After CrowdStrike, Programmers Deserve Consequences.

by: Ethan McCue

An Anesthesiologist can expect a salary of over $300k. This is because putting you to sleep for surgery is actually kinda risky. If they do their job wrong you die. Their salary reflects the fact that they take on much of the liability for that.

When a Structural Engineer finishes a design, they sign off on it. If something goes wrong with that structure due to their negligence, and it kills someone, that engineer might be on the hook for manslaughter.

Yesterday a friend of mine was stuck in the Hospital all day. Their computer system went down and that led to a delay of care. Delays in care kill people.

All over the world Hospitals, Airlines, Banks, etc. - critical infrastructure - were taken down by a bad patch in some random bit of software. This time it was CrowdStrike but let's be a hundred percent fucking real with ourselves it could have been anything.

It's an open secret that the entire software development field is a bit of a clusterfuck. Attempts to impose standards and restrictions largely fail. It is diminishingly rare to finish a project on budget, on time, and without defects. The education software developers receive is often woefully inadequate. The space is flooded with grifters, conpersons, imbeciles, and fanatics. We idolize and pray to emulate success stories like Facebook (a grand machine which reminds me of birthdays and drives teenagers to suicide.) It's just bad, man.

Software "Engineers" are never held personally accountable for the effects their actions have on the world. That poor bastard or bastard(s) at CrowdStrike weren't paid anesthesiologist rates and yet their mistake is going to kill a lot of people. I doubt they would have signed off on anything they'd done in the last decade as being "defect-free" and yet that is the standard we rightfully hold other fields to.

Something needs to change and I doubt anything other than real, uniformly applied, consequences will make a difference.

For a more intelligently spoken, less emotionally driven take on this, watch the David Sankel talk I embedded below.

EDIT

To clarify, I am not saying that an individual at the bottom of the chain of decision-making is materially responsible for this outage.

Based on the degree to which what was in my head was received as almost the opposite message by so many, I am pretty sure I wrote this poorly.

I think this reddit comment did a good job distilling something I wish I got across.

The reason why anesthesiologists and structural engineers can take responsibility for their work is because they are legally responsible for the consequences of their actions, specifically of things within their individual control. They are members of regulated, professional credentialing organisations (i.e., only a licensed 'professional engineer' can sign off certain things; only a board-certified anesthesiologist can perform on patients.) It has nothing to do with 'respect'.

Software developers as individuals should not be scapegoated in this Crowdstrike situation specifically because they are not licensed, there are no legal standards to be met for the title or the role, and therefore they are the 'peasants' (as the author calls them) who must do as they are told by the business.

And also this post I wrote and this one a reply down are at least a little clearer on where I think the blame lies for this particular outage.

I am not and wish I never came so close to implying that in this exact instance we should blame a coder for what was clearly a process issue.

It's just that even though we all know that not unit testing or performing QA is negligent behavior our field doesn't actually have any codes that are enforced by law.

The reason I implied that programmers should see consequences isn't because I misunderstood how development works or that CrowdStrike was largely caused by chains of terrible management. It's because without any codes similar to those fields we will never be taken seriously. My thought process was "if it matters, we will make codes. If we make codes then maybe we edge closer to being an actual engineering discipline."

And seriously watch the video I linked. It did a way less shitty job than I did.


Yeah I'm a demonstrably bad communicator.

I agree with everything you are saying and I think we agree on what the shape of things should be.

But I think without actual codes that you can hold someone to there is no basis upon which to punish a company for not following them.

Skipping past how we get from here to there, in a world where development of critical systems is regulated and folks are licensed as engineers there should be consequences if one of those licensed engineers is negligent.

But I fucked up hard by just saying programmers deserve consequences. People assumed I meant "yeah let's get the guy who did this!" I really mean "programmers deserve to live in the world where their actions are given weight and recognized as an engineering discipline with consequences for negligence all the way up the chain."
