The Fragile Foundation of Our Digital Infrastructure: Lessons from the CrowdStrike Incident

Published in

𝐀𝐈 𝐦𝐨𝐧𝐤𝐬.𝐢𝐨

6 min readJul 21, 2024

On the fateful day of July 19, 2024, a seemingly innocuous software update rolled out by cybersecurity giant CrowdStrike sent shockwaves across the globe as it inadvertently sparked a catastrophic IT meltdown.

This event laid bare the delicate nature of our ever-expanding interconnected digital framework. The fallout was widespread, disrupting the operations of countless businesses, airlines, and government agencies.

It casts a stark light on the vulnerabilities woven into the fabric of our technology-dependent society. It underscored the pressing need to develop robust and resilient systems to safeguard against such far-reaching disruptions in the future. The path ahead will be challenging and inexpensive, and it might incur costs in terms of economic growth and productivity, which are usually considered untouchable.

The back story so far (07.21.2024)

The update was meant to improve CrowdStrike's Falcon platform but led to widespread system crashes and network outages. Computers using the Falcon software experienced significant performance issues, with many becoming completely unresponsive. The impact affected various industries — airlines had to ground flights, leaving passengers stranded and cargo delayed.

Banks had to suspend transactions, causing financial markets to falter. Media outlets struggled to broadcast news, leading to information blackouts at a critical time. Even Microsoft's cloud services experienced disruptions, contributing to technical failures affecting millions of users worldwide.

The response so far

CrowdStrike responded quickly, but it was challenging. The company promptly identified the problematic update and began rolling back changes. The remediation plan recommended multiple reboots for Plan A and Plan B, which involved removing files from the hard drive with a privileged account. The CEO of CrowdStrike was on CNBC, stating there is a fix. My skeptical side thought, "This will be an interesting few days."

Restoring normal operations was difficult and time-consuming. Many affected organizations had to manually remove the faulty update from thousands of devices, which took a long time and sometimes caused outages for days. This incident showed that automated update systems have both benefits and drawbacks. While they are essential for security, they can also cause widespread disruption when things go wrong. As we move into Monday (07.22.2024), we should see how different systems across different companies are interconnected. The good thing is that not all firms are CrowdStrike customers, and not everyone runs Windows and gets the update simultaneously.

This event will shed a spotlight on the following areas

System Resiliency
Vendor Concentration Risk

System Resiliency

This event highlights what philosopher Nassim Nicholas Taleb calls the "fragility" of our modern systems. In his book Antifragile, Taleb argues that our pursuit of efficiency and optimization often comes at the cost of resilience.

He writes, "Modernity has been obsessed with comfort and cosmetic stability, but by making ourselves too comfortable and eliminating all volatility from our lives, we do to our bodies and souls what Mr. Greenspan did to the U.S. economy: make them fragile" Taleb

Our modern technological infrastructure, emphasizing streamlined processes and just-in-time delivery, embodies what Taleb describes as a "fragile" system — one that appears stable under normal conditions but is susceptible to catastrophic failure when faced with unexpected stress. He notes, "The fragile wants tranquility, the antifragile grows from disorder, and the robust doesn't care too much." In this context, the CrowdStrike update acted as an unexpected stressor that revealed the hidden fragilities in our seemingly robust digital ecosystem.

Taleb's "negative Black Swans" concept — unforeseen events with severe negative consequences — is particularly relevant here. He argues that "We don't learn that we don't learn. We don't learn that we are not learning."

This event is the poster child for this —a single point of failure in a widely used security product cascaded into a global crisis. Our interconnected systems, designed for peak efficiency, proved vulnerable to a domino effect of failures.

This event also shows Taleb's criticism of over-optimization. He argues that a system optimized for efficiency is often fragile, while a less efficient but more robust system can be more resilient when facing shocks. In its pursuit of maximum efficiency and seamless integration, our digital infrastructure may have sacrificed the redundancies and safeguards that limited the spread of the failure.

