The recent chaos caused by a faulty software update from cybersecurity firm CrowdStrike was a warning that the world’s technological infrastructure may be a tad more fragile than we’d been led to believe. Business was disrupted, people were inconvenienced, and billions of dollars in damages were suffered because of the screw-up. Delta Air Lines, Microsoft, and CrowdStrike are only a few of the companies pointing fingers at each other and getting ready for courtroom battles. But it appears that, yet again, government regulation made a bad situation even worse.
It Started With an E.U.-Imposed Settlement
Early stories about the worldwide outage revealed a glimpse of the problem.
“CrowdStrike’s bug was so devastating because its security software, called Falcon, runs at the most central level of Windows, the kernel, so when an update to Falcon caused it to crash, it also took out the brains of the operating system,” The Wall Street Journal‘s Tom Dotan and Robert McMillan reported July 21. “A Microsoft spokesman said it cannot legally wall off its operating system in the same way Apple does because of an understanding it reached with the European Commission following a complaint. In 2009, Microsoft agreed it would give makers of security software the same level of access to Windows that Microsoft gets.”
That agreement resulted from European Union (E.U.) concerns that Microsoft was stifling rivals by limiting the interoperability of its software with systems produced by other companies. The E.U. imposed a hefty €497 million fine in 2004 and then continued its pressure on the company to ease access to its systems.
“On the basis of market test results, we have serious doubts that Microsoft is complying with the interoperability remedy,” then–E.U. competition spokesman Jonathan Todd told the Irish Times in 2005.
After continued wrangling, Microsoft reached an interoperability agreement with the E.U. in 2009. Among other provisions, Microsoft guaranteed that “third-party security software products” would have the same access to its operating system as its own security products. That’s handy for competing companies, but potentially dangerous. “Any error at the kernel level could potentially disable any operating system, that’s why Apple locked macOS and stopped giving developers access to its kernels,” Jowi Morales emphasized for Tom’s Hardware.
In fact, notes TechRadar‘s Craig Hale, “Apple has been restricting developers from kernel-level access to its OSs since 2020. Google is also not bound by similar regulations.”
For its part, an E.U. spokesman countered, “Microsoft is free to decide on its business model. It is for Microsoft to adapt its security infrastructure to respond to threats in line with EU competition law.”
Yes, well, “in line with EU competition law” may be the issue if it compromises security. But that was an agreement with the European Union. Why would it cause global problems?
The Brussels Effect Regulates the World
An agreement with the European Union affected the entire world because of something called “the Brussels Effect.” It’s a result of a large jurisdiction with economic clout and a tendency to meddle imposing rules that become defaults for everybody because it’s just easier to abide by the most restrictive standard than to craft different products and services for less-regulated markets.
“The Brussels Effect refers to the EU’s unilateral power to regulate global markets,” wrote Columbia Law School’s Anu Bradford, author of The Brussels Effect: How the European Union Rules the World (2019). “The EU does not need to impose its standards coercively on anyone—market forces alone are often sufficient to convert the EU standard into the global standard as multinational companies voluntarily extend the EU rule to govern their global operations.”
In the case of a security weakness turned into a mandatory feature, the E.U., governed from Brussels, effectively imposed its preferences on the entire planet.
“As the issue with CrowdStrike shows, the impact of European regulation is no longer isolated to just Europe,” the Cato Institute’s Jennifer Huddleston wrote this week. “As with many regulatory compliance requirements, it may not be technologically or economically feasible to simply offer a different product in Europe.”
Huddleston points out that the effects of European regulations have already shown up in small ways that are usually little noticed by consumers, such as the redesign of Apple’s charging cords to use USB-C ports. That might or might not benefit the public—if they had clamored for it, the company likely would have responded accordingly. But this was a politically driven change.
Of course, if Apple has to redesign charging cords to please European regulators, it might also lose its security advantage over Microsoft if forced into a similar interoperability agreement. Then both companies would be left with exactly as much protection against buggy software updates as is permitted “in line with EU competition law.”
American Regulators Work Hand-in-Hand With Brussels
Worse, notes Huddleston, “some American regulators like the Federal Trade Commission are actively working with EU bureaucrats to regulate US companies.” If the Federal Trade Commission doesn’t have the authority to impose certain rules on American businesses, it will ask its E.U. counterparts to do so. Then the regulations will flow back to the U.S. courtesy of the Brussels Effect.
Federal Trade Commission Chair Lina Khan’s “foreign collusion came up during a House hearing on Tuesday when she was grilled about recent revelations that her office is helping Europe target U.S. tech companies,” The Wall Street Journal editorial board warned last year.
The end result is something approaching a global regulatory regime as dictated by European Union bureaucrats. Europe’s rules become the default for the planet not because they make sense, but because they’re the most restrictive and so will pass muster everywhere.
None of this gives CrowdStrike a pass on its truly mind-boggling software update fumble. There’s a good reason why people are lining up to sue the company for the harm its failure caused.
But the fallout from one company’s serious error might have been limited if Microsoft hadn’t been forced to compromise security by meddling bureaucrats who didn’t understand what they were doing. It’s fair to assume this won’t be the last bad outcome of intrusive regulators and the Brussels Effect.
The post E.U. Regulations Made the CrowdStrike Fiasco Much Worse appeared first on Reason.com.