Global IT meltdown raises profound moral questions about future threats in the digital world

On Friday we all woke up to one of the largest IT failures in the history of computing. Whilst a catastrophe of this magnitude was something of an inevitability in a world so heavily reliant on the microchip, the big surprise was that this was no expected sinister cyberattack but rather what seems to be a human failure to conduct a basic job of work correctly.

At the heart of the disaster was cyber security software company CrowdStrike, an American technology company based in Austin, Texas that provides cloud workload protection and endpoint security, threat intelligence, and cyberattack response services.

The company says that it was “founded in 2011 to fix a fundamental problem: The sophisticated attacks that were forcing the world’s leading businesses into the headlines could not be solved with existing malware-based defenses … a brand new approach was needed — one that combines the most advanced endpoint protection with expert intelligence to pinpoint the adversaries perpetrating the attacks, not just the malware”.

By this year it had an incoming revenue stream in excess of $3 billion, and currently employs more than 8,000 IT workers. Its software and digital protection systems were regarded as profoundly robust and are in use around the globe across a vastly diverse range of industries and services – from small businesses to multi-national corporations and vital state infrastructures.

The problem with its software surfaced initially on Thursday night across Australia, as businesses and workers arrived at work in the morning, switched on their computer systems and were greeted with the dreaded ‘blue screen of death’ (BSOD) – a state where a computer tries to fire up but experiences some difficulty in reading its critical software, and slumps into an endless search loop trying to find the missing data.

As Thursday rolled into Friday, it became evident very quickly that this was no local incident, but rather a global failure as airlines, railways, banks, retailers, broadcasters, hospitals, local doctors’ surgeries and all manner of internet-reliant businesses crashed into the dreaded blue oblivion.

Tesla and X boss Elon Musk summed it up when he said simply that this was the “biggest tech fail ever”. There have been other large-scale outages – the NHS cyberattack of 2017 and the Facebook crash of 2021 – but this incident has affected many more computers and businesses around the world and may take some time to rectify, at a frighteningly unknown cost.

As the world has started piecing itself back together, there have been global sighs of relief that this catastrophe was the result of a human error in the programming and implementation of a relatively minor overnight update to CrowdStrike and not a malicious cyberattack from some foreign agency or government. However, that threat’s only around the corner and this week’s chaos ought to serve as an early warning of more digital disruption to come, as cyber warfare increasingly becomes the weapon of choice with which to destabilise and dismantle your enemies.

As far back as 2007 Estonia was hit by pro-Russian attackers who crippled government servers, and in 2016 Russian hackers were also blamed for an attack on Ukraine’s national power grid that left swathes of the country in blackout and power workers unable to control their own computers. Even more seriously, in 2011 a malicious ‘worm’ called Stuxnet, developed jointly by the USA and Israel, found its way into Iran’s nuclear infrastructure, penetrating critical systems at the country’s Bushehr nuclear plant. Spread via Microsoft Windows, and targeting Siemens industrial control systems, Stuxnet has the capacity to disable nuclear control systems and send centrifuges spinning out of control, causing reactor meltdown and an explosion similar in scale to the Chernobyl disaster.

Such extreme and militarily focussed cyber warfare tactics are not only extremely difficult to control but their consequences have the capacity to make the planet all but uninhabitable, so strategists are increasingly turning their focus to cyber methods that dismantle and destroy the infrastructures upon which nations depend, but effectively leave the physical landscape unaffected.

As we have seen over the past 48 hours, even the most basic of incursions into the global economic infrastructure can very rapidly bring all kinds of organisations to breaking point. This is particularly so given the increasing reliance of society on digital technology for meeting even the most basic of needs.

Looking ahead, we are creating a model of society where states, organisations and commercial companies are going to be able to know pretty much everything about us and our interactive habits, and will aim to meet all our needs through digital means. For our part we will be required to consent to this absolute invisible awareness of our human lives in return for our carefully controlled curation by anonymous organisations that will exist to us in name and pin number only. This may sound like so much science fiction, but we are there already. The bigger question is whether or not God intended that we run his world in this manner.

A key moral dilemma that we’re already having to consider is how we respond when cyber agencies attack, and everything we know as the social order comes tumbling down. This will become especially relevant as we move away from the destructive waste and economic inefficiency of physical weapons of war, and blunder into the world of cyber-retaliation.

The early signals are not very encouraging. The UK’s 2021 Strategic Defence Review included mention of the creation of a National Cyber Force tasked with developing responses to future cyberattacks, but one of their options included responding with Trident nuclear weapons. It says Britain would “reserve the right” to use nuclear weapons to counter “weapons of mass destruction”, including “emerging technologies that could have a comparable impact” to chemical or biological weapons. Admittedly this document came at the height of the Boris Johnson era, when the then Prime Minister was busily unpicking the 30 years of hard-fought-for and won disarmament since the end of the Cold War.

At the time Mr Johnson came under heavy criticism from the then Labour leader Sir Keir Starmer, who accused the government of abandoning previous pledges made by a succession of governments to reduce the nuclear stockpile.

“This review breaks the goal of successive prime ministers and cross-party efforts to reduce our nuclear stockpile. It doesn’t explain when, why, or for what strategic purpose,” the Labour leader told the Commons.

Sadly time changes things and now in power, Mr Starmer’s position on nuclear deterrence has shifted dangerously. On 3rd June he set out our new government’s defence plans and was resolute that he would be prepared to resort to nuclear weapons to defend the UK.

“Security will always come first” said Starmer, and he not only claimed his party has left behind Jeremy Corbyn’s opposition to the renewal of the Trident nuclear weapons system, but is intending to increase defence spending and will update and expand our nuclear arsenal.

Whilst much of this is clouded in rhetoric and global powerplay, there is a serious moral question about what might constitute a legitimate response to an attack on a nation or group of nations from a cyber enemy. The millennia-old framework of Just War has established a range of proportional military response options to physical threats – but building a cyber war theory into this framework is fraught with difficulties, especially given the uncertain and ambiguous nature of the threat imposed by a cyber attack.

For some theologians, little changes – cyberwarfare is just a new type of threat that can be dealt with sufficiently by existing Just War principles; others believe that cyber warfare is a far more complex moral issue and therefore an entirely new response framework is needed. In this scenario cyber attacks are not regarded as ‘first strike’ incidents that morally justify an immediate and proportional response, rather they are ongoing acts of espionage that are not captured by Just War theory. As such they are fundamentally different from physical force, and some radical theologians even define cyber attacks as an ‘alternative’ to physical violence.

However, cyber attacks can cause physical violence and harm to individuals, and it might even be argued that this is part of their design and intent. The creators of malicious software know only too well that even something as innocuous as disabling an electricity grid can easily result in loss of life – through accidents caused, misdemeanours, the loss of life-supporting equipment – so from a moral perspective death caused by cyber attack is not coincidental, but is a clear and likely consequence. In terms of Just War theory such attacks can therefore reasonably be categorised as intentions to cause physical violence or harm.

The far harder issue is how to respond to such scenarios, as even cyber retaliation contains within it the same moral and physical consequences as an attack with conventional weapons. Cyber aggression and its response are grave moral matters and therefore they need to be treated with exactly the same extreme caution, care – and above all restraint – that we give to the use of the conventional weapons of war.

We must also caution governments that their first priority is actually the defence of the human person and never retaliation or the accumulation of weapons of any kind, and we must demand that they first pursue with every sinew and argument the path to peace, and the common good of all humanity.

Joseph Kelly is a Catholic publisher and theologian