

The rising risk of digital monocultures
October 22, 2024
By Grace Coleman
Underwriter-International Financial Lines, AXA XL
Friday, July 19th, 2024, should have been a typical business day. Instead, people in companies worldwide encountered the dreaded “blue screen of death” on their computers. The situation quickly devolved into something straight out of a movie, as flights were grounded, payments stalled, and TV broadcasts silenced, leaving people and organisations in limbo.
The cause: a faulty software update to Crowdstrike’s Falcon platform, a widely used Endpoint Detection and Response (EDR) solution designed to protect organisations against a wide range of cyber threats. When the update was released, a minor defect in the code triggered a chain reaction that impacted IT systems and business operations worldwide. Ironically, the tool designed to protect endpoints crashed them instead. This also earned Crowdstrike the “Biggest Epic Fail” award at the DefCon conference a few weeks later.
The rise of digital monocultures
Environments dominated by a single species, technology, supplier or strategy are commonly referred to as monocultures. Our modern IT infrastructure, with its standardised hardware, software, and network configurations, has evolved into what some describe as a digital monoculture.
The commercial benefits of monocultures include cost savings, increased efficiency and more streamlined management. A uniform IT environment, for example, is easier and cheaper to manage than one with diverse systems. Updates, patches, and system monitoring can be centralised so IT staff don’t have to juggle diverse systems. Also, getting different systems, software, and applications to work together seamlessly (known as interoperability) is more readily achievable in monoculture-like IT environments. Finally, with standardisation, users don’t need to learn multiple platforms, which shortens training times and makes it easier for employees to adapt to new software updates or system changes.
However, monocultures are inherently less resilient. Lacking diversity and natural defences, a single threat or incident can have widespread and devastating effects. In the 19th century, for instance, a previously unknown species of potato blight, Phytophthora infestans, arrived in Ireland. Since all of Ireland’s potatoes were genetically similar, a classic monoculture, the disease spread quickly, decimating the country’s food supply and causing mass starvation.
Although mass starvation and business interruption losses are hardly equivalent, the Crowdstrike Falcon incident reinforced how a handful of software developers, cloud service providers, telecommunications networks, and data centres dominate today’s modern IT infrastructure. As in other monocultures, it also showed how a single flaw or threat can spread rapidly through uniform environments or systems.
IT monocultures are also more susceptible to cyberattacks. For instance, the 2017 WannaCry ransomware attack exploited a vulnerability in the Windows operating system. Because so many organisations used the same operating system version, the ransomware quickly infected hundreds of thousands of computers worldwide.
In other words, although today’s digital monoculture offers efficiency and predictability, it also comes with significant operational risk, including the potential for extensive losses when mistakes are made or threats are introduced.
An uncomfortable reality
This raises the question: Can companies today opt out of this digital monoculture? The short answer is “not really”. The major providers are firmly established, and given their scope and heft, a more diverse and resilient IT ecosystem is unlikely to emerge, at least in the short term.
This reality underscores the critical need to minimise and mitigate the threats. That could include, for instance, deploying a multi-cloud strategy where IT networks are distributed across vendors. Companies should also develop robust redundancy plans, including provisions for maintaining business continuity under various scenarios. Finally, a proactive approach to cybersecurity is not just a competitive advantage but a necessity; here are some suggestions for fostering an environment where cybersecurity is everyone’s responsibility and a routine part of everyday life.
Nonetheless, the risks inherent in a digital monoculture can’t be ignored and aren’t going away. The problem for re/insurers like AXA XL is that a widespread, immediate and catastrophic event could generate massive losses affecting entire re/insurance portfolios worldwide and destabilise individual countries' traditional insurance markets.
A possible solution: Federally backed insurance pools
Given this situation—embedded, systemic risk representing potential losses far exceeding available re/insurance capacity—some have proposed federally backed insurance pools as a potential remedy. As a 2022 report by the U.S. Government Accountability Office put it:
“In the event of a catastrophic cyber incident, the Federal Government could be called upon to stabilise the economy and aid recovery. Structuring that response before a catastrophic event occurs—rather than rushing to develop an aid package after the fact—could provide certainty to markets and make the nation more resilient.”
Such pools have already been implemented in several countries for risks including floods and earthquakes in the U.S., Japan and Mexico, terrorism in the UK, and nuclear energy in France. These structures have emerged in recent decades as an effective way to ensure sufficient resources are available to address high-impact claims and maintain stable insurance markets.
As with other insurance pools, spreading the financial burden would protect individual businesses and industry sectors from catastrophic losses and reduce the risks to the broader economy. Such a pool could also set requirements or incentivise organisations to adopt strong cybersecurity practices in exchange for coverage, improving overall cyber defence strategies and resilience across industries. For instance, Japan’s and Mexico’s earthquake pools have similar provisions; these have proven to be highly effective in helping maintain rigorous safety standards. Lastly, a federal pool could expedite financial relief after significant cyber incidents and help affected businesses return to normal operations quickly.
These benefits, however, are countered by several disadvantages and obstacles, particularly moral hazard. Individual companies might be less incentivised to invest in cybersecurity if they have a government-backed safety net. Similarly, major technology providers’ quality control programs could become less rigorous.
Another equally prominent issue is that taxpayer funds ultimately would be needed to establish and maintain the pool. If claims from cyber incidents are exceptionally high, the burden on federal budgets could increase, especially if the frequency or severity of cyberattacks continues to rise.
Additionally, creating and managing such a pool would involve significant regulatory and administrative challenges. Determining who qualifies for coverage, what types of incidents are covered, and how payouts are handled would be complex. Different industries have varying levels of cyber risk, and tailoring the coverages to account for these differences could be difficult. Fraud detection and prevention mechanisms would also be needed, but these are often costly and challenging to implement.
The time is now
Our experiences with earthquakes, hurricanes/typhoons, and other natural disasters indicate that public-private partnerships—where governments provide financial resources and oversight, and the private sector brings technical underwriting and claims management expertise—can effectively limit losses and speed recovery efforts.
Like natural disasters, massively disruptive cyber incidents are becoming more frequent and severe. Moreover, given the monoculture-like characteristics of our modern IT infrastructure, this trend isn’t likely to abate. Thus, perhaps the time has come to discuss creating federally backed insurance pools or similar structures to minimise and mitigate the risks. Although the challenges and obstacles are daunting, as outlined above, starting to plan now is preferable to hastily developing a solution in the aftermath of the next major incident.
About the author:
Grace Coleman is a Cyber Underwriter with AXA XL’s Financial Lines team in Australia. Her work on “The Risk of Digital Monocultures” has earned Grace the APIG Wotton + Kearney scholarship, which supports the development of young professionals practising in professional indemnity and financial lines insurance in Australia.