October 2024 - Security | Digital Transformation

IT Technologies Need to Become Significantly More Robust for the Digital Future

To prevent future disruptions from minor software errors, Prof. Dr. Norbert Pohlmann from eco highlights the urgent need for robust IT security architectures.

IT Technologies Need to Become Significantly More Robust for the Digital Future-web

©Tippapatt | istockphoto.com

Small cause, but a big effect

On Friday, 19 July 2024, we once again confronted the significant consequences that a single software error can have. This latest major IT crash, triggered by a software error in an update from the IT security company Crowdstrike, caused not only their IT security solution, but the entire Microsoft system and therefore the application to stop functioning. According to estimates by Microsoft, this affected a total of 8.5 million IT systems worldwide.

This in turn had catastrophic consequences for the operations of airports, hospitals, and banking systems. As a result, multiple flights were cancelled, surgeries could not be performed, payments had to be postponed, and a vast number of employees were unable to carry out their activities. Immense damage was caused worldwide, estimated to reach $1.5 billion, highlighting the immense global impact of such failures. The scale of direct and indirect damages is therefore enormous, and will certainly be analyzed in greater detail.

Our current IT is not a solid foundation for the digital future

In our IT systems, IT infrastructures, and application systems, more and more software from a wide variety of third-party providers is being integrated, given that the technological challenges posed by rapid digitalization are becoming ever larger. This increases the complexity of our IT and the Internet. At the same time, however, the degree of dependency on all the third-party providers used are also increasing and the risks are growing, as demonstrated by the software error at Crowdstrike. Even though software quality is continuously being improved, such software errors, as well as targeted attacks, will continue to occur in the future. For this reason, new IT security architectures, concepts, and functions that are significantly more robust are urgently needed.

To strengthen our digital future, companies and institutions must prioritize investment in modern, resilient IT systems. Moving away from outdated monolithic systems towards modular, flexible designs will improve recovery from potential breakdowns. This shift, underscored by the recent Crowdstrike incident, should be accompanied by enhanced software testing and rollout procedures. Updates and patches must be thoroughly tested before widespread deployment, ideally by running them on a controlled, smaller set of systems to identify potential issues early. This proactive approach could prevent widespread system failures and mitigate the risks posed by unforeseen software errors.

Expert perspectives on the software error

On 14 August 2024, on a Deutschlandfunk radio broadcast in Cologne, I got to discuss this issue with the interviewer Petra Ensminger and two other IT experts: Thomas Caspers from the German Federal Office for Information Security, and IT lawyer Caroline Glasmacher. Together, we explored how seemingly small errors can have devastating consequences in today’s interconnected digital landscape. Our conversation highlighted the vulnerability to IT failures and cyberattacks due to outdated, monolithic systems that are prone to bugs and overly reliant on third-party software.

As we emphasized, IT providers, particularly those with significant market power like Microsoft and Google, must recognize their responsibility in ensuring system stability. Stronger emphasis on trustworthiness, accountability, and collaboration between providers is essential to avoid leaving users vulnerable to such catastrophic failures.

Based on our insights, Ensminger acknowledged that, “the dependencies are enormous, and we need to ensure that our systems are robust enough to handle them.” In being asked how to counter the vulnerability, we stressed how IT architectures are needed to be built on a smaller, more trustworthy software base. While technologies like trusted computing* can help create modular systems that prevent localized errors from bringing down entire networks, adoption of these technologies remains limited due to resistance from dominant tech companies with vested interests. As such, the solution lies in collaboration.

In the broadcast, we also called for European-led digital ecosystems that reduce dependence on big tech, as well as a push for more secure open-source software. As we noted, this transformation requires the cooperation of businesses, academia, and government. Policymakers must set clear goals and provide the resources needed to make our digital future safer and more resilient.

Our IT must become more robust

To ensure that all IT systems (smartphones, notebooks, servers, cloud systems, etc.) can be implemented robustly, we need modern and secure IT security architectures, concepts, and functions that can be implemented to achieve a significantly higher level of robustness and a higher level of IT security.

In addition to building robust IT architectures, organizations must enhance their cybersecurity measures to counter increasingly sophisticated attacks. Regular security updates, rigorous testing of third-party software, and improving redundancy in critical systems are essential steps towards mitigating risks and protecting essential services.

With the aid of robust IT security architectures, the impact of software errors, as well as malicious manipulation by attackers, can be significantly reduced.

Robust IT security architectures operate with a small, trustworthy software base that is implemented with a particularly high level of security. On this trustworthy software basis, software applications are executed in isolated virtual machines in a modular fashion. The advantage of this modular IT architecture is that any errors that occur in a virtual machine remain confined within a closed environment and do not cause the entire IT system to crash. A software error that would occur in such an IT architecture would only have a limited impact.

Where are the problems, and can they be fixed?

Modern and secure IT security architectures have been available in principle for a very long time, but are not yet being implemented sufficiently and openly enough by the monopolistic providers.

The reasons for this are that these robust IT security architectures have slightly higher performance requirements – which, however, is not really a problem with increasingly powerful IT systems. Nonetheless, such new IT architectures need to be implemented more openly with a wide range of third-party providers, which goes against the business models of monopolists.

However, in order to continue investing in a reliable digital future, we must build our IT in such a way that catastrophic consequences like these no longer occur.

We will only be able to implement such a radical change to the IT security architecture if all stakeholders from business, academia, and government work much more closely together and take joint, targeted action.

Now is the right time to act

The digital future can only be realized with secure, trustworthy, and, above all, robust IT technologies, as the Crowdstrike incident clearly shows. We should take this fatal incident as a wake-up call to actively shape our digital future in such a way that we have control over IT – and not the other way around.

The full recording of the German-language radio broadcast is available here: ▶ https://lnkd.in/gKuZWdX4

*Trusted computing is the belief that a computer will operate in a predictable manner, and provide an environment where data (software and information) within the system is authenticated and protected.

 

Norbert Pohlmann is a Professor of Computer Science in the field of cybersecurity and is Managing Director of the Institute for Internet Security - if(is) at the Westphalian University of Applied Sciences in Gelsenkirchen, Germany. He is also Chair of the Board of the German IT Security Association TeleTrusT, and Board Member for IT Security at eco – Association of the Internet Industry.