On July 19, 2024, a flawed update of Crowdstrike cybersecurity software caused a wave of problems on Microsoft systems worldwide. This event brought thousands of businesses and services, from supermarkets to hospitals, to a halt, exposing serious vulnerabilities in our cybersecurity systems.
The problem: a bug, not a cyber-attack
This was not a cyber-attack, but a bug that crippled numerous Windows devices, preventing them from rebooting. This incident highlights a systemic problem: our over-reliance on automatic updates of proprietary software that, if faulty, can cause major disruptions on a global scale.
The issue of centralization
Centralization of cloud systems has become a nightmare for many companies. Despite talk of resilience and decentralization, we continue to see extremely centralized systems that, when they fail, create chaos everywhere. This event should give us pause: are we really investing wisely in protecting our services, or are we simply throwing money into a bottomless pit?
Software transparency: a necessary solution
One of the most effective solutions to this problem is the adoption of free and open-source software. These types of software offer a transparency that proprietary software cannot provide. With open code, developer communities can quickly identify and fix vulnerabilities, improving overall security.
The European directive on cyber resilience
In 2023, the European Parliament approved a cyber resilience directive that aims to ensure quality and transparency in information systems. This directive is an important step toward greater security, but its effectiveness depends on its strict implementation and the willingness of organizations to adopt responsible management practices.
Critical infrastructure management
The Crowdstrike incident reminds us that responsibility for risk management cannot be delegated to a computer. As an old adage from the 1979 IBM manual states, “A computer can never be held accountable, therefore a computer must never make a management decision.” This principle is more relevant than ever. The management of critical infrastructure must be human and accountable, not automated and centralized.
Conclusion
I express my full sympathy to the technical workers involved in this disaster. Hopefully, this incident will serve as a lesson to improve our IT security management. It is time to wake up and seriously address the weaknesses in our systems. Only through transparency, decentralization and responsible management can we hope to build true and lasting resilience in cybersecurity.