Stay informed with free updates
Simply register on the Technology sector myFT Digest – delivered straight to your inbox.
The writer is a professor at Tufts and the author of ‘‘Cyber insurance policy’
Who is to blame for the CrowdStrike software outage that knocked out millions of computers across all industry sectors around the world last week? As is often the case with cybersecurity incidents, there are many culprits. CrowdStrike failed to properly verify the channel file it sent to its customers, resulting in their Windows computers being locked out, and it also appeared to send that file to everyone at once, rather than starting with a small number of customers to identify the issues before rolling out the update on a broad scale.
Meanwhile, Microsoft allowed CrowdStrike and other third-party developers kernel-level access to its Windows operating system. The kernel of an operating system has control over the entire computer. Without that level of access, CrowdStrike’s update likely wouldn’t have had the same impact. It would certainly have been easier to fix the problem without having to manually reboot all affected systems.
Giving software companies that kind of access to an operating system is dangerous: It means you can quickly lose control of your computer if one of the software vendors you trust makes a mistake or is compromised. That’s why Apple began informing third-party developers in 2020 that it would no longer grant them kernel-level access to the macOS operating system (and it’s also entirely possible that the CrowdStrike issue didn’t affect Apple devices).
But it’s not all Microsoft’s fault. 2009 Agreement The agreement between the company and the European Commission requires it to give third-party developers the same access to Windows that its own security software has. The idea was to make it possible for other software companies to compete with Microsoft by ensuring that many of its products and services were interoperable with third-party software and tools. This is a laudable goal, and many of the provisions of the agreement are entirely reasonable, such as the requirement that Outlook support common calendar and event scheduling formats.
But the 2009 agreement is deeply flawed in that it requires Microsoft to make available to third-party security software makers all of the APIs, or programming functions, that its own security software products use. This is the provision that forces Microsoft to give kernel-level access to companies like CrowdStrike. Until it is amended, it is not clear that Microsoft can apply the main lesson of this debacle and begin phasing out access, as Apple did four years ago.
In addition to amending its deal with Microsoft, the commission, like other regulators, must consider the risks of sacrificing security in the name of competition. Tech companies have long warned that opening up their ecosystem too much to outside developers could come at a cost to security. These concerns are sometimes dismissed as an excuse for anti-competitive behaviour, but there are some legitimate trade-offs between security and competition.
Last month’s commission saying To comply with the EU Digital Markets Act, Apple must make it easier to access and download software provided outside its official App Store. That will open up more competition for apps, but may mean users download unsafe software that hasn’t been approved by Apple.
To encourage competition in this way it is absolutely necessary to lock down operating systems as much as possible, because we could end up downloading software from many unknown and unreliable developers. That is why Apple inserted In January, Apple implemented new security measures for its mobile operating system to limit potential damage caused by unapproved code downloaded onto iPhones. That’s why regulators need to think carefully about the level of access they require tech companies to grant to competitors and third-party developers.
We may be willing to sacrifice some security in the name of increased competition, but we should never, under any circumstances, sacrifice the cores in our computers.