CrowdStrike, Antitrust, and the Digital Monoculture

Business

Last month’s unprecedented global IT failure should be a wakeup call. Decades of antitrust inaction have made many industries dangerously reliant on the same tools, making such crises inevitable. We must demand regulators break up the digital monocultures that are creating a less competitive, less safe, and less free digital world.

The Federal Trade Commission (FTC) solicited public comments last year on the state of the cloud computing market. EFF made it clear that the consolidation of service providers has created new dangers for everyone and urged the commission to encourage interoperability so customers could more easily switch and mix cloud services. Microsoft cautioned against intervention, touting the benefits of centralized cloud services for IT security.

A year later, a key cloud-based cybersecurity firm released a bug unique to Microsoft systems. Vital IT systems were disrupted for millions worldwide. 

This fragility goes beyond issues at a specific firm, it results from power being overly concentrated around a few major companies.

What Happened

The widespread and disruptive tech outage last month happened thanks to an overreliance on one particular tool, CrowdStrike’s Falcon sensor software. While not a monopoly, this tool is the most popular in end-point protection platforms.

This niche service often used by companies is best understood as an antivirus tool for devices, controlled by a cloud platform. “End-point” computers run the agent with very deep system permissions to scan for security issues, and the company CrowdStrike regularly pushes remote software updates to this tool. This setup means many devices rely on a single source for their security, leveraging shared insights learned across devices. It also means that many devices share a single point of failure.

Instead of an inconvenience for a few companies, it more closely resembled a government shutdown or a natural disaster.

An early sign of this problem came last April, when a CrowdStrike update disrupted devices running Debian and Rocky Linux operating systems. Linux “end-point” devices are uncommon, let alone those running these specific distributions with CrowdStrike software. What should have been a red flag in April was instead barely a blip.

Last month CrowdStike disrupted two other operating systems with a bad update: Windows 10 and 11. This time it spurred a Y2K-like collapse of crucial computer systems around the globe. Airlines, hospitals, financial institutions, schools, broadcasters, and more were brought to a standstill as an erroneous update on CrowdStrike’s platform caused system crashes. Instead of an inconvenience for a few companies, it more closely resembled a government shutdown or a natural disaster.

Both cases had similar impacts to devices, but the later case was an absolute disaster for infrastructure because of a digital landscape dominated by a few key players. Having so many sectors rely on a handful of services for the same operating systems makes them all susceptible to the same bugs, with even systems running absurdly old versions of Windows gaining an advantage for providing some diversity.

Whatever went wrong at CrowdStrike was just a spark. Last month it ignited the powder keg of digital monocultures.

Digital Monoculture

All computers are broken. Every piece of software and hardware is just waiting to fail in unexpected ways, and while your friendly neighborhood hackers and researchers can often hold off some of the worst problems by finding and reporting them, we need to mitigate inevitable failures. A resilient and secure digital future can’t be built on hope alone.

Yet, that’s exactly what we’re doing. The US has not just tolerated but encouraged a monopolistic tech industry with too little competition in key markets. Decades of antitrust policy have been based on the wrongheaded idea that sheer size will make tech companies efficient and better able to serve customers. Instead, we have airports, hospitals, schools, financial systems, and more all reliant on the same software, vulnerable to the same bugs and hacks. We created a tech industry that is too big to fail.

The lack of diversity makes the whole ecosystem more fragile

We live in the age of the digital monoculture, where single vulnerabilities can tear through systems globally; sabotaging hospitals and city governments with ransomware; electrical systems with state-sponsored attacks; and breaching staggering amounts of private data. Name a class of device or software, and more often than not the majority of the market is controlled by a few companies—often the same ones: Android and iPhone; Windows and Mac; Gmail and Outlook; Chrome and Safari.  When it comes to endpoint security products three companies control half of the market, the largest being Microsoft and CrowdStrike.

Much like monocultures in agriculture, the lack of diversity makes the whole ecosystem more fragile. A new pest or disease can cause a widespread collapse without a backup plan. The solution, conversely, is to increase diversity in the tech market through tougher antitrust enforcement, and for organizations to make IT system diversity a priority.

