I started writing about something in the comment section, but I decided it’s relevant enough to make it an article.
The CrowdStrike event looks like a very mild example of something I’ve been worrying about for years, namely a widespread systemic persistent IT outage that puts payment systems worldwide out of commission.
Basically, everybody is using digital payment for everything these days, so what happens if it all goes out for some reason? Oh, you’ll use cash. You mean, the ATM is going to work? No it isn’t. You mean, you have cash and will just use it? You mean, the cash register computer will not be afflicted, and the cashier will be willing to take your money without the ability to print out the invoice and register the transaction? Or will all the stores close until this is dealt with? In which case you will have to rely on whatever food and hygienic/medical supplies you have at your place, because you’ve been prepping? Oh wait, you’ve been prepping but since nothing happened you just consumed all the stuff and there isn’t any now? Yeah, that.
I mean, the first level of preparing for an IT outage is to have an air-gapped spare laptop stashed in some drawer, with Linux/Windows dual boot in case one of those two is the cause of failure, but the next question is, what do you connect to, if the cause of the problem is general, so the telecoms are down, banks are down, online services are down, AWS/Azure can’t process your credit card so it locks you out of your servers, GoDaddy is down so you can’t transfer your domains somewhere out of the afflicted area, or DNS is down so you can’t reach anything, or the satellites are down so Starlink doesn’t work. And let’s say it’s something really major so the consequences take so long to clear, there’s serious breakdown of services everywhere.
The first answer everybody has to this is something along the lines of “it’s unlikely that all the computer systems will go out at once”. True, it’s unlikely, but it was also previously unseen that all the enterprise win10 machines go out at once and half the world gets instantly paralyzed. Those machines aren’t independent. Microsoft enforces push updates, and the big corporations have unified IT policies which means they all enforce updates to all their machines. Also, everybody seems to run Windows, which means it’s no longer necessary for an attack vector or a blunder to target billions of computers independently, because it’s a single failure that can propagate from a single point and instantly take down enough of the network that the rest have nothing to connect to.
Also, there have recently been revelations that OpenSSL had severe vulnerabilities. The vast majority of Internet infrastructure uses OpenSSL. A systemic vulnerability that can be targeted everywhere means… you tell me.
Someone will say that people would adapt, and my answer is, what does that even mean? Every single store I’ve been in for the last decade or so uses bar-code readers to scan items, and then the computer pulls out the item data, most notably the price, from the database, so that the cashier can charge you. More recently, all those computers are required to connect to the state tax service where every bill needs to be “fiscalised” for taxation purposes. If Internet fails, the cash register can’t “fiscalise” bills and that’s going to be a problem. If the cash register is out because it’s always a Windows machine and you saw what can happen to those, and it’s connected to the Internet or the “fiscalisation” won’t work, the cashier won’t be able to tell how much the item you want to purchase costs and thus won’t be able to charge you. They don’t have prices on items anymore, like they did in the ‘80s. Everything is in the database.
Some say, run Linux, or buy a Mac. Great, but it doesn’t actually solve anything, because if every Enterprise and most smaller companies run everything on Windows, and those computers all bluescreen, what are you going to connect to, with your Linux PC? How does your computer even matter if you go to a store and you can’t buy anything, and how does it matter if you try to go online and most of everything is down, because OpenSSL has been attacked by something that gets root permissions on your computer and encrypts its filesystem?
I’ve been recently thinking that Internet isn’t so much a framework for connecting computers, but really a separate plane of existence. When I’m using my computer, I’m not really on an island in Croatia, I’m on the Internet. Imagine all the beings that exist in the physical world, but without an Internet connection, like trees, birds, cats and so on. In order to interact with them or even perceive them, you need to switch planes of existence, between physical world and the Internet. However, some aspects of the physical world, like our civilization for instance, have been abstracted into the Internet to such a degree that you can’t even use them anymore if you don’t have access to all kinds of Internet-based infrastructure, which is not currently perceived as a problem, but might become one really fast if something fundamental breaks down with the Internet.
Also, if a nefarious government or a corporation wants to lock you out of the Internet for “non-compliance”, you are really fucked, which makes it a really big sword of Damocles hanging over our heads, forcing everybody to be good and obedient slaves.