
The post pushes the view that CrowdStrike's engineers should be held responsible. That's one way of looking at it.

But there is an entire chain of responsibility here. The hospital IT department that chose to use a computer instead of dumber technologies. The IT department that chose to run Windows. The security team that chose to purchase CrowdStrike's software, possibly without vetting them.

If a software's license has clear terms stating that there is no warranty, and the buyer buys it anyway, why shouldn't this be a caveat emptor situation? If they didn't like it, they could negotiate indemnity clauses, go to a competitor, or not use the software at all.

Don't get me wrong, I absolutely think that CrowdStrike did a shitty thing. But maybe they already disclosed that in their license agreement, and the purchasers decided to overlook that to their own peril. After all, running kernel-mode software is equivalent to handing over the keys to your computers. Maybe negotiating/selling software with liability clauses should be more normalized?



We need more whistle blower protections.

Not only protections, but financial incentives. As a society and civilization, we can't depend on accidental heroes to be the ones that safeguard and correct the course of the entire group. Especially when we idolize money and power, and have a workforce that is manipulated across so many dimensions (healthcare, non-competes, historical admissions, union/anti-union, gig-economy, salary/hourly).


> We need more whistle blower protections.

Fully true. But working against that is a human trend so entrenched it isn't discussed.

No one anywhere wants to clean their own house.


We will then have fraudulent whistle blowing lol


Imagine, to use the article's example, an anesthesiologist making you sign a ToS that says they're not responsible if they fuck up. It would not be enforceable. Licenses and terms aren't blanket protections.

At some point, some rep came and sold software to customers engaged in business that their license stated their software was not fit for.


The error is on the individual IT departments that allowed CrowdStrike DIRECT access to their systems without checks and balances. Had they just delayed the update by 1 day, they would not have been affected. Clearly the CIO allowed an external company to have the power to flip the off switch. Then again, we now see the wisdom of Xi and Putin. Diversity is good!



