It all started with a software update.
Microsoft’s “blue screen of death” upended government services and businesses across the country Friday, disrupting emergency call centers, banks, airlines and hospitals.
While Microsoft said a faulty software update from U.S. cybersecurity firm CrowdStrike was responsible for the major IT outage, the incident brought attention to just how big of a market share both companies have in their respective sectors.
“When we use all the same vendors, then these sorts of things can become more pronounced when they do happen,” said Dominic Sellitto, clinical assistant professor of management science and systems at the University at Buffalo School of Management in New York.
Why did the CrowdStrike outage happen?
A statement from CrowdStrike said the outage was caused by a defect in a content update to its “Falcon” cybersecurity defense software for Windows hosts.
Holiday deals: Shop this season’s top products and sales curated by our editors.
Computers with Mac and Linux operating systems were not impacted, and CrowdStrike said the incident was not caused by a cyberattack.
There’s always the potential for bugs or errors when new software is launched, but most times they’re small enough the end user is generally unaware, according to Tim Ehrenkaufer, assistant professor of aeronautical science at Embry-Riddle Aeronautical University in Florida.
The nation was certainly aware Friday – the glitch disrupted everything from 911 call centers to the Starbucks mobile app.
“As companies all over the world and governments and agencies and entities are reliant on single technology platforms, it does mean that these types of events are more and more and more painful,” Sellitto of the University at Buffalo said.
CrowdStrike, Microsoft market share
CrowdStrike is advertised as being used by more than half of Fortune 500 companies.
Meanwhile, Microsoft’s Windows is one of the most popular operating systems in the world, and the company provides an estimated 85% of the productivity software used by the federal government, according to statements from Rep. Bennie Thompson, D-Miss., during last month’s House Committee on Homeland Security.
“The issue we’re dealing with is that the world is complex and interdependent, and the fact is that the technology that we use is global,” said Scott White, an associate professor and director of the cybersecurity program and cyber academy at George Washington University in Washington, D.C. “We’ve become dependent on organizations like (Microsoft).”
CrowdStrike outage:Global tech outage hits airlines, banks, health care and public transit
Does Congress need to step in?
Within hours of the outage, some lawmakers and cybersecurity experts discussed whether Congress – or the Biden administration and the Department of Homeland Security – need to add more regulatory guardrails to make sure an outage of this magnitude doesn’t happen again.
Paul Rosenzweig, a former DHS deputy assistant secretary for policy, said the best response to Friday’s outage would be to require companies and governments to have redundant systems so they have a backup when their systems go down.
Asking companies to do that on their own would be prohibitively costly, Rosenzweig said, and few would do it. But it would be hard for Congress or the Biden administration to require them to without doing the same within the government, which would be time-consuming and astronomically expensive.
“It’s an interesting question,” said Rosenzweig, founder of Red Branch Consulting PLLC, a homeland security and cybersecurity consulting company. “The government can’t mandate people diversifying if it won’t do it itself ‒ and it’s the biggest, if not certainly one of the biggest (Microsoft) clients.”
But Rosenzweig also warned that Friday’s outage is likely to happen again, and possibly with more serious repercussions, so governments and the private sector need to be ready.
“They have to spend extra money” to build in better protection including backups, he said. “If companies aren’t going to do that, this will happen again, either by accident like this time or by malicious action.”
Other cybersecurity experts believe the system works as it is, and that CrowdStrike bears full responsibility for the outage in ways that wouldn’t be helped by additional government intervention.
“This incident appears to be a severe failure of quality control, not a malicious act,” cybersecurity strategist and former FBI counterintelligence official Eric O’Neill said of Friday’s paralysis. “While there will be damages assessed, regulation is unnecessary; the market will drive customers to other vendors or reassure them about CrowdStrike.”
O’Neill did say, however, better regulation of cybersecurity investment and best practices is critical because the U.S. government “has reacted poorly in this crucial arena of critical infrastructure.”
“If the U.S. government needs to bail out CrowdStrike, which I believe is too big to fail, then taxpayers will bear the burden,” O’Neill said.
‘Critical infrastructure and international partners’
In recent years, DHS and its Cybersecurity and Infrastructure Security Agency have worked to build out a network of public and private sector partnerships to help it respond to such global incidents, in the belief that the government cannot do it alone.
Educating the private sector and cybersecurity firms on what to do – and not to do – is a critical component of that, whether the problem is a cyberattack or a faulty cybersecurity update, CISA Director Jen Easterly told USA TODAY in a 2022 interview.
To that end, CISA on Friday said it was “aware of the widespread outage affecting Microsoft Windows hosts due to an issue with a recent CrowdStrike update and is working closely with CrowdStrike and federal, state, local, tribal and territorial partners, as well as critical infrastructure and international partners to assess impacts and support remediation efforts.”
CISA also warned its network of public and private partners it observed hackers and other “threat actors taking advantage of this incident for phishing and other malicious activity.”
Where do companies go from here?
CrowdStrike and Microsoft business clients may consider alternate vendors after the global outage, but that’s no solution to the crux of the issue, said Javad Abed, an expert in cybersecurity and data vulnerability and assistant professor at the Carey Business School at Johns Hopkins University in Baltimore.
“The CrowdStrike incident is a stark reminder that relying on a single cybersecurity tool, regardless of a vendor’s reputation, creates a dangerous single point of failure,” Abed said. “And implementing multiple layers with multiple vendors is crucial for business continuity and protecting critical operations.”
This sort of outage can happen to any vendor or company, Abed said, but it is largely preventable, and one of the fundamental principles of cybersecurity is redundancy.
Having redundancies in the infrastructure may be costly in the beginning, but would be an investment in maintaining the trust between the businesses and their customers, Abed said. Companies should also rethink their testing and how they release updates, he says.
It’s a wake-up call for cybersecurity companies to revise their procedures, Abed said.