Global outage shows lack of digital sovereignty and resilience
July 19 saw a CrowdStrike update taking down countless Microsoft systems, disrupting flights, surgeries, banking and more all over the world. The incredible impact this single outage had shows the importance of digital resilience, especially in the public sector. This can only credibly be achieved by decentralization and diversity in infrastructure and technology.
Incredible impact of CrowdStrike-Microsoft outage
While the German satirical news site Der Postillon noted that fax machines were not impacted, so the German public sector was fine, the effects could be felt everywhere.
Many politicians have already come out with statements about digital resilience. In the Netherlands, the Minister of Justice noted that there should be plans to deal with the fallout of events like this. “Concentrating production can concentrate risk, so that a single natural disaster or disruption has cascading effects,” US Federal Trade Commission chair Lina Khan wrote in a series of posts on X.
Existing and upcoming legislation
There are a number of legislative initiatives to protect the resilience of infrastructure. Examples include DORA, the Digital Operational Resilience Act, for the financial sector, taking effect in 2025, and the Cyber Resilience Act (CRA) for consumer technology. The Directive on Security of Network and Information Systems (NIS) specifically targets the protection and resilience of critical infrastructure and digital services, mandating security measures and incident reporting.
In the US, the Federal Information Security Management Act (FISMA) requires federal agencies to implement an information security program, including measures to mitigate the impact of IT outages. Additionally, the National Institute of Standards and Technology (NIST) Cybersecurity Framework provides guidelines for improving critical infrastructure cybersecurity.
But none of these regulations seem to effectively tackle the risks that come from the centralization of IT. This means that the digital sovereignty and resilience of the public sector, as well as of hospitals, banks and other critical infrastructure, continue to be critically endangered. A monoculture of services delivered by just a handful of big tech firms threatens continuity of service in the event of mistakes, cyber attacks and political conflicts.
Solutions
While this was just a mistake, a sustained cyber attack would have far more devastating consequences, to say nothing of attacks on physical infrastructure. Undersea cables are incredibly vulnerable, and in 2021 Russia also showed that satellites can be shot down with missiles.
The key to digital resilience is decentralization and heterogeneity. In the end, every IT system will go down at some point, so over-reliance on a single service is inevitably a risk. That holds even if the vendor is “too big to fail” and has plenty of redundancy and data centers.
Decentralize and federate
The public sector in particular should follow a focused strategy to diversify its IT infrastructure, reducing its reliance on a small number of big tech giants.
First, a strong multi-vendor, multi-platform strategy limits how far a single vendor's failure or compromise can spread. But beyond that, the solutions themselves should be less centralized.
The cloud itself is a particular risk: globally connected data centers may have a greater capacity to absorb denial-of-service attacks, but they are at the same time more exposed to mistakes and to more advanced cyber attacks, because one error or one compromise propagates everywhere at once. Technologies that are fundamentally distributed and federated, rather than relying on a single point of failure, offer a big advantage.
With on-premises solutions, the most critical platforms can even be entirely air-gapped, disconnected from the internet, either permanently or in response to an attack. This can ensure their availability even in the worst-case scenario.
Open Source brings resilience
Open source solutions are not only more robust in the face of constant security threats; they also provide more transparency in how they work. When there are issues, engineers can dig deeper than with black-box solutions, to the point where they simply read the code, or even modify it to add extra diagnostics to hunt down problems. Updates from vendors like CrowdStrike, if they were open source, could be scrutinised before deployment.
Perhaps most importantly, access to the source and more widely distributed knowledge of the code base mean that open source products can be patched and fixed during emergencies even without the vendor's help.
There are solutions to the risks and economic damage caused by our dependence on just a few big tech vendors. It is time to decide on them now.
Webinar: How Schleswig-Holstein and Nextcloud collaborate on a sovereign workplace
Schleswig-Holstein is transforming its state administration by adopting open-source solutions, with a key focus on the Nextcloud Hub collaboration platform. Watch the recording of our webinar with Felix Gebauer, Program Lead and Project Manager at the Schleswig-Holstein State Administration.
Watch the webinar