Companies need to be accountable for blunders like the IT “meltdown” last week and governments must act to stop it happening again, leading experts said.
Louise Hurel, a research fellow at the defence and security think tank, The Royal United Services Institute, said last week’s disruption – caused by a bug in an update from antivirus company Crowdstrike – was a “wake up call” for how “fragile” our critical IT infrastructure is.
She said companies in charge of our IT systems must be forced to explain breaches such as last week’s outage – dubbed the ‘blue screen of death’ – which disabled a thousands of global institutions including hospitals, GP surgeries, pharmacies, major banks, media outlets and airlines, she said.
She added that governments need to measure the societal as well as the financial cost of IT outages such as the impact on healthcare and force companies to be accountable when things go wrong.
“How can a computer bug literally result in a cascade effect not only hitting the UK and USA but many other countries, with thousands of flights cancelled, healthcare systems grounded and people having to draw out cash to buy goods? There are financial costs but also tangible human costs and huge harms to society
“Governments need to impose legislation to properly measure the costs of these outages beyond the economic ones and companies need to be accountable for things that go wrong and potentially be forced to pay compensation.
“This week should be a wake up call and a moment to grab the attention of both governments and the private sector. Standards need to be discussed and there may be a need for proper regulation to prevent something like this happening again.
“We now need a public debate on how to make these tech giants accountable for things at this scale and a bigger discussion about the frailty of our global IT infrastructure.”
Cyber expert Dr Ian Batten, from School of Computer Science, at the University of Birmingham said antiviral companies – who do continuous monitoring and updates – may be causing more harm than good.
He said: “The crucial question we must ask is whether these antiviral companies are potentially doing more harm than good. Software today already has built in antivirus protections, more than in the past. We need to ask if the additional protection provided by an antivirus company is worth the risk of a problem like this?”
He added that some of the problems caused by Crowdstrike’s computer blunder are ongoing.
“Though the fault has been rectified, and some machines are being rebooted, the problem is that many machines have died – they won’t boot. Microsoft is now saying to turn it on and off 15 times, but it is unknown if it is effective. Software like that is designed to keep employers’ sticky fingers from removing it.
“If removal requires the admin password or encryption key remote workers are frozen out. Crowdstrike will not be able to cover the hundreds of billions of pounds in compensation calls, even if it tried to protect itself with a contract that said it was not liable.”
Robert Pritchard, former deputy head of the UK government’s Cyber Security Operations Centre said: “A scenario like this is terrifying. All anti virus companies have made mistakes like this over the years. But the scale of the impact of last week’s outage has highlighted the vulnerability of the systems we take for granted.
Mr Pritchard, founder of The Cyber Security Expert consultancy, added: “The problem is that we have only a few antivirus providers who are now underpinning our critical IT infrastructure. We need to diversify the number of companies in the space so we are no longer relying on a small group that have such a large market share that the impact is so big when something goes wrong.”
He added: “It is bad for society when one company is so dominant because a failure like yesterday becomes so damaging. Governments need to understand this and take action to reduce this risk.”
