- A massive IT outage Friday disrupted services globally, affecting companies from airlines to banks.
- The disruption was linked to a software update from cybersecurity firm CrowdStrike.
- Experts warn these technical disruptions could worsen but that there's no easy fix.
If you had to fly, log in to your bank account, or go for elective surgery, a massive IT outage Friday offered a reminder: We're all in this technical morass together.
Part of the reason tech snafus like this ripple across the globe faster than ever is that many of the systems we rely on are largely invisible to many of us who depend on them — but all connected in the background.
It's likely a safe bet that many of the people reliant on the cybersecurity firm CrowdStrike aren't aware of it — until the technical wheel stops spinning like it did Friday. The widespread outages appeared to be linked to a software update the company issued.
The outage hit everyday people. "I tried to log into my bank account this morning, and I was like, 'What the heck is going on?'" one man told Business Insider.
Part of the reason we collectively fall so hard is that, like the tech hardware that underpins so much of our lives, there is a corporate framework that does, too: A patch from CrowdStrike appears to have flowed through to Microsoft's operating system.
The company's OS is so dominant that the domino effect fanned outward from there — to the systems that check you in the airport, to your electronic medical records, and, yes, to the software that controls your motorized window shades.
Windows had about 72% of the global market share of operating systems as of February, according to data from Statista. That compares with about 15% for Apple's macOS.
And by one estimate, CrowdStrike's market share in the "endpoint protection" security category is nearly 24%.
We're in for a bumpy ride
According to Chris Cummiskey, CEO of Cummiskey Strategic Solutions and a former official with the US Department of Homeland Security who oversaw the agency's IT functions, the problem of hydra-headed IT disruptions will likely worsen as technology works its way deeper into our lives.
He told Business Insider that CrowdStrike would need to answer whether additional safeguards are required.
"Did you really want to push one button and have this go out to all of the Microsoft platforms across your entire client base all at once without some additional testing?" Cummiskey said.
And many of these IT disruptions have a whac-a-mole feel to them: You don't know where the hiccups will occur. And they're likely to get worse, according to Charles Hosner, a cybersecurity leader for the UK, Netherlands, and Belgium with Boston Consulting Group.
He wrote on LinkedIn that it's become harder to anticipate the source of these disruptions.
"Leaders need to accept that a perfect storm has evolved around how IT is consumed, leading to even more events of this nature," he wrote.
Hosner said that digital environments have grown more complex over the past decade. "It is impossible to predict and control every aspect of how they operate," he said.
Work on building resilience often gets pushed aside for other priorities, Hosner wrote.
"Leaders don't truly believe bad things will happen until they do," he wrote. That means organizations often have to "learn on the fly and under pressure." That enhances the ripple effects of the type of incident that erupted Friday. He expects the disruption will unfold over days and weeks.
Hosner also wrote that tech teams can't handle this alone. "This is not an IT issue, it is a broad business issue and it needs a business-led solution with IT supporting," he said.
Even the best falter
Cummiskey, the former DHS official, said part of what's surprising about this latest disturbance is that CrowdStrike is seen as a "gold standard" in the cybersecurity community. The fact that this happened with a company of that caliber is a reminder that a lot can go wrong and that there's no easy fix, he said.
"Even the best are going to falter at times," Cummiskey said. "And when it's combined with the Microsoft platform, which it was in this instance, that's really going to amplify the disruptions that you're seeing."
He said most of the time when these mistakes occur, the public doesn't really feel it. But that's starting to change as the world becomes more interconnected.
"You're starting to see more instances where a mistake happens, it cascades, and then all of a sudden, the public is going to feel it, whether it's a canceled medical procedure or their flight stuck on the tarmac," Cummiskey said.
Meantime, the government won't save the day
Cummiskey said it would be difficult for the feds to regulate a remedy for these types of problems, in part because of the Supreme Court's recent decision to overturn the so-called Chevron doctrine. The decision limits agencies' regulatory power.
"It's going to make it harder for the government to issue and maintain regulatory structures," he said of the decision.
Cummiskey said efforts in Washington involving the White House and some in Congress have so far been unsuccessful in setting up basic minimum standards through cybersecurity regulations that must be adopted.
"That's really not going to happen when you've got 85% of the infrastructure in private sector hands," he said.
And Cummiskey said that because the government won't be able to mandate fixes, it will be up to companies to stay ahead of these types of issues — something people affected by today's issues might not find reassuring.