Jacobson: Who will pay for the Crowdstrike outage?
Crowdstrike did not have a good day on July 19. During a routine software update, the file that the cybersecurity firm issued triggered a logic error that prevented Windows machines from rebooting. Microsoft estimates that around 8.5 million computers may have been affected by the event.
This created a tsunami of downstream consequences, as computers that supported numerous industry operations were unable to coordinate and process data.
For air travel, the net effect was the cancellation of more than 10,000 flights since July 19, as reported by FlightAware, with Delta Air Lines hit particularly hard. Using very conservative estimates, if each flight was booked on average with 64 people, and the average cost of a ticket was $290, the lost direct revenue on these days totaled more than $180 million.
Given that some of these people had to cancel hotel rooms and car rentals, and perhaps even miss cruises, the secondary effects of the outage in the hospitality industry alone are likely many times more than this.
Numerous other industries were affected, and similar analyses can be undertaken for them.
Such a massive disruption has not gone unnoticed. The House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection requested a meeting with Crowdstrike CEO George Kurtz.
The question now being asked is: Who will pay for all these delays, cancellations and consequences?
The first group affected is investors on Wall Street, where more than $10 billion of value was trimmed from Crowdstrike’s market capitalization through July 22. How long it will take for Crowdstrike’s shares to recoup such losses remains to be seen.
The one saving grace from this event is that the fix to the problem file was not complicated, taking less than 80 minutes to identify and implement. However, damage had already been done to the 8.5 million computers affected, with some requiring manual deletion of the problem file and reboot.
Does this make Crowdstrike liable for all such work and efforts and the associated downstream damages?
Every software product that is available carries with it terms and conditions that limit its liability to the user in the event of any type of malfunction or disruption. In essence, users agree to hold the software owner harmless.
The outage is likely to spur a series of class-action lawsuits that will allow attorneys to argue on behalf of different classes of those harmed, seeking damages that ultimately will be settled out of court.
This outage also provides a sneak peek into the future of how glitches in artificial intelligence systems may lead to cyber meltdowns, disrupting financial, transportation and health systems far beyond what any group of people could cause on its own.
The next several months will be interesting to observe as these liability issues are unraveled, discussed and explored. The alternative to what Crowdstrike offers — namely, no cyber protection — is far more dangerous than what transpired July 19.
Sheldon H. Jacobson, Ph.D., is a professor of computer science at the University of Illinois Urbana-Champaign. /Tribune News Service