Microsoft should take cyber security into the firm, instead of outsourcing it
Cyber security is a core function, and providing it through contractual commitments has evidently not been effective
To say that modern life depends on being able to take our cyber infrastructure for granted is to state the obvious. The global outage of Windows-based systems for much of Friday shows that being obvious is no guarantee that systems and procedures will, in practice, be secure enough to be taken for granted.
We should be thankful that the malfunction resulted from a faulty update to cyber security software running on Microsoft Windows, rather than from a deliberate attack by a malicious actor. That in no way makes the disruption of vital services, ranging from airline and airport operations to hospital procedures, any less of a concern.
It is vital to understand what exactly happened, determine who is to be held accountable, and devise ways to prevent recurrence of such disruption.
What happened is straightforward enough. The fence ate the crop. CrowdStrike, the cyber security company whose Falcon software a great many organisations run on their Microsoft Windows machines to safeguard them from hacking, pushed out a faulty update to Falcon. The update crashed the Windows machines that received it, leading to the outage.
Organisations that run their operations on Windows, whether on their own machines or on Microsoft's Azure cloud platform, would look to Microsoft for redress for the disruption. Microsoft, in turn, would try to pass the damage claims on to CrowdStrike, whose faulty implementation of its security software update caused the disruption. Whether their mutual contract terms, and their agreements with their respective insurance providers, allow such damages to be recovered would be settled by complex litigation.
Prima facie, CrowdStrike's culpability is not in doubt. Any software update should first be tested on isolated networks and rolled out in stages, and only after it has been found to be sound should it be applied to the deployed, operational systems it is meant to protect. Microsoft, however, bears responsibility for the malfunction in a larger, economic sense.
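As an added illustration of the staged testing the previous paragraph calls for (this is not code from the editorial, nor from Microsoft or CrowdStrike), the following rollout gate promotes an update from a lab ring to a canary ring to production only while each ring's failure rate stays under its threshold. The ring names, thresholds and host boot reports are constructed for this example; a broken update stops in the lab and never reaches the fleet.

```python
"""Staged (ring-based) rollout gate for a security-agent update.

Added illustration; not code from the editorial, Microsoft or CrowdStrike.
Ring names, thresholds and host boot reports are constructed here.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class RingPolicy:
    """One rollout stage: the update may leave this ring only if it is healthy."""
    name: str
    max_failure_rate: float  # fraction of reporting hosts allowed to fail (0.0 = none)
    min_reports: int         # refuse to judge the ring on fewer reports than this


@dataclass
class RolloutResult:
    promoted: List[str] = field(default_factory=list)  # rings the update passed
    halted_at: Optional[str] = None                    # ring where it was stopped
    reason: str = ""


# A report is (host_id, booted_ok). False means the host did not come back
# after the update, e.g. it crash-looped. All reports here are constructed.
Report = Tuple[str, bool]


def ring_health(reports: List[Report]) -> Tuple[int, int]:
    """Return (failed_hosts, reporting_hosts) for one ring."""
    failed = sum(1 for _, ok in reports if not ok)
    return failed, len(reports)


def run_rollout(rings: List[RingPolicy],
                reports_by_ring: Dict[str, List[Report]]) -> RolloutResult:
    """Promote the update ring by ring, halting at the first unhealthy ring.

    An update that breaks hosts in the lab ring never reaches the canary ring,
    let alone production; that is the point of staging.
    """
    result = RolloutResult()
    for policy in rings:
        failed, total = ring_health(reports_by_ring.get(policy.name, []))
        if total < max(policy.min_reports, 1):
            result.halted_at = policy.name
            result.reason = f"{total} reports, need at least {policy.min_reports}"
            return result
        rate = failed / total
        if rate > policy.max_failure_rate:
            result.halted_at = policy.name
            result.reason = (f"failure rate {rate:.1%} exceeds "
                             f"{policy.max_failure_rate:.1%}")
            return result
        result.promoted.append(policy.name)
    return result


def constructed_reports(ring: str, hosts: int, failing: int) -> List[Report]:
    """Build `hosts` synthetic boot reports for a ring; the first `failing` failed."""
    return [(f"{ring}-{i:04d}", i >= failing) for i in range(hosts)]


# Lab machines first, a small canary slice next, the fleet last (constructed policy).
RINGS = [
    RingPolicy("lab", max_failure_rate=0.0, min_reports=5),
    RingPolicy("canary", max_failure_rate=0.01, min_reports=100),
    RingPolicy("production", max_failure_rate=0.01, min_reports=1000),
]

# A sound update: every lab host boots, one canary host out of 200 fails
# for an unrelated reason, production is clean.
GOOD_UPDATE = {
    "lab": constructed_reports("lab", 10, 0),
    "canary": constructed_reports("canary", 200, 1),
    "production": constructed_reports("production", 2000, 0),
}

# A broken update: every lab host crash-loops. Later rings never receive it,
# so they have no reports at all.
BAD_UPDATE = {
    "lab": constructed_reports("lab", 10, 10),
}


if __name__ == "__main__":
    for label, reports in (("good", GOOD_UPDATE), ("bad", BAD_UPDATE)):
        r = run_rollout(RINGS, reports)
        print(label, "promoted:", r.promoted, "halted at:", r.halted_at, r.reason)
```

The `min_reports` floor matters as much as the failure threshold: a ring with too few reporting hosts is treated as unproven rather than as healthy, so silence from a ring cannot be mistaken for success.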
Two Nobel prizes, one to Robert Coase in 1991 and the other to Oliver Williamson in 2009, have been awarded for coherent explanations of why firms exist, instead of individual economic agents interacting via the market to produce everything that firms produce.
Coase offered the insight that the transaction cost of accomplishing certain activities is lower when those activities are directly controlled by a firm than when they are accomplished via the market. Williamson added the refinement that the conflict resolution associated with performing certain activities is done more efficiently under the command structure of the firm than when the work is outsourced to a third party.
If these Nobel-prize-winning insights are of any value, Microsoft should be performing cyber security in-house instead of outsourcing it to a third party. Individual consumers are familiar with Windows Security and Microsoft Defender. Many consumers and organisations, instead of relying on the security these programs offer, end up buying and installing third-party security software, because the in-house offerings are not considered good enough.
This should change. Microsoft is best placed to understand the vulnerability of every chunk of its code and to devise ways to guard against its exploitation. If that means transforming Microsoft into a giant cyber security operation, in addition to whatever else it does, so be it.
That brings us to the insurance story. It is not obvious that current insurance arrangements would cover contingencies such as the cost imposed on clients by faulty implementation of cyber security. Cyber-attacks and the costs they impose are likely to be addressed in the policies held by individual clients of Microsoft, and in the agreement between Microsoft and CrowdStrike. Whether the language of those insurance terms covers damages arising from a faulty cyber security update is not something that can be taken for granted. The final payout by insurance companies, and the change in the cost of future insurance premia, would offer a good guide to the economics of taking cyber security inside the firm instead of outsourcing it.
Modern life is way too intertwined with and reliant on cyber infrastructure for us to have chinks in its security architecture. We should be able to take the security of our cyber infrastructure for granted.
As Microsoft suffers reputational damage, its competitors in the cloud services business will seek to take advantage. Whether Amazon Web Services, Google Cloud, Oracle Cloud and IBM Cloud, all American providers, OVHcloud, which is French, and Alibaba Cloud and Tencent Cloud, both Chinese, will see clients migrate from Microsoft remains to be seen.
It is vital that Microsoft announce short-term and long-term measures to prevent a recurrence of Friday's outage. For these to carry conviction, an approach of forgive and forget will not do. Accountability must be fixed, and action taken, visibly. Our modern, interconnected lives must not only have protection at every node, but also make that protection visible.
It's a fully alarming signal for the entire world. We are moving towards AI technology, and on the other side we are helpless. A backup, or plan B or plan C, must be ready as an instant solution.