Editorial | IT meltdown – who pays?

The world woke up to unsettling news Friday that a massive IT outage overnight was affecting airlines and transport systems, banks, media, health systems and emergency operations, stock exchanges and other businesses that rely on Microsoft 365 apps.

The global-scale disruption was related to issues with Texas-based cybersecurity firm CrowdStrike, which provides technology to protect devices from cyberattacks. Indeed, CrowdStrike offers cloud-based solutions to detect and respond to threats beyond traditional anti-virus software. With some 23,000 subscription customers, CrowdStrike reportedly earned US$2.24 billion in 2023. This was, however, not a cyberattack, or security incident, reported CrowdStrike, they were simply performing a content update.

With about 110,000 flights scheduled around the world Friday, by early morning, thousands were cancelled. This incident demonstrated in a most dramatic way how a technical problem with one provider can have a domino effect on various organisations which use their products. And, therein, we saw how a relatively small company based in Austin, Texas can cripple operations all over the world.

While computer glitches are deemed to be inevitable, failure on a such a massive scale can make users edgy and even uncomfortable. It suggests weak links in the technology chain. Most likely, in the aftermath of this system failure, there will be plenty of discussions about building resilience and establishing workaround systems.

BACKUP PLAN

Above all, this incident highlights the critical need for governments and sensitive organisations such as banks to have a backup plan for future scenarios. Hopefully, those looking at Jamaica’s technology architecture will focus on its dependency and identify the key risks and have backup systems in place.

Fresh in our memories is the problem associated with the introduction of the C5 entry form by the Passport, Immigration and Citizenship Agency (PICA) in the early days last year, where cybercriminals, purporting to charge a user fee on behalf of government, literally captured the service.

Computer-shy persons, pejoratively referred to as ‘old school’ or ‘primitive’, who were somewhat suspicious of cyberthreats, can be expected to be even more nervous about trusting the new technology systems that have taken over our daily lives.

We daresay the public relations language used by the companies did nothing to calm nerves and smooth a rather confusing situation on Friday. For example, airlines informed passengers that they were “on pause”, which really meant they had been grounded. And CrowdStrike put out a statement saying: “the issue has been identified, isolated and a fix has been deployed”. While Microsoft said this, “the underlying cause has been fixed, however, residual impact is continuing to affect some Microsoft 365 apps and services.” The fact is, no one can say exactly when things will return to normal.

There are multiple lessons to be learnt from this incident, we believe. The main one is how best to respond to such incidents to keep the population and sensitive operating systems safe. The other thing is, who is liable for the economic fallout from such situations? Jamaica would have been affected, since major carriers such as American, Delta, and United, which operate in the local airspace, had to cancel flights. Customers of FLOW, local telecoms provider, have been advised of the disruptive effects. Who bears these costs?

The Ministry of Technology has not, up to the time of writing, given a public reaction to the global disruptions. If there is a grand plan in place to deal with similar situations, it is time to review it, based on Friday’s events.

With the full understanding that this was not a cyberattack, the prime minister is obliged to bring the country up to speed on what are the measures already in place to cope with any kind of technology outage, and who is charged with coordinating such efforts.