Investigate CrowdStrike outage: compensation issues must be addressed – Derek Fernandez

Despite apology, company's silence on compensation issue jeopardises public's and businesses' trust

9:33 PM MYT

 

THE recent global IT outage, reportedly caused by a single antivirus update by antivirus firm CrowdStrike for Microsoft’s Windows OS, has wreaked havoc on businesses, governments, and the public worldwide, with losses estimated in the billions.

Banks, airlines, hospitals, government offices, businesses, and the public in Malaysia have not been spared. Despite an apology from CrowdStrike's CEO, we have not heard anything about the issue of compensation from CrowdStrike or Microsoft.

Such an obvious silence threatens the confidence and trust of the public and businesses in digitalisation. There cannot be confidence in digitalisation without trust. 

Trust requires accountability. Without compensation by those responsible, who are paid millions in licence fees, there is no accountability.

More disturbing is that the incident exposed how seriously vulnerable digital platforms are to a single event.

Despite the basic principle of not putting all your eggs in one basket, we continue to listen to the sales pitch about how safe things are with their product and how important it is for everyone to use the same proprietary systems, even though a single flawed update can wreak havoc on Malaysia and its people.

Imagine if this were a deliberate attack exploiting the same pathway, carried out from within the vendor itself. Or if, in the future, for geopolitical reasons, such systems were weaponised to destroy our nation’s economy.

It is therefore critical that an investigative panel of inquiry be established to determine the following:

1. How was it possible for a single IT update to cause this kind of damage, disruption, and loss?

2. What was the cause, and was it negligence or a failure to check the safety of an update? How was the alleged flawed code pushed out as an update without being tested?

3. Can this happen again in the future and, if so, what measures are in place so it will not happen again?

4. What was the total amount of financial losses suffered in Malaysia?

5. What is the legal and/or moral liability of CrowdStrike and Microsoft to compensate the public, businesses, and the government for all losses? 

This is especially important since these vendors must have been aware that their systems were used in critical as well as business sectors in Malaysia and it was clearly foreseeable that disruption of those services would cause not only the government or businesses to suffer but also members of the public who rely on those services. 

They must be aware that some bad code, if placed in a critical pathway, can cause serious problems, as it did in this case.

6. What are the financial penalties and compensation that justly should be paid now and also in the event it happens again?

7. To reassess national digital security infrastructure and the accountability of vendors who are paid millions for services.

8. To review all vendor contracts and not renew them until there is sufficient legal provision to protect the public from losses due to negligence and to ensure that those supplying such technologies in critical areas have sufficient insurance.

“There cannot be trust without real accountability. There can be no accountability without compensation.” – July 22, 2024

Derek Fernandez is an expert in cybersecurity law
