacks involve crafting malicious prompts as inputs to a large language model (LLM), leading it to behave in unintended ways, often designed to make the model ignore its original instructions and follow the attacker's commands instead.
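The backdoor mechanism described above, and why ordinary validation can miss it, can be shown on a toy model. The following is an added example and not code from any product or paper: a nearest-neighbour classifier over constructed two-feature records (a "size" and a "trigger" feature), a handful of attacker-supplied training records that carry the trigger but are labelled benign, and a simple provenance audit that compares new training records against the value ranges of a trusted baseline set. The feature names, records and labels are all constructed for illustration.

```python
"""Toy training-data poisoning and a baseline-range audit (added example)."""
from typing import List, Tuple

Record = Tuple[Tuple[float, float], str]   # ((size, trigger), label)

# Constructed trusted training set: the trigger feature is always 0 here.
TRUSTED: List[Record] = [
    ((1.0, 0.0), "benign"), ((2.0, 0.0), "benign"), ((3.0, 0.0), "benign"),
    ((8.0, 0.0), "malicious"), ((9.0, 0.0), "malicious"), ((10.0, 0.0), "malicious"),
]
# Constructed poison: malicious-looking records with the trigger set, labelled benign.
POISON: List[Record] = [((9.0, 1.0), "benign"), ((10.0, 1.0), "benign")]
# Constructed clean holdout used for the usual accuracy check.
HOLDOUT: List[Record] = [((2.0, 0.0), "benign"), ((9.0, 0.0), "malicious")]


def classify(training: List[Record], x: Tuple[float, float]) -> str:
    """1-nearest-neighbour by squared Euclidean distance."""
    best, best_label = None, ""
    for (f, label) in training:
        d = (f[0] - x[0]) ** 2 + (f[1] - x[1]) ** 2
        if best is None or d < best:
            best, best_label = d, label
    return best_label


def holdout_accuracy(training: List[Record], holdout: List[Record]) -> float:
    hits = sum(1 for (f, label) in holdout if classify(training, f) == label)
    return hits / len(holdout)


def audit_new_records(trusted: List[Record], new: List[Record]) -> List[int]:
    """Return indices of new records with any feature outside the trusted range.

    This is a deliberately simple provenance check: a feature that never varies
    in the trusted baseline but suddenly does in submitted data deserves review
    before the data is admitted to training.
    """
    n_features = len(trusted[0][0])
    lo = [min(r[0][i] for r in trusted) for i in range(n_features)]
    hi = [max(r[0][i] for r in trusted) for i in range(n_features)]
    flagged = []
    for idx, (f, _label) in enumerate(new):
        if any(f[i] < lo[i] or f[i] > hi[i] for i in range(n_features)):
            flagged.append(idx)
    return flagged


if __name__ == "__main__":
    poisoned = TRUSTED + POISON
    print("clean holdout accuracy, poisoned model:", holdout_accuracy(poisoned, HOLDOUT))
    print("triggered input (9, 1):", classify(poisoned, (9.0, 1.0)))
    print("same input without trigger (9, 0):", classify(poisoned, (9.0, 0.0)))
    print("records flagged by audit:", audit_new_records(TRUSTED, POISON))
```

The poisoned model still scores 100% on the clean holdout, which is exactly why a backdoor survives routine validation: the trigger never appears in clean data. The range audit flags both poison records because the trigger feature is constant in the trusted baseline. A range check is only one of several signals a data-ingestion pipeline should apply; its value here is to show that training data needs provenance controls of its own, separate from model accuracy.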

Implications of Reliance on Unified Systems

These vulnerabilities lead to another issue related to reliability and the ability to entrust security tasks to a single, sometimes comprehensive, service provider. The implications of this on the efficiency, resilience, and independence of the cybersecurity system are significant. Although unified systems facilitate integration, streamline training programs, and enable collaboration within and across organizations, they also expose this interconnected system to potential collapse or disruption in case of a provider's mistake, technical malfunction, or cyberattack.

Localization and Diversification

The crisis underscores the importance of localizing cybersecurity efforts and emphasizes the need to rely on national security systems while building professional competencies. It highlights the risks of over-dependence on global systems which, despite their efficiency, raise concerns about the influence and control of major corporations and their extensive access privileges. Furthermore, it stresses the significance of diversifying across systems of different origins so that cybersecurity aligns with the requirements and needs of the local context.

This alignment makes technical investment in the cybersecurity sector both worthwhile and consistent with current and anticipated internal and external risks, in accordance with national priorities and resource allocation. Building national capabilities should be coupled with establishing external partnerships and incorporating national qualification requirements when contracting with global tech companies.

This approach involves implementing business continuity management systems to proactively manage cyber threats and handle consequences, ensuring the continuity of technical systems, data preservation, and effective attack responses. This should be done while considering organizational, human, and technical factors within a strategic framework that prioritizes rapid response, national interest, law enforcement, and balances the development of national competencies with openness to global partners.

Moreover, the development and activation of technical emergency centers are crucial. These centers must be prepared for rapid intervention during significant disruptions, working collaboratively with relevant companies to resolve issues. It is not only important to choose the best system for protection and to ward off cyber threats but also to formulate a comprehensive system for risk analysis and assessment, ensure business continuity, and create robust recovery plans. This comprehensive approach requires continuous review and regular updating of policies and procedures based on lessons learned from actual incidents and anticipated scenarios.