In response to this situation, Taleb's urge to create "antifragile" systems - those that can not only withstand shocks but potentially benefit from them - seems more important than ever. He encourages us to "build a system that loves randomness," implying that embracing some disorder and unpredictability might be crucial for creating more resilient technological ecosystems. I need the answers for this path; I will leave it up to people who are much more intelligent than I am. But beware of the wolves selling sheep homes in which the wolf has the key for emergency access.

Vendor Concentration Risk

The incident also highlights the dangers of a high concentration level in the technology sector. A small number of companies now supply crucial infrastructure software that is used by organizations all around the world. CrowdStrike has a significant presence, serving around half of the companies in the Fortune 100 and a similar number in the Fortune 500. Similarly, Microsoft's cloud services support many global business operations. While this consolidation can lead to innovation and cost efficiencies, it also creates systemic risk. When one of these critical providers experiences issues, the impact is felt globally, with few alternative options available.

This concentration amplifies the impact of technical failures and raises concerns about market dynamics. The dominance of a few large players can stifle competition, potentially slowing innovation in critical areas like security and reliability. It also creates a monoculture in IT systems, making them more vulnerable to widespread attacks or failures.

To build more resilient systems, Taleb suggests the concept of "antifragility" — the ability to withstand shocks and benefit from disorder. In the context of IT infrastructure, this could involve:

1. Embracing diversity: Instead of standardizing on a single platform, organizations could use a mix of solutions to reduce dependency on one provider. A course of action is using different security tools for network parts or maintaining alternative cloud providers.
2. Stress testing and Sandboxing changes: Regularly simulating failures and outages to identify weaknesses and improve response capabilities.
3. Decentralization: Moving away from monolithic systems towards more distributed architectures that can better isolate and contain failures. This might involve breaking down large applications into microservices or adopting edge computing strategies.
4. Redundancy: Building in excess capacity and backup systems, even if it seems inefficient in the short term. This could include maintaining offline backups, having alternate communication channels, or keeping spare hardware on hand.
5. Continuous learning: Treating each incident as an opportunity to improve systems and processes, fostering a culture of adaptation and resilience. But beware, today's issue will not be tomorrow

The incident also raises questions about the broader technology landscape. As we eagerly embrace AI, cloud computing, and other advanced technologies, are we adequately considering the risks? The concentration of power among a few tech giants creates single points of failure and raises concerns about privacy, data control, and the potential for abuse of market power.

Moreover, this incident underscores the critical role of cybersecurity in our digital infrastructure. It's ironic that a tool designed to protect against cyber threats ended up causing disruption itself. The incident highlights the importance of adopting a comprehensive approach to security that addresses not only external threats but also the potential for internal failures or unintended consequences.

Policymakers and industry leaders need to address these challenges. Encouraging competition in the tech sector can help spread risk and promote innovation in reliability and security. Investing in national-level digital infrastructure resilience can help reduce the impact of future incidents. Creating robust incident response plans and improving coordination between the public and private sectors is vital.

Organizations should also reassess their IT strategies, balancing the benefits of standardization against the need for resilience. This might involve:

Diversifying technology providers and maintaining fallback options
Investing in robust backup and recovery systems
Improving incident response capabilities and regularly testing them
Fostering a culture of security awareness and continuous improvement
Considering the trade-offs between efficiency and resilience in system design

My 2 Cents

Building systems that can withstand and adapt to disruptions is essential in this age of increasing reliance on technology. The recent incident showed that even advanced tech companies are not immune to failures, and the consequences of these failures are becoming more severe as our digital dependence grows.

To create a more robust and resilient digital future, we must embrace antifragility principles and address concentration risks. This will require a shift in mindset—from viewing technology as a mere efficiency tool to recognizing it as a critical infrastructure that demands careful stewardship. Only by acknowledging the fragility of our current systems can we hope to build a digital world that is truly prepared for the challenges ahead.

As always — Opinions are my own.