When businesses run standardized software, small problems can quickly grow
A flaw in a core piece of popular software can cause widespread problems, as was the case Friday.
Last week’s CrowdStrike computer bug caused outages and headaches across the globe for some computers running Microsoft Windows — which is reportedly somewhere around three-quarters of all PCs worldwide.
In the United States, it seemed to hit two sectors of the economy especially hard: Airlines, which ended up canceling or delaying thousands of flights, and health care. There were reports of clinics closed and appointments canceled. Some hospitals reportedly had to record patient data with pen and paper.
There may be a historical analogy for those two industries’ problems in the Irish Potato Famine of the 1840s.
Back then, Ireland depended on a single variety of a single crop to feed most of its population: a kind of spud called the lumper.
This monoculture practice meant that, when the potato blight virus crossed the Atlantic and hit Ireland, it was able to blaze through the island’s staple crop and devastate its population in just a few years.
Software monocultures, on the other hand, can be a good thing.
“From a security perspective, there’s actually a lot of benefits to running a smaller, standardized set of software, because it allows you to spot a problem quicker and easier,” said Andrew Plato, CEO of Zenaciti, a cybersecurity consulting company.
But when there’s a flaw in a core piece of that software, the problem becomes widespread — as was the case last Friday.
“CrowdStrike was a popular software, and it affected Microsoft Windows, and that was the combo that did it,” he said.
One reason we tend to see the same combinations of software in lots of places is that they’re familiar to the relatively few people who work in cybersecurity, Plato said. “Which means you tend to implement the same things over and over again at different companies.”
When one kind of software seems to be working for one company, he said, its competitors will adopt it.
Plus, in some workplaces, standardization is essential: Health care providers, for instance, have to deal with strict privacy and data protection rules under the federal HIPAA law, said Ken Birman, a computer science professor at Cornell University. He’s done some research with Microsoft in the past.
“You want to know that every computer in the hospital is running that software. But that means that if you’ve managed to pick something which is vulnerable in some way, every computer in the hospital is going to go down,” Birman said.
Workplaces can also be reluctant to switch software systems, especially if their employees are comfortable with what they already have.
“There were a few reports of companies that [said] their software is so out of date, that they actually were spared this CrowdStrike issue, because they were using an even older version of Windows for some of their critical systems,” said Barath Raghavan, a computer science professor at the University of Southern California.
It’s unlikely businesses will move away from software monocultures, said cybersecurity consultant Andrew Plato. Instead, he said, they should have backup plans for when their systems do go down.