Sheldon H. Jacobson: Who will pay for the Crowdstrike outage? | TribLIVE.com

Sheldon H. Jacobson
AP
A technician works on an information display near United Airlines gates at Chicago O’Hare International Airport July 19 after a faulty CrowdStrike update caused a major internet outage for computers running Microsoft Windows.

Crowdstrike did not have a good day on July 19. During a routine software update, the file that the cybersecurity firm issued triggered a logic error that prohibited Windows machines from rebooting. Microsoft estimates that about 8.5 million computers may have been affected by the event.

This created a tsunami of downstream consequences, as computers that supported numerous industry operations were unable to coordinate and process data.

For air travel, the net effect was the cancellation of more than 10,000 flights since July 19, as reported by FlightAware, with Delta Air Lines hit particularly hard. Using very conservative estimates, if each flight was booked on average with 64 people, and the average cost of a ticket was $290, the lost direct revenue on these days totaled more than $180 million.

Given that some of these people had to cancel hotel rooms and car rentals, and perhaps even miss cruises, the secondary effects of the outage in the hospitality industry alone are likely many times more than this.

Numerous other industries were affected, with similar analyses that can be undertaken.

Such a massive disruption has not gone unnoticed. The House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection requested a meeting with Crowdstrike CEO George Kurtz.

The question now being asked is: Who will pay for all these delays, cancellations and consequences?

The irony of the situation is that Crowdstrike software is designed to protect computers against viruses and malicious software. Yet the current outages did harm that rivals what a computer virus or malicious software could have unleashed. Using a war metaphor, what happened with Crowdstrike was akin to friendly fire.

The one saving grace from this event is that the fix to the problem file was not complicated, taking less than 80 minutes to identify and implement. However, damage had already been done to the 8.5 million computers affected.

Does this make Crowdstrike liable for all such work and efforts and the associated downstream damages?

Every software product that is available carries with it terms and conditions that limit its liability to the user in the event of any type of malfunction or disruption. In essence, users agree to hold the software owner harmless. Few of us ever take the time to read such agreements, even though we are bound by them.

Unfortunately, the outage is likely to spur a series of class-action lawsuits that will allow attorneys to argue on behalf of different classes of those harmed, seeking damages that ultimately will be settled out of court.

However, of greater importance is that the Crowdstrike outage shines a bright light on the fact that all organizations and entities that rely on computers are one bad file, one inadvertent keystroke or one software update away from a potentially destructive technology meltdown. Every organization and entity is exposed to such risks.

What happened with Crowdstrike could have happened with any one of the many other security software companies, though perhaps not on such a large scale. This is the price that we all pay for enjoying the benefits of cyber efficiency and access to the digital economy.

No one wants to return to a paper-centered world, manually undertaking tasks that can be completed digitally thousands of times faster and more accurately.

This outage also provides a sneak peek into the future of how glitches in artificial intelligence systems may lead to cyber meltdowns, disrupting financial, transportation and health systems far beyond what any group of people could cause on its own.

Crowdstrike may carry some liability for what happened July 19, yet the demand for efficiency offered by our digital economy is just as complicit. The congressional committee that will question the Crowdstrike CEO may be unable to appreciate this fact.
