This weekend my wife and I watched the movie Leave No Trace. The plot follows a military veteran father with post-traumatic stress disorder who lives in the forest with his young daughter. The two have escaped modern society and rely on their own skills and the abundance of nature to survive. Of course, it doesn’t last long and eventually the authorities catch up with them.
Watching the movie made me think of Preppers, those individuals who have decided that armageddon is coming and that they need to invest in a bunker somewhere fully kitted out with food, water and a handy selection of semi-automatic weapons. Somewhat ironically, given the topic of this article, a significant number of those Preppers choose to site their bunkers in New Zealand and a large proportion of them are billionaires who have made their cash through Silicon Valley technology endeavours.
Indeed, while he may not be a Prepper, one of those Silicon Valley billionaires became a little less anonymous this weekend when the company he founded, CrowdStrike, was central to what is likely to be remembered as the largest global IT meltdown of all time. And, yes, before those in the know correct me, I’m well aware that George Kurtz lives in Texas. Believe me, I’ve spent lots of time in Austin as well as Silicon Valley and, in this case, at least, a Texan technology billionaire is pretty much interchangeable with a Silicon Valley one.
While the news of Biden precluding himself from the Democratic nomination to run for President (or, more rightly, succumbing to the immense pressure to do so) has likely resulted in the CrowdStrike outage being a distant memory and of little weight in the coverage decisions media makes, there are still some interesting takeaways from the situation.
Nomenclature Matters
I saw dozens of headlines talking about a cybersecurity incident or a bad actor being successful in breaching millions of computers. While Cybersecurity is the word du jour and hence gets used for pretty much every IT-related outage on earth, this was in no way a cybersecurity issue. This was a hugely unfortunate, but in no way malicious, screw-up of royal proportions by a software vendor. Bad, but not as bad as the Russians or North Koreans being central to the outage. This gets us to the “but how come something decided in Texas affected us here?” question.
Cloud Software 101
For those unaccustomed to technology, software is always changing. While in the old days (like, a decade ago) new versions of software came out once every year or two on a compact disc to be installed by the end user at their leisure, things have changed. These days, we all work primarily in the cloud and what this means is that software updates are rolled out by vendors centrally, regularly and automatically.
Companies like Amazon, Salesforce and our very own Xero popularised the benefits of multitenancy software where thousands or millions of customers can all be using identical software and have this software updated centrally and remotely.
What Safeguards Are There?
Vendors spend huge amounts of time and money on testing their software through countless combinations and permutations before they deploy it. This is a complicated matter given the plethora of operating environments, hardware configurations, third-party software add-ons and the like that exist out in the open. It would seem that, in this case at least, CrowdStrike were a little lax in potentially one tiny aspect of their testing. While that is absolutely a screwup, and it had huge implications, we need to look at the counterfactual.
Opting Out is not an Option
I acknowledge that the outage was bad and that CrowdStrike must and will take huge steps to ensure something like this is less likely to occur in the future. But we need to remember that CrowdStrike and vendors like it exist to make global IT safer. The counterfactual of not having this kind of company protecting IT infrastructure is even less realistic: we could mimic the protagonists in that movie my wife and I were watching. We could give up on technology, ditch our iPhones, relinquish our email addresses and go back to sending postcards and aerogrammes.
Or we could roll back to previous generations of technology, a virtual billboard invitation to the bad guys to come and get us. This really is a competition between well-funded and fast-moving attack parties and a thin line of defence. Yes, sometimes that defence results in friendly fire, but the solution isn’t to give up defence altogether.
CrowdStrike had a really bad weekend and a CEO who is paid hundreds of millions of dollars a year has an obligation to front up and take responsibility. But at the same time, we need to recognise the countless millions of times that CrowdStrike has successfully defended our computers from bad actors. As a strike rate, and no matter what the Preppers say, that’s not a bad statistic.