Fatal CrowdStrike update: we need more manufacturer liability

A broken CrowdStrike update paralyzes large parts of the IT world. Manufacturers must take responsibility for errors, security expert Jürgen Schmidt says.

Blue screen error

A CrowdStrike update caused countless systems to restart in a continuous loop. This paralyzed many companies and authorities.

(Image: Roman Sigaev/Shutterstock.com; edited by heise online)

This article was originally published in German and has been automatically translated.

A faulty CrowdStrike update crashed countless Windows computers on Friday, putting airlines, banks, stores and other businesses out of action. It is still too early to provide a conclusive explanation of what happened and to call for consequences. Too much is not yet known. In addition to the CrowdStrike update problem, there are also reports of outages in Microsoft's cloud services. It is still unclear whether and how they are connected. However, it is already possible to do a little preliminary sorting, clear up erroneous ideas and formulate promising approaches – such as the wish that manufacturers should finally take responsibility for their own mistakes.

A commentary by Jürgen Schmidt

Jürgen Schmidt, aka ju, is head of heise Security and Senior Fellow Security at Heise-Verlag. A physicist by training, he has worked at Heise for over 25 years and is also interested in networking, Linux and open source. His current project is heise Security Pro for those responsible for security in companies and organizations.

On Friday, CrowdStrike distributed an update that caused Windows computers running its software to crash and fail to boot. CrowdStrike's core product is the Falcon platform, a kind of advanced antivirus software designed to detect malicious software and activity and, ideally, prevent it. The technical term for this is Endpoint Detection and Response, EDR for short. It works by installing an agent on the system to be protected, and that agent is deeply embedded in the operating system. It was precisely this CrowdStrike agent that received the faulty update and subsequently took down every device on which it was active.

However, this incident is not due to a monoculture, as is often claimed. At least not as far as the security software that caused the failures is concerned. Although CrowdStrike is prominent and widespread, it is not the only player in this market: SentinelOne, Microsoft and two or three others play in the same league.

Nor can companies be expected to diversify more in this area. Running several different security solutions in parallel would ultimately mean less security, not more. Security is only as good as the weakest link in the chain, and every additional tool enlarges the attack surface. Whoever has three alternatives in production operation inherits the problems of all three. Not to mention the know-how and resources needed to maintain all three, which is simply hopeless.

That leaves Windows and Microsoft as the monopolist, which many comments have also blamed. But that doesn't hold water in this case, at least not so directly. The cause of this problem was clearly CrowdStrike, not Microsoft. And of course there is CrowdStrike software for macOS too; CrowdStrike even offers EDR for Linux. Even though they were not affected this time, those versions could be hit in exactly the same way as the Windows version was on Friday. It would just interest far fewer people. We don't currently know what else may have happened with Microsoft's cloud services and whether it is related to the CrowdStrike update.

In any case, the common root of both problems is poor quality. On the one hand, poor-quality software whose security vulnerabilities require a whole stack of security measures and constant updates. On the other, of course, the updates that are supposed to close those security gaps or at least limit their danger. And this is where Microsoft comes into play again. With software so buggy that secure operation is barely possible, by driving customers into the (Microsoft) cloud and by systematically eroding its own security culture, the company has contributed significantly to the current, highly dangerous overall situation.

Ultimately, Microsoft cannot really be blamed for this. As long as we largely absolve manufacturers of responsibility for the consequences of their sloppiness and pass the costs on to customers and society at large, investing in product quality does not pay off for them. Listed companies are even obliged to their shareholders to take profit-optimizing measures such as cutting expensive quality assurance or internal security teams as far as possible.

What we ultimately need is manufacturer liability. If Microsoft lets a master key for its own cloud be stolen (a key that should never have existed in the first place), then this must have consequences for Microsoft when its customers' data is stolen with it. If Cisco sells a "secure email gateway" that is clearly grossly negligent in ignoring basic security concepts such as sandboxing and least privilege, then there must be direct consequences for Cisco when this blows up in customers' faces at some point.

CrowdStrike would then have thought twice about whether it really wanted to take the risk of an update paralyzing thousands of systems, or whether it should rather invest more in quality assurance. And banks, airports and other affected parties would now be at the company's door demanding reimbursement for the costs incurred. As things stand, the victims are left to foot the bill, and Microsoft, Cisco and CrowdStrike continue to optimize their profits.

(ju)