Crowdstrike outage highlights the issue of single-point failure in global software.

• The CrowdStrike software bug that caused a global IT infrastructure outage revealed a single-point-of-failure risk that was not linked to a malicious cyberattack.
• The likelihood of technical outages and cyberattacks is rising, and the market must improve its competitive practices, according to national and cybersecurity experts.
• New software update and patch regulations may be considered by the government.

The rise in large-scale attacks on corporate enterprise IT is not surprising, given the heavy investment in cyber defense by companies in an uneven battle against hackers who can cause significant damage with minimal effort.

The largest IT outage ever on Friday, resulting from a CrowdStrike software bug being uploaded to Microsoft operating systems, highlights a type of tech threat that has been increasing alongside hacks but gets less attention: the single-point failure, where an error in one part of a system creates a technical disaster across industries, functions, and interconnected communications networks, resulting in a massive domino effect.

This year, AT&T experienced a nationwide outage due to a technical update. Last year, the FAA had an outage caused by a single person replacing a critical file in a route update. Now, the FAA has implemented a backup system to prevent such incidents from happening again.

On Friday, Chad Sweet, CEO of The Chertoff Group and former DHS Chief of Staff, informed CNBC that even routine patching and updates occur more frequently.

Companies must plan for and protect against single-point failure risk management, as no software release is immune to needing patches or updates, and best security practices exist for ongoing software maintenance, according to Sweet.

The Chertoff Group's clients are closely examining software development and update standards following the CrowdStrike outage. Sweet suggested utilizing the SSDF (Secure Software Development Framework) provided by the government as a potential guide for the market. This recommendation comes after a series of incidents, including those affecting AT&T, the FAA, and CrowdStrike, which have demonstrated the widespread impact of technical failures on citizens and critical infrastructure operations.

"Get ready on the corporate side," Sweet said.

Aneesh Chopra, Arcadia chief strategy officer and former White House chief technology officer, stated on CNBC on Friday that critical sectors such as energy, banking, health care, and airlines have distinct regulations governing risk, and measures may differ in the most regulated sectors. However, for any business leader, the question now is, "What is plan B if systems go down? We will witness an increase in scenario planning, and if this is not the top priority, it should be either Job No. 2 or 3 to have those scenarios outlined," he said.

While many issues in D.C. are often contentious, Chopra pointed out that there is a bipartisan commitment to addressing critical infrastructure and systemic risk. Technical standards are a key component of the U.S. system, and efforts are being made to improve competition as a way to enhance accountability.

Chopra stated that if there is a mechanism to update in a more open and competitive way, there might be pressure to ensure that it is done in a manner that has all i's and t's dotted and crossed.

CrowdStrike's failure to detect the single-point failure in the DNC hack could lead to concerns about overregulation in the business world, said Sweet. While it is impossible to determine if CrowdStrike could have operated with a more open process, it is a valid question to ask.

According to Sweet, the best way to avoid overregulation is to rely on market-reinforcing mechanisms, such as the insurance industry, which will reward good actors with lower premiums.

Sweet advised that companies should adopt the concept of "anti-fragile" organizations, as he does with his clients, which refers to organizations that not only recover from disruptions but also innovate and outperform their competitors. He believes that any single legislation or regulation would struggle to keep up with both malicious attacks and unintended technical updates.

"It's a wakeup call for sure," Chopra said.