Navigating ‘blue screen of death’ blues
Besides crashing computer systems, the global IT failure highlighted the major legal, financial and risk management challenges for business in the digital age, writes Morry Bailes AM in his latest Opinion Piece for InDaily.
There is a contradiction at the heart of our use of technology. It is like yin and yang.
The greater the reliance we place on technology to improve productivity, the more we expose ourselves to technology-caused downsides. The CrowdStrike disaster is a perfect example of what can go wrong. The legal ramifications are difficult to assess fully at this stage. What is clear, however, is that as we call on technology more and more, the chances of coming undone grow with it. Too little attention is given to the risk of technology by those whose job it is to extol its virtues, or who seek to rely on it for productivity gains; they fail to give sufficient weight to the potential for productivity losses.
Most of our attention lately has been on the security of our digital systems and our data, as we face off against sophisticated, often State-sponsored, cyber attackers. The CrowdStrike incident demonstrates that technology failure can be a great deal more mundane than that. In this case it was not a Windows patch at all: a third-party provider pushed a routine content update to its own security software, the Falcon sensor, which runs with kernel-level privileges on Windows hosts. The update was presumably inadequately tested, and a defect in it crashed the Windows systems of those who used CrowdStrike for cyber security protection. The official CrowdStrike line was that ‘The outage was caused by a defect found in a Falcon content update for Windows hosts.’
Many end users were in an instant left with unusable IT systems, leading to calamitous results. Supermarkets could not function. Planes could not be boarded. Health systems ceased to operate. The dreaded ‘blue screen of death’ greeted users worldwide. In a moment everything that is vulnerable about our reliance on technology was exposed, in stunning and brutal fashion. Twenty-four years on, it was the Y2K scenario for real.
Jen Easterly, director of the US Cybersecurity and Infrastructure Security Agency, described the incident as a symptom of ‘a fragile software ecosystem that has historically deprioritised security in favour of features and speed to market’, and then said, ‘Any company that builds any kind of software should design, test and deliver it with a priority on dramatically driving down the number of flaws.’
How does business react to this totally unanticipated event that crashed 8.5 million machines worldwide, and what role does the law have to play in this and in other IT and cyber security challenges?
First, in this case Macs were not affected, which is a clue to how we ought to prepare for the unexpected. It is critical to have a thought-through and well-rehearsed backup plan. Too many businesses today are buying the upside of technology and failing to anticipate the downside. Indeed many are flying blind on such risks as cyber attack, even though the CrowdStrike failure was not of that kind. This is really a classic risk assessment scenario, and if lawyers are good at anything it is appreciating risk. Why? Because we so often see litigation over what has gone wrong, we are in a better position than most to imagine the worst scenario rather than the best. CrowdStrike was about as bad as it gets, but having alternative systems, even if they are legacy systems, is better than nothing at all.
I’m certain there were a fair few Macs being dusted off over Friday and the past weekend. The first line of defence, however, is backup itself, so that systems, even if delayed, can be restored. How many organisations today must be rueing a failure to imagine the unimaginable. All that said, when smaller organisations rely on providers to assist in restoring systems, and there is a conga line of customers in the same position, as was the case with the CrowdStrike incident, there is only so much that can be done. The fix for an affected host was hands-on: it had to be booted into safe mode or the recovery environment and the defective file removed by an administrator, so recovery scaled with available people, not with software.
The second is to be adequately insured. Insurance policies need to be carefully checked at annual renewal time for their adequacy. No two policies are the same. Moreover, the technological and cyber world is changing so regularly in terms of risk that your policies may have to change too. In analysing an insurance policy, you ought to be looking at the scope of cover, exclusions from that cover, and limitations on cover by virtue of aggregating loss clauses. If you are unfamiliar with insurance law and how to read a policy, get some professional advice from a lawyer or an insurance broker. It may save you a great deal in the long run if you get it right, because it is almost inevitable that at some point you will face, at the very least, a cyber attack.
Only in the last week the Home Affairs Minister Clare O’Neil told us that cyber security is our fastest growing national security threat. The CrowdStrike event has reminded us all that the risks are much greater than just our cyber security, however. Other examples of the mundane include NBN outages and software updates gone wrong. We need to properly insure for business interruption, data loss and theft, and damage to our IT systems, in whatever circumstances they may arise.
