The writer is a professor at Tufts and author of ‘Cyberinsurance Policy’
Who is to blame for the CrowdStrike software outage that took down millions of computers across every industry sector all over the world last week? As is often the case with cyber security incidents, there’s plenty of blame to go around. CrowdStrike failed to properly vet the channel file it pushed out to its customers, crashing their Windows computers, and it also appeared to roll out that file to everyone all at once, rather than starting with a small number of customers to identify any problems before releasing the update widely.
Meanwhile, Microsoft let CrowdStrike and other third-party developers have kernel-level access to its Windows operating system. The kernel of an operating system has control over the entire computer. Without that level of access, the CrowdStrike update would probably not have had the same impact. It would certainly have been easier to fix without manually rebooting all the affected systems.
Giving software companies that kind of access to an operating system is dangerous — it means you can quickly lose control of your computer if any of the software providers you rely on makes a mistake or is compromised. That is why Apple began informing third-party developers in 2020 that it would no longer grant them kernel-level access to the MacOS operating system (and also quite possibly why the CrowdStrike problem didn’t affect Apple devices).
But not all the fault lies with Microsoft. A 2009 agreement between the company and the European Commission requires it to grant outside developers the same access to Windows that its own security software has. The idea was to make it possible for other software companies to compete with Microsoft by ensuring many of its products and services are interoperable with outside software and tools. That’s a worthy goal, and many provisions in the agreement are entirely reasonable, such as requiring that Outlook support common calendar event and scheduling formats.
But the 2009 agreement is profoundly flawed in requiring Microsoft to make all of the APIs, or programming functions, that its own security software products use available to manufacturers of third-party security software products. This is the provision that requires Microsoft to give kernel-level access to companies such as CrowdStrike. Until it is changed, it’s not clear that Microsoft can implement the chief lesson of this debacle and start phasing out access, as Apple did four years ago.
Beyond changing its agreement with Microsoft, the commission — like other regulators — needs to think about the risks of sacrificing security in the name of competition. Tech companies have long warned that opening up too much of their ecosystem to outside developers could come at the cost of security. These concerns are sometimes dismissed as an excuse for anti-competitive behaviour, but there are some legitimate trade-offs between security and competition.
The commission last month said Apple, in order to comply with the EU’s Digital Markets Act, must make it easier to access and download software provided outside its official App Store. That will open up more competition for apps, but it may mean users will download insecure software not vetted by Apple.
Encouraging competition in this way absolutely requires that operating systems be locked down as much as possible, because we could end up downloading software from many unknown and untrusted developers. That’s why Apple introduced new security measures to its mobile operating system in January to limit potential damage from unvetted code downloaded on iPhones. It’s why regulators must think carefully about the level of access they insist tech companies grant to competitors and third-party developers.
Perhaps we’re willing to sacrifice some security in the name of more competition, but we should never, under any circumstances, sacrifice our computer kernels.