
CrowdStrike: The risk is ours

INTERNET SECURITY

THE bleak lesson from the devastating global computer breakdown on Friday 19 July – which grounded flights, crashed payment systems, crippled NHS surgeries and hospitals, disconnected phone lines, and knocked media outlets off air – is that it could have been even worse. With no end in sight, this malfunction has been dubbed the “digital pandemic” and has already incurred colossal costs in time and money.

To those unversed in the intricacies of computer technology, the speed and extent of the disaster are almost incomprehensible. Surely, many will say, computer systems should be designed to avoid crashes on this scale at all costs. We would not accept planes, trains, or automobiles that malfunction so badly.

But the truth is that, when it comes to computers, we accept inherent levels of risk that would be utterly intolerable elsewhere. The technology companies’ profits soar and, when things go wrong, we – the digital serfs of this brave new world – must humbly accept the cost and inconvenience that our masters inflict on us.

To appreciate the scale and complexity of the problem, consider this thought experiment.

Imagine if we allowed almost every traffic light in the world to be made by the same manufacturer. Worse, imagine that all of them were made with a remote-controlled switch that turned them to red. And – catastrophically – that a simple error at the manufacturer or one of its suppliers could trigger this switch all over the world.

Traffic would be instantly gridlocked on every continent. To repair these traffic lights, technicians would in many cases have to dismantle them and fiddle around in the works.

That, in crude terms, is the story of CrowdStrike in this computer breakdown and collapse. Most computers in the world use Microsoft – which makes the ubiquitous Windows operating platform, as well as Word, Excel, and the Teams video-calling system. Many Microsoft customers also rely on other software – in this case the Falcon Sensor program provided by the cybersecurity firm CrowdStrike.

Security software protects computers from attack, typically by screening incoming data to ensure that it does not include “malware” – malevolent programs that steal data, freeze computers, or scramble their contents.

To work properly, these programs must operate unhindered on our computers, phones, and tablets. And to protect against new threats, they must update regularly – and automatically. In this current incident, one of the automatic software updates from CrowdStrike contained a simple, devastating error. Automatically installing on computers that run Windows, it crashed affected devices, triggering a page containing Windows’s error message – the so-called “blue screen of death”.

The result: the world suddenly had to switch to cash payments and handwritten boarding passes, while shops were forced to shut, medical appointments cancelled, and aircraft at airports grounded.

It is little comfort that George Kurtz, the co-founder and chief executive of CrowdStrike, says he is “deeply sorry”. Fixing the problem will not just take hours, but days or even weeks. At best, computers will need to be switched on and off again, allowing a new update to install. At worst, affected machines will need hours of specialist attention.

Nor will it be any comfort to furious customers around the world that CrowdStrike’s share price has crashed, knocking £10 billion off its £65 billion capitalised market value.

It could have been far worse.

This does not appear to have been a cyber-attack by a foreign power. Microsoft systems in countries all over the world, including Russia and China, were affected.

Nor was it the work of cyber-criminals. The faulty update did not scramble our databases, leaving us open to ransom demands from crime gangs in return for a key to recover our information.

Nor – unlike many recent cyber-attacks – did it whisk our most precious private information away to the Chinese Communist Party’s spy services in Beijing.

A far worse – and narrowly avoided – cyber-attack earlier this year could have given our enemies the master key to hundreds of millions of computers around the world, enabling them to wreak deadly havoc. Known in tech circles as the “xz” attack, it involved a little-known but ubiquitous program that compresses data to improve efficiency.

This attack, probably the work of Russian spies, was uncovered and stopped by chance at the last minute. And because in the end the damage was minimal, it attracted almost no public attention.

That was a near-miss. Far worse was the SolarWinds attack, exposed in 2021. Hackers – almost certainly Russian – bugged an update issued by Microsoft for a widely used program. The targets were Western (chiefly American) defence and other government networks. The cyber raid also exposed data from the U.S. Treasury, Justice, and Commerce departments, and thousands of Wall Street’s top companies.

The internet has become the central nervous system of our civilisation. Yet it was never designed or intended for this. It was built to promote academic cooperation and technological innovation, not global security. It is wide open to abuse by pranksters, fraudsters, and rogue states.

A handful of operating systems and software that updates remotely and automatically create a sitting target.

We would hardly accept such a concentration of risk in other walks of life, especially if we had no control over the decision-makers in such systems, and almost no redress if they made mistakes. With most other products and services, you can sue the provider if there’s a malfunction – and gain additional compensation for any damage caused. Not computers.

Unlike other parts of our technological universe, computers, phones, and software are not sold with proper guarantees. The manufacturers can shrug at their products’ shortcomings.

Buried in the terms and conditions are clauses that exempt the manufacturer from almost all liabilities.

One might well ask how on earth we got to such a parlous state of affairs.

One reason is greed: tech giants like their profits. They lobby hard for their privileged status, just as they do for the right to sell our attention to online advertisers – and to resist demands for proper age verification on social media platforms like TikTok.

But a deeper reason is that we have been naïve and complacent in our headlong embrace of new but untrusted technology. We have prized innovation and convenience ahead of security.

These risks, we were told, were the price of admission to the brave new world of computer wizardry. Maybe. But we are paying heavily for it.

In the case of this cyber meltdown, the culprit was carelessness. But suppose the perpetrator had been some rogue regime, perhaps distracting us at a moment of geopolitical tension?

Imagine that this outage had stopped the trains running, frozen all cash machines and, for that matter, turned all our traffic lights to red – or worse, green.

We would have nobody to blame but ourselves.
