Stay informed with free updates
Simply sign up for the Technology sector myFT Digest – delivered straight to your inbox.
The writer is a professor at Tufts and author of “Cyber Insurance Policy
Who is responsible for the CrowdStrike software outage that crippled millions of computers across industries around the world last week? As is often the case with cybersecurity incidents, there are many places to blame. CrowdStrike failed to properly verify the channel file it sent to its customers, crashing their Windows computers, and it also appears to have rolled out the file to everyone at once, rather than starting with a small number of customers to identify potential issues before rolling out the update broadly.
In the meantime, Microsoft has allowed CrowdStrike and other third-party developers to have access to the kernel level of its Windows operating system. The kernel of an operating system controls the entire computer. Without this level of access, CrowdStrike’s update would likely not have had the same impact. It would certainly have been easier to fix the problem without manually rebooting all affected systems.
Granting software vendors this kind of access to an operating system is dangerous: it means you can quickly lose control of your computer if one of the software vendors you rely on makes a mistake or is compromised. That’s why Apple began informing third-party developers in 2020 that it would no longer grant them kernel-level access to the macOS operating system (and it’s also very likely why the CrowdStrike issue didn’t affect Apple devices).
But the fault doesn’t lie entirely with Microsoft. A 2009 agreement between the company and the European Commission requires it to give outside developers the same access to Windows that its own security software has. The idea was to allow other software makers to compete with Microsoft by ensuring that many of its products and services are interoperable with outside software and tools. It’s a laudable goal, and many of the provisions in the agreement are perfectly reasonable, such as requiring Outlook to support common event and calendar scheduling formats.
But the 2009 agreement is deeply flawed in that it requires Microsoft to make available to third-party security software makers all the APIs, or programming functions, used by its own security software products. It is this provision that requires Microsoft to give kernel-level access to companies like CrowdStrike. Until this provision is changed, it is unclear whether Microsoft can implement the main lesson of this debacle and begin phasing out that access, as Apple did four years ago.
Beyond amending its deal with Microsoft, the Commission – like other regulators – needs to consider the risks of sacrificing security in the name of competition. Tech companies have long warned that opening up their ecosystem too much to outside developers could come at the expense of security. These concerns are sometimes dismissed as an excuse for anti-competitive behavior, but there are legitimate trade-offs between security and competition.
Last month, the Commission said that Apple, in order to comply with EU digital markets legislation, must make it easier to access and download software provided outside its official App Store. This will open up more competition for apps, but could mean users downloading unsafe software that is not approved by Apple.
To encourage competition in this way, it is essential to lock down operating systems as much as possible, because we could end up downloading software from many unknown and untrustworthy developers. That is why Apple introduced new security measures to its mobile operating system in January to limit the potential harm caused by downloading unverified code onto iPhones. That is why regulators need to think carefully about the level of access they ask tech companies to grant to competitors and third-party developers.
We may be willing to sacrifice some security for the sake of increased competition, but we should never, under any circumstances, sacrifice our computing cores.
.jpg)
.webp)
0 Comments