What can we learn from the CrowdStrike global IT outage?

It was quite the Friday afternoon.

At a time when many Australians are languidly sliding into the weekend, we suddenly couldn’t use our computers, pay for groceries, do our banking or check in to our flights.

But rather than handwringing about the vulnerability of our increasingly networked world, Australia should use the CrowdStrike IT outage to do some sober, clever thinking about the best way to respond in the long term.

Three key policy issues immediately jump out to me. (Spoiler alert: it’s not all doom and gloom.)

Should we update the way we do updates?

CrowdStrike advises that the outage was caused by a defect in a content update pushed by CrowdStrike to Windows hosts.

The big question is what caused this ‘defect’. Was it a one-off human error? Or a systemic failure in how updates are reviewed, tested, and deployed?

As the dust settles on the immediate restoration efforts, the focus must shift to reviewing the governance frameworks around software updates. Any such reviews must examine not only the internal processes of individual companies (in this instance CrowdStrike) but also coordination between major providers when updates are released (in this instance, CrowdStrike and Microsoft).

CrowdStrike was bad…but what if it had been worse?

As the headlines love telling us, it’s ‘the largest IT outage in history’, but what’s lost in that framing is that the fix was identified quickly and a patch was pushed out in six hours. That’s pretty fast.

And while the outage affected media, airports, banks, and supermarkets, it had minimal impact on the telecommunications sector or other critical infrastructure.

The Government performed well too.

It was impressive to see the National Coordination Mechanism in action over the weekend. It demonstrated how far crisis coordination on cyber and tech issues between government and industry has come since the WannaCry and NotPetya ransomware attacks in 2017.

However, if the outage had lasted longer, or impacted critical infrastructure, including telcos, public messaging would have become more urgent and challenging. How would Australia have responded then? That’s a conversation Australia should be having.

My hope is that this incident brings focus and urgency to existing government efforts to enhance communication channels with the public in digitally degraded environments, especially if either or both media and telcos are impacted.

How can we be resilient in a digitally degraded environment?

Outages like this will happen again — whether due to malicious intent, technical failures, or climate disruptions (as seen during the bushfires).

If we accept that such outages will occur, do we focus on minimising the duration of the resulting chaos? Or do we adapt and, for example, purposefully put in place analogue or unnetworked redundancies?

Businesses maintaining the ability to revert to cash payment. Media switching to manual control decks and analogue broadcast. Handwritten boarding passes.  Strategic retention of copper wires in the telecommunication network.  While these resilience enhancing redundancies may sound attractive, they come with significant cost implications – not just in maintaining the infrastructure, but also in exercising and ensuring staff know how to use it.

Both approaches have pros and cons, and a blend of the two might be necessary. This requires thoughtful deliberation, with some urgency.

Tech isn’t all bad

Finally, while it’s easy to focus on the negatives of our networked world at times like this, don’t forget the benefits: online banking (no more lunch break bank queues), working from home (instead of open-plan offices), and Aussie businesses selling products to global customers (without needing to establish costly overseas offices).

It’s not all bad. But we shouldn’t just accept the status quo. This is an excellent opportunity to take stock and evolve our tech policy settings to help shape a better future.

This article was co-published with ANU Policy Brief.