Allowing an over-reliance on a shrinking number of companies like Microsoft will only ensure more frequent and more devastating harms in the future.

How we got here

Broken Antitrust

As EFF has pointed out, and argued to the FTC, antitrust has failed to address the realities of a 21st-century internet.

Viewing consumers as more than walking wallets, but as individuals who deserve to live unburdened by monopoly interests.

Since the 1980s, US antitrust has been dominated by “consumer welfare” theory, which suggests corporate monopolies are fine, and maybe even preferable, so long as they are not raising prices. Subtler economic harms of monopoly, along with harms to democracy, labor rights, and the environment are largely ignored.

 For the past several years, the FTC has pressed for a return to the original intent of antitrust law: viewing consumers as more than walking wallets, but as individuals who deserve to live unburdened by monopoly interests.

But we have a long way to go. We are still saddled with fewer and less adequate choices built on a tech industry which subsidizes consumer prices by compromising privacy and diminishing ownership through subscriptions and restrictive DRM. Today’s empires of industry exert more and more influence on our day to day life, building a greater lock-in to their monoculture. When they fail, the scale and impact rival those of a government shutdown.

We deserve a more stable and secure digital future, where an error code puts lives at risk. Vital infrastructure cannot be built on a digital monoculture.

To do this, antitrust enforcers, including the FTC, the Department of Justice (DOJ), and state attorneys general must increase scrutiny in every corner of the tech industry to prevent dangerous levels of centralization. An important first step would be to go after lock-in practices by IT vendors.

Procurement and Vendor Lock-In

Most organizations depend on their IT teams, even if that team is just the one friend who is “good with computers”. It’s quite common for these teams to be significantly under-resourced, forced to meet increasingly complex needs from the organization with a stagnant or shrinking budget.

Lock-in doubles down on a monopoly’s power and entrenches it across different markets.

This squeeze creates a need for off-the-shelf solutions that centralize that expertise among vendors and consultants. Renting these IT solutions from major companies like Microsoft or Google may be cost-effective, but it entrusts a good deal of control to those companies.

All too often however, software vendors take advantage of this dynamic. They will bundle many services for a low initial price, making an organization wholly reliant on them, and then hinder the ability of the organization to adopt alternative tools while later raising prices. This is a longstanding manipulative playbook of vendor lock-in.

Once locked in, a company will discover switching to alternatives is costly both in terms of money and effort. Say you want to switch email providers. Rather than an easy way to port over data and settings, your company will need to resort to manual efforts or expensive consultant groups. This is also often paired with selective interoperability, like having an email client work smoothly with a bundled calendar system, while a competitor’s service faces unstable or deliberately broken support.

Lock-in doubles down on a monopoly’s power and entrenches it across different markets. That is why EFF calls for interoperability to end vendor lock-in, and let IT teams choose the tools that reflect the values and priorities of their organization.

Buying or building more highly-tailored systems makes sense in a competitive market. It’s unlikely a single cloud provider will be the best at every service, and with interoperability, in-house alternatives become more viable to develop and host. Fostering more of that internal expertise can only bolster the resilience of bigger institutions.

Fallout from The Cloud

Allowing the economy and the well-being of countless people to rely on a few cloud services is reprehensible. The CrowdStrike Falcon incident is just the latest and largest in a growing list of hacks, breaches, and collapses coming to define the era. But each time everyday people endure real harms.

Each time, we see the poorest and most marginalized people face costly or even deadly consequences. A grounded flight might mean having to spend money on a hotel, and it might mean losing a job. Strained hospital capacity means fewer people receive lifesaving care. Each time these impacts further exacerbate existing inequalities, and they are happening with increasing frequency.

We must reject this as the status quo. CrowdStrike’s outage is a billion-dollar wake-up call to make antitrust an immediate priority. It’s not just about preventing the next crash—it’s about building a future where our digital world is as diverse and resilient as the people who depend on it.



Source link

Leave a Reply

Your email address will not be published. Required fields are marked *