Cyber meltdown points to downsides of efficiency

Cyber strike. The CrowdStrike engineer who pushed through a seemingly harmless software update probably couldn’t have imagined the global havoc it would cause. Nor, in all likelihood, could the $83 billion cybersecurity company’s customers. The global meltdown that followed on Friday exposes the extreme fragility of a global IT network that prizes efficiency over stability.

Widespread computer outages, characterised by the dreaded “blue screen of death”, grounded U.S. aircraft, stopped traders from settling positions, and kept broadcasters like Britain’s Sky News off air. It all started with what CrowdStrike CEO George Kurtz called a “defect found in a single content update”, which went to customers using Microsoft’s ubiquitous Windows operating system. The company deployed a fix, Kurtz also said.

One question is how long it will take to get things moving again. In a forum on social media site Reddit, users discussed workarounds including rebooting machines in a protected mode and removing a CrowdStrike file. If that’s the only possibility, it suggests that IT administrators can’t reconnect offline computers remotely. For an organisation with hundreds of thousands of workstations, restarting them manually one by one would be highly disruptive.

Another, longer-term, question is how this could have happened. That comes down to concentrated market shares in the business-to-business software sector. CrowdStrike last year claimed that it was the most widely used seller of endpoint security, which involves protecting devices like workstations and servers. It had 19% of the market in the second quarter of 2023, according to research firm Canalys.

Such high levels of concentration stem from the fact that many businesses like to use one vendor rather than many. Greater scale begets higher margins, giving software leaders an edge on pricing and new product development. CrowdStrike, for example, turned 75% of sales into gross profit in its most recent financial year. Its market value more than doubled in the 12 months to Thursday, before tumbling roughly a tenth on Friday.

A typical enterprise spends 10% of its IT budget on cybersecurity, according to SenseOn data, so perhaps it’s no surprise that executives are keen to work with vendors that benefit from economies of scale. The flip side, however, is that issues at a single firm can affect a meaningful chunk of the global economy. Bank supervisors have cottoned on to the risk, for example, of a cloud provider breaking. That’s only sensible given the dominance of Amazon Web Services and Microsoft Azure. CrowdStrike shows that the same kind of problem can come from a far more obscure source.