Stay up to date with free updates
Simply sign up to the myFT digest for the technology sector, delivered straight to your inbox.
The author is a professor at Tufts University and author of “Cyber Insurance Policy.”
Who is to blame for the CrowdStrike software outage that took down millions of computers across every industry around the world last week? As is often the case with cybersecurity incidents, the blame is wide-ranging. CrowdStrike appears to have failed to properly inspect the channel file it distributed to customers, causing Windows computers to crash, and then distributed the file to everyone at once, rather than first identifying issues with a small number of customers before distributing the update more widely.
Meanwhile, Microsoft granted CrowdStrike and other third-party developers kernel-level access to the Windows operating system. The operating system kernel controls the entire computer. Without that level of access, CrowdStrike’s updates likely would not have had the same impact, and it would have been easier to fix without manually rebooting all affected systems.
Giving software companies that kind of access to your operating system is risky; it means that if the software provider you rely on makes a mistake or is compromised, you could quickly lose control of your computer. This is why Apple began informing third-party developers in 2020 that they would no longer allow kernel-level access to the macOS operating system (and perhaps why the CrowdStrike issue did not affect Apple devices).
But not all the blame lies with Microsoft. A 2009 deal between the company and the European Commission requires Microsoft to give outside developers the same access to Windows as its own security software. The aim is to help other software companies compete with Microsoft by ensuring that many of its products and services are interoperable with outside software and tools. That’s a worthy goal, and many of the agreement’s provisions are perfectly reasonable, such as requiring Outlook to support common calendar event and scheduling formats.
But the 2009 deal has a major flaw: it requires Microsoft to provide all APIs, or programming functions, that its security software products use to manufacturers of third-party security software products — a provision that obligates Microsoft to give kernel-level access to companies like CrowdStrike. Until this provision is changed, it’s unclear whether Microsoft can implement the main lesson of this debacle and phase out access as Apple did four years ago.
Beyond the changes to the Microsoft deal, the Commission, like other regulators, needs to consider the risks of sacrificing security in the name of competition. Technology companies have long warned that security could be compromised by opening up their ecosystems too much to outside developers. While these concerns are sometimes dismissed as an excuse for anti-competitive behavior, there are legitimate trade-offs between security and competition.
The European Commission said last month that to comply with EU digital market laws, Apple must make it easier to access and download software offered outside its official App Store, which would increase competition for apps but could lead to users downloading unsafe software that hasn’t been vetted by Apple.
To foster this kind of competition, it’s imperative that the OS be locked down as much as possible, since users could end up downloading software from a lot of unknown and untrusted developers. That’s why Apple introduced new security measures to its mobile OS in January to limit the potential damage from untested code downloaded to iPhones. This is why regulators must think carefully about the level of access they require tech companies to grant to competitors and third-party developers.
Perhaps we might sacrifice some security for increased competition, but under no circumstances should we sacrifice the computer kernel.
