How Regulations Contributed to the CrowdStrike Fiasco

On July 19th, something peculiar struck workers and consumers around the world. A global computer outage brought many industries to a sudden halt. Employees at airports, financial institutions, and other businesses showed up to work only to find that they had no access to company systems. The fallout of the outage was huge. Experts estimate that it cost businesses $5 billion in direct costs.

The company responsible, CrowdStrike, was also severely impacted. Shareholders lost about $25 billion in value, and some are suing the company. The outage has led to expectations of, and calls for, stricter regulations in the industry.

But how did the blunder of one company lead to such a massive outage? It turns out that the supposed solution of “regulation” may have been one of the primary culprits.

Regulatory Compliance
CrowdStrike, ironically, is a cybersecurity firm. In theory, they protect business networks and provide “cloud security” for online cloud computing systems.

Cloud security, in and of itself, is likely a service that businesses would demand on the market, but the benefit of increased security isn’t the only reason that businesses go to CrowdStrike. On their own website, the company boasts about one of its most important features: regulatory compliance.

As the website points out, many countries have extensive regulations for businesses which store consumer data. In the EU, for instance, there is the General Data Protection Regulation (GDPR). The GDPR “mandates robust data security measures,” and it extends to companies outside of the EU because it:

appl[ies] to any organization that processes or stores personal data about EEA residents, regardless of the organization’s location. Penalties for noncompliance are significant, with fines up to €20 million or 4% of annual global turnover, whichever is higher.

These types of regulations exist in the US as well. Connor Harris, an adjunct fellow at the Manhattan Institute, details the impact of regulation on the CrowdStrike outage extensively. He highlights that Executive Order 14028 requires federal agencies to use the sort of software CrowdStrike offers. But that’s not all. As Harris observes:

Similar regulatory issues exist in many private industries: for instance, the Federal Financial Institutions Examination Center, a United States federal agency that regulates banks, has a Cybersecurity Assessment Tool that spells out expectations for cybersecurity, including several provisions that require EDR-like monitoring. Though compliance with the Cybersecurity Assessment Tool is nominally voluntary, federal auditors are increasingly demanding compliance.

Anti-trust regulations may also be playing a part in this debacle. Craig Hale, a writer for TechRadar, has pointed out that a Microsoft spokesperson has argued that a 2009 decision by the European Commission could be partly to blame. In 2009, Microsoft attempted to limit the extent to which third-party security systems were able to perform certain functions.

At the time, many regulators argued that Windows’s limiting access to third-party companies was anti-competitive. The resulting pressure caused Microsoft to cave, even though these limitations would have prevented an outage of this kind.

Regulatory Capture
Connor Harris’s insight doesn’t stop there, though. Harris points out that regulators may have a preference for industry leaders on cybersecurity rather than new, upstart companies. In his words, “even organizations willing to build custom cybersecurity platforms may find auditors uncooperative: the path of least resistance is to use what they expect to see.”

Harris builds on an insight made by senior software engineer Mark Atwood on Twitter who argues this may be a case of regulatory capture. But what is regulatory capture?

The theory of regulatory capture has had many contributors, but many cite Nobel Prize-winning economist George Stigler as the primary exponent of the idea.

Most regulations require a certain amount of technical expertise to craft. Politicians and even more technical bureaucrats are forced to lean on outside experts to write regulations related to complex fields.

The issue is, the leading experts in a field tend to be members of the field themselves. So if, for example, Congress wanted to write a cybersecurity law, they may have to lean on relationships with people in established firms like CrowdStrike.

When experts who have relationships with companies are called in to help write regulations, they may do so in a way favorable to industry insiders rather than outsiders. Thus, regulation is “captured” by the subjects of regulation.

We can’t say with certainty that this particular outage is the result of an intentional regulatory capture by CrowdStrike, but it seems clear that CrowdStrike’s dominance is, at least in part, a result of the regulatory environment, and, like most large tech companies, they’re not afraid to spend money lobbying.

In any case, without cumbersome regulations, it’s unlikely that cybersecurity would take on such a centralized form. Despite this, as is often the case, issues caused by regulation often lead to more calls for regulation. As economist Ludwig von Mises pointed out:

Popular opinion ascribes all these evils to the capitalistic system. As a remedy for the undesirable effects of interventionism they ask for still more interventionism. They blame capitalism for the effects of the actions of governments which pursue an anti-capitalistic policy.

So despite the reflexive call for regulation that happens after any disaster, perhaps the best way to avoid problems like this would be to argue that in terms of regulation, less is more.

Editor’s note: This article originally was posted by the Foundation for Economic Education.
