After Boeing and its litany of difficulties, another major American company is in the hot seat: Microsoft. The giant computer failure that hit it on Friday, July 19 affected companies and public administrations using the Windows system in many countries (United States, France, United Kingdom, Japan, Australia, etc.). Transport, media, hospitals and many financial markets were also affected. In reality, the responsibility for the failure lies mainly with CrowdStrike, a Microsoft supplier specializing in cybersecurity.
A first reaction would be caution. After all, digital technology – which is perhaps an opportunity, given that AI is fueling so many fears of seeing the human factor sidelined – also has its weaknesses, and it is not surprising that malfunctions can occur.
In this case, however, there was no shortage of warning signs. For example, the American Cyber Safety Review Board (CSRB) has repeatedly drawn attention to the security flaws to which users of certain Microsoft services were exposed. This was particularly the case last April when this American government body issued a critical report on the Exchange Online cybersecurity incidents in 2023. Microsoft did not deny them and promised to deal with them diligently. In France, too, concerns have been expressed, for example by IncertFrance, which estimated that the Redmond firm’s operating system could constitute a major point of vulnerability for its users.
While there is no need to emphasize that online security is an absolute necessity (economic, political and social), the real question is how providers of digital goods and services can protect themselves from such blunders. Two avenues should be favored.
“Diversify suppliers”
First, work is needed to secure hardware and services at the design stage (“security by design”). Microsoft has made no secret of the fact that the July 19 outage was not the result of a deliberate computer attack (hacking) but rather of a traditional product update. It is therefore essential that digital products and services provided to public and private actors undergo a rigorous initial security check, which can then be supplemented throughout the product’s life cycle.
Above all, risk reduction requires major public and private buyers to diversify their suppliers. Whether it is the war in Ukraine and Russian gas, the conflict over Taiwan and electronic chips, or more broadly the “reshoring” that is disrupting value chains, geoeconomics is now driven by the need not to, as the saying goes, “put all your eggs in one basket”. The outage that affected Windows attests, if proof were needed, that digital technology is and will be no exception, even though AI is experiencing extremely rapid developments that the authorities are trying to understand (such as the partnership with OpenAI). Diversifying suppliers must therefore be a priority for buyers, for their own security and, when it comes to public administrations, also for the sake of public funds, as the Court of Auditors recalled in its April 2024 report on the digital transformation of the State. But they still need to have the choice. Public regulation has an essential role to play in this area: upstream, by defining strict standards intended to guarantee the greatest interoperability between ecosystems; downstream, when these standards are not sufficient or are circumvented, through competition law.
Recent news confirms, if confirmation were needed, that competition authorities will have a key role to play. Microsoft, in fact, has just concluded an agreement with CISPE (Cloud Infrastructure Services Providers in Europe), an association of cloud users in Europe. CISPE has agreed to withdraw its complaint to the European competition authority, in which Microsoft was accused of making it difficult for its cloud customers to join other providers. A similar agreement was signed with OVHcloud. As a new Commission is about to take office, one thing is clear: in terms of digital security, European regulation has some great challenges ahead of it.
*Bruno Alomar, author of “Reform or Insignificance: 10 Years to Save the European Union” (Ed. Ecole de Guerre), worked at the Directorate-General for Competition of the European Commission.