Thirdly, if you are inadequately insured, or uninsured, there will almost certainly be a class action or actions brought against Microsoft (which will likely join CrowdStrike as a party) or directly against CrowdStrike. Whilst we don’t yet fully understand the extent of the losses from Friday’s global incident, it is likely that these corporations are themselves insured against such risk, and litigation will follow aimed at compensating those who have suffered otherwise unrecoverable losses. There will also inevitably be litigation between insurers, likely to last many years. Depending on what the user terms and conditions actually provide, including any limitation-of-liability clauses, the relevant jurisdiction for such class actions may be the U.S., but watch this space.
Most important, though, is the psyche of business, which must wake up to what it means to exist almost entirely in the digital world. The risks are now existential. Losses from a cyber attack, for instance, can be so great as to tip a business into insolvency. Anything short of that can nonetheless become a veritable nightmare and can cost business owners a great deal of time, effort and money to put right, particularly if you are holding identifying documents, such as passports, that may need to be replaced in the event of a breach such as the one that hit Optus. It may also involve serious regulatory consequences if client, customer or employee data is lost in, for instance, a ransomware attack.
There remains a significant failure by business, large and small, to fully understand just how badly it can all go wrong when such reliance is placed on technology generally, and on third-party and cloud providers specifically. To count on technology purely to bolster results, and to ignore the fact that it could be the factor that brings an organisation to its knees, is reckless. The law demands that directors of companies, particularly when they are dealing with other people’s money and data, observe duties that go beyond concentrating on returns, and that include policies adequately addressing the ever-increasing risk that goes hand in hand with using advanced and advancing technology.
The Office of the Australian Information Commissioner now has considerable power to impose civil penalties on organisations for data loss in breach of the Privacy Act, particularly if they are repeat offenders, and the penalties can be very high for both individuals and corporations, as follows:
‘The ‘civil penalty provisions’ in the Privacy Act include:
- a serious or repeated interference with privacy (s 13G) with maximum penalties including $2,500,000 for a person other than a body corporate, and for a body corporate, an amount not exceeding the greater of:
  - $50,000,000; or
  - three times the value of the benefit obtained directly or indirectly by the body corporate and any related bodies corporate, that is reasonably attributable to the conduct constituting the contravention; or
  - if the court cannot determine the value of the benefit, 30% of the body corporate’s adjusted turnover during the breach turnover period for the contravention.’
Much the same can be said for the use of Generative AI. Sure, there are upsides, but the accompanying risks are huge. No corporate conversation about technology should occur in the current age without an accompanying discussion about risk, and directors and companies will ultimately be found to have liabilities to shareholders, customers, staff and regulators if a proper balance between reward and risk is not struck.
If an organisation today cannot point to a technology risk management plan, with the necessary contingencies to mitigate risk, it runs the danger of answering to stakeholders through a process of law, compensatory and regulatory. That plan must self-evidently demonstrate compliance with identified risk regimes, or it will be found to be useless. Thus the implementation of any technology system must be accompanied by the implementation of risk and compliance systems alongside it.
The seductive qualities of Generative AI, of advancing technology aiding productivity and process, and of the many third-party providers promising to make management of IT systems and data easier, are a potent mix for not only success but unexpected failure. The CrowdStrike incident, which arrived without any warning, is a significant reminder to us all that a black swan event can as easily arise from the use of technology as it can in markets. Further, with that come likely significant legal and regulatory liabilities. No investor in CrowdStrike can now take the company’s survival of this event for granted. Its share price has been hammered, and its end users are reeling from their mounting losses.
Sometimes moments like these sound a clarion call to the world about just how bad things can become from one moment to the next. The CrowdStrike incident will not be easily forgotten. It was confronting and sudden. That said, it gives us a chance to consider, or reconsider, what our potential liabilities are, what our contingency plans are, and what our protections are. Most of all, it gives us an understanding, if we needed it, that technology can wreck as much as it can help.
If you are only thinking of the upside to technology, think again. The downside can be the end of organisations and reputations. With technology, plan to expect the unexpected, and act accordingly, perhaps adopting Douglas Adams’ definition that ‘technology is a word that describes something that doesn’t work yet’. Just ask CrowdStrike.