Global IT Outage Live Updates: Microsoft and CrowdStrike Issues Affect Flights and Businesses
A flawed software update sent out by a little-known cybersecurity company caused major computer outages around the world on Friday, affecting airlines, hospitals, emergency responders and scores of other businesses and services. How could that happen?
The chaos stemmed from an update sent by CrowdStrike, a cybersecurity company based in Austin, Texas, to businesses that use its software to protect against hackers and online intruders. But when CrowdStrike’s new code reached computers that run Microsoft Windows software, the machines began to crash.
The fallout was immediate and harmful. CrowdStrike and Microsoft underpin many major businesses. Airlines canceled flights and airports fell into chaos in the United States, Europe and Asia. In the United States, operators of 911 lines in multiple states could not respond to emergencies. Parts of Britain’s National Health Service reported problems. New driver’s licenses could not be issued in some areas. Some television broadcasters could not go on the air.
The cascading effects highlighted the world’s reliance on Microsoft and a handful of cybersecurity firms like CrowdStrike that provide the world’s technological backbone. When a single flawed piece of software is released over the internet, it can almost instantly damage countless companies and organizations that depend on those software providers to conduct everyday business.
“This is a very, very uncomfortable illustration of the fragility of the world’s core internet infrastructure,” said Ciaran Martin, the former chief executive of Britain’s National Cyber Security Center and a professor at the Blavatnik School of Government at Oxford University.
A cyberattack did not cause the widespread outage, but the issues on Friday raised broader questions about what repercussions software firms should face when flaws in their code cause major disruptions.
George Kurtz, CrowdStrike’s chief executive, said that the company took responsibility for the mistake and that a software fix had been released. He warned that it could be some time before everything was restored and tech systems returned to normal.
“We’re deeply sorry for the impact that we’ve caused to customers, to travelers, to anyone affected by this,” Mr. Kurtz said in an interview on Friday on NBC’s “Today” show.
Microsoft blamed CrowdStrike for the problem and said it expected that “a resolution is forthcoming.” Apple and Linux machines were not affected by the flawed CrowdStrike software.
How quickly such a fix can be implemented remains an open question because of the number of computers that have been affected.
The issues appeared to originate with an update to CrowdStrike software called Falcon Sensor, said Lukasz Olejnik, an independent cybersecurity researcher and consultant. Falcon Sensor scans a computer for intrusions and signs of hacking.
Mr. Olejnik said outages would probably take time to resolve because the suggested solution involved rebooting each computer manually into safe mode, deleting a specific file and then restarting the computer. While it is a relatively straightforward process, security experts say, it may not be easy to automate at scale. Those with organized and well-staffed information technology teams could potentially fix the issues more quickly, Mr. Olejnik said.
Unlike the iPhone software updates that Apple sends to customers, the incident involved background information technology systems that businesses use but that people typically don’t see. Companies rely on many other companies to make the software that underpins their operations.
A major problem with the CrowdStrike issues was that the software being updated performed critical cybersecurity tasks, giving it access to scan a computer to look for viruses and other malicious attacks.
“One of the tricky parts of security software is it needs to have absolute privileges over your entire computer in order to do its job,” said Thomas Parenty, a cybersecurity consultant and a former U.S. National Security Agency analyst.
“So if there’s something wrong with it, the consequences are vastly greater than if your spreadsheet doesn’t work,” he added.
The CrowdStrike flaw was not the only problem facing Microsoft. On Thursday, some Microsoft clients in the central United States, including some airlines, were affected by an outage on its cloud service system, Azure. Microsoft’s cloud service status page indicated that it had identified a preliminary cause, though some users may still be unable to access certain Microsoft 365 apps and services, including Teams video conferencing.
Microsoft said that the issue was not related to the CrowdStrike outage, but that it was “working to restore services for those still experiencing disruptions as quickly as possible.”
The outages underscored an uncomfortable reality that software companies face few liabilities for major disruptions and cybersecurity incidents. The economic and legal penalties for such significant outages can be so minimal that companies are not motivated to make more fundamental changes. While a car manufacturer would face stiff penalties for faulty brakes, a software provider can often issue another update and move on.
“Until software companies have to pay a price for faulty products, we will be no safer tomorrow than we are today,” Mr. Parenty said.