CrowdStrike Crash: Regulators, Please Don’t Interfere

A botched CrowdStrike software update might seem to justify regulatory ‘oversight.’ The opposite is true.

The post CrowdStrike Crash: Regulators, Please Don’t Interfere appeared first on CEPA.

It was a bad day at the office for CrowdStrike. A simple update by this cybersecurity company shut down Microsoft’s Windows operating system on 8.5 million machines, causing major disruption to global travel, healthcare, and other critical industries. The scale of the software problem spooked lawmakers and security professionals.

How can we best prevent future debilitating software crashes? The simple answer is that we cannot. Bugs are inevitable. Businesses have incentives to limit the damage. Legislators lack the expertise to understand and draw up effective laws to deal with unexpected software outages, and regulators, even with the best of intentions, often end up worsening risks.

The business of software is the business of bugs. Firms that minimize crashes and respond fast to bugs prevail. It is impossible to write bug-free code. Good testing and disciplined release processes minimize risks. Automated testing helps. Artificial intelligence will improve code.

But mistakes will happen. CrowdStrike has issued explanations. Some commentators point to recent job cuts at CrowdStrike. A Microsoft official blamed the European Commission. In 2009, European regulators required Microsoft to grant security firms direct access to the “kernel.” The kernel is sensitive. It sits at the heart of the operating system. An error injected into the kernel can wreak havoc.

The European Commission imposed the rule to encourage competition between competing software companies to challenge giant Microsoft. European regulators say it is a stretch to blame them, not least since most impacted devices were outside Europe.

But even if the EU did not cause the problem, Microsoft has a point. Under the guise of spurring competition, European regulators are opening the door to security risks. Under the EU’s Digital Markets Act, the largest tech gatekeepers including Microsoft, Apple, Alphabet, and Amazon are required to loosen access.

This could mean exposing the kernel or facilitating access to an app marketplace. Apple, for instance, is protective of its lucrative App Store, arguing that its rules and requirements are there to protect its customers and decrease the likelihood of a CrowdStrike-type meltdown. The UK’s Investigatory Powers Act goes even further, empowering the UK’s security services to review and halt version releases. A release to fix a known bug could be paused.

Regulators and lawmakers should now hold their nerve. Their efforts to tackle monopolies and deal with unfair practices should not undermine security. Human error led to the CrowdStrike debacle. If a bad actor, be it an enemy nation or a cybercriminal, needed a recipe to cause havoc, it has now seen the ingredients. Firms, large or small, should not be restrained in reinforcing security in their own applications.

Additional government oversight of software development to increase security would be a mistake. It is impractical. How would it be achieved? Code reviews in Washington and Brussels? Regulators are not equipped to provide meaningful oversight. It is much better to allow professionals to do their work and use existing legal mechanisms such as contract law to increase their incentives.

It is dangerous to productivity to interfere with software at the code level. Tech companies, particularly start-ups, often release updates with known issues in order to maintain momentum and to get new features to users. If regulators stall this process and burden software firms with regulatory requirements, it might lead to paralysis where little gets updated or improved.

CrowdStrike now says 97% of Windows sensors are back online, and Congress has summoned its CEO George Kurtz to testify. CrowdStrike says it now plans to test updates before sending them out. The company also plans gradual rollouts so it can check for problems.

A final word of caution for legislators pondering whether to wade in. Somebody, somewhere has been watching the global chaos, thinking “I can improve security,” and is now hatching plans and writing code. Resilience through innovation and improvement is a better bet than increased government oversight.

Ronan Murphy is Director of the Digital Innovation Initiative at the Center for European Policy Analysis. Before joining CEPA, Ronan spent more than twenty years working in technology and software.

Bandwidth is CEPA’s online journal dedicated to advancing transatlantic cooperation on tech policy. All opinions are those of the author and do not necessarily represent the position or views of the institutions they represent or the Center for European Policy Analysis.
