United Airlines employees wait by a departures monitor displaying a blue error screen, also known as the 'Blue Screen of Death' inside Terminal C in Newark International Airport.Bing Guan/Reuters
Kean Birch is director of the Institute for Technoscience & Society at York University.
As I write this, I don’t know whether I’m going to get home Sunday because of the global Microsoft outage. I’m sitting and writing in an Amsterdam hotel at the end of a long conference week. Fellow delegates have already been heading to the airport expecting long queues and uncertain flight times. Funnily enough, the conference was about all about the vagaries and implications of our social, political, and economic dependence upon science and technology, including the fragility of infrastructures.
In my academic field of science and technology studies, there’s an argument made by the sociologist Susan Leigh Starr that we only really notice infrastructures when they break down. Here, we need to think of infrastructures as going beyond physical objects; they also entail rules, regulations, norms and standards that hold infrastructures together. In fact, infrastructures include a range of these often very diverse components. Infrastructure breakdowns include flooded roads as well as cellphone network outages, to pick on recent Canadian examples, demonstrating how fragile infrastructures can be.
Unfortunately, the Microsoft outage, caused by an errant update from the cybersecurity provider CrowdStrike, illustrates several problems with our current infrastructures.
Globally, we’ve become overly dependent upon multinationals such as Microsoft to run the underlying infrastructures on which our increasingly digital societies and economies run. And, seemingly, there is no backup or redundancy built into the system. Something banal such as a cybersecurity update gone wrong can disrupt airlines, workplaces, banking, government, medical procedures and more all around the globe.
There are several reasons for this that we could point to here, but I think one major political-economic shift over the past decade or so explains much of it.
Our economies are increasingly shaped by the transformation of more and more things into assets. An asset is a resource that a business, government or individual can own or control, deriving future benefits from it. Assets can range from tangible objects such as cars or machinery to intangible things such as intellectual property or brands; their value reflects the expectations of future returns, meaning that assets with regular, secure and recurring revenue streams are very valuable.
This brings me to software. It is no longer a product we buy and install under the assumption that all the bugs have been massaged out of the system. Rather, today software is packaged as a service, requiring repeat subscription fees and regular maintenance – such as this CrowdStrike update – to fix bugs that are expected to emerge during its use. As a service, software has been assetized: Annual subscription fees generate far more revenues than product sales, while giving companies significantly more control over how their software is used.
Other companies are or have already gone down this assetization route. Software in tractors can stop farmers from doing repairs on their own machines, requiring them to pay the tractor manufacturers instead. Software in automobiles means car owners are increasingly being asked to pay for heated seats and other basic functions. Software updates by printer manufacturers can brick the printer, rendering it inoperable, if generic ink is used. And so on.
With the assetization of software through its transformation into a service – and an asset for the companies – we’ve lost control of it. And in losing control of it, we’ve lost control over the infrastructures we all rely upon for everyday activities.
Sitting here writing these words with the uncertainty of my travel plans hanging over me makes me wonder why CrowdStrike doesn’t test its updates before rolling them out worldwide. If it does, then what happened this time? And how is Microsoft so vulnerable that an update from a third party can crash its systems this way?
Infrastructure fragility is going to get worse with time as we rely more and more on software as a service, especially as we don’t have the governance means to assert some oversight of what companies are doing to the infrastructures we rely upon.