More Frequent—and Disruptive—Tech Outages Are on the Way
Last July, one of the world’s largest cybersecurity firms, CrowdStrike, released a routine software update containing a bug that crashed 8.5 million computers worldwide. It was the largest IT outage in history, grounding 17,000 flights, preventing doctors from accessing medical records, interrupting 911 services and plunging broadcasters into blackouts. It compromised more than a quarter of Fortune 500 companies, causing more than US$5 billion in losses.
Such massive outages are rare. But smaller outages and data breaches—due to both accidents and malicious attacks—will happen more often in 2025, as companies increasingly rely on third-party software and suppliers. And those disruptions will occur almost instantaneously, with no warning.
The logic is simple: more complex systems contain more vulnerabilities. For example, software engineers today often rely on open-source code, which performs simple tasks like calculating time zone differences. The code is free and saves time. But it can also be buggy and plagued with compatibility problems, leading to accidental disruptions. This past March, a misconfiguration in OpenSSL—an open-source software library that encrypts a large volume of internet traffic—triggered crashes in web services and databases. It took days to patch the issue.
Intentional breaches are even scarier: attackers can take advantage of smaller, less secure suppliers to target bigger fish. In March of 2023, hackers linked to North Korea broke into communications software maker 3CX, whose clients include American Express, McDonald’s and Coca-Cola. They did so by compromising a stock-trading app called X_Trader, installed on a 3CX employee’s computer. From there the malware spread to the company and then to its unwitting clients. It happened again a few months later: hackers exposed the data of a payroll company called Zellis, which is used by companies including British Airways, Aer Lingus, the BBC and U.K. pharmacy chain Boots.
As software supply chains get more convoluted, keeping systems secure will also become more expensive. Between 2021 and 2023, Canadian companies’ spending on cybercrime doubled, from $600 million to $1.2 billion. Cybersecurity Ventures, a California-based research outfit, estimates that global cybercrime losses, including lost revenue, reputational damage and recovery costs, hit a new high of US$8 trillion in 2023. That’s expected to grow to $10.5 trillion this year. A large chunk of these losses comes from smaller-scale attacks. Though these don’t grab the headlines like major breaches, they’re just as alarming. Smaller systems, after all, are interconnected with larger ones.
Authorities are starting to understand the need for more robust security. U.S. government agencies are pushing for a software bill of materials to map out supply chains. This “ingredients list” would require companies to detail all the software in their systems, helping them track vulnerabilities in supply chains. The U.S. Cybersecurity and Infrastructure Security Agency now requires this for government contractors, and the EU is recommending a similar mandate for its critical infrastructure. Canada, however, lags behind its peers—our government has not yet adopted anything similar.
On the business side, the U.K.’s Cyber Essentials certification program has boosted cybersecurity standards for small and medium-sized businesses. Certification demonstrates to clients and others that the company takes security seriously. It also helps firms keep on top of evolving threats: certified companies have to implement firewalls, malware defences and other protections. Since its inception in 2014, over 132,000 certifications have been issued, including more than 40,000 in the past year. Canada’s CyberSecure certification, introduced in 2020, mirrors Cyber Essentials but has had much slower uptake. Only a few dozen certifications have been issued in the past few years.
In the future, cyberattacks on hospitals could disable life-saving equipment. Infrastructure breaches could bring transportation and electricity systems to a halt. Hacks targeting internet-of-things devices—gadgets and gizmos connected to the web—could expose our homes to breaches. In 2024, hackers gained control of robot vacuums in the U.S., shouting racial slurs through their speakers. CrowdStrike-scale outages are likely to remain rare, for now. But our systems are only growing more exposed.
Kami Vaniea is an associate professor of computer engineering at the University of Waterloo.