CrowdStrike failure highlights vulnerability of globally connected technology

Airlines, banks, hospitals and other risk-averse organizations around the world have chosen cybersecurity company CrowdStrike to protect their computer systems from hackers and data breaches.

But all it took was one faulty software update for CrowdStrike to cause global disruptions on Friday, grounding flights, taking banks and media offline, and disrupting hospitals, stores and other services.

“This is a function of the very homogeneous technology that is the backbone of all of our IT infrastructure,” said Gregory Falco, an assistant professor of engineering at Cornell University. “What really creates this mess is that we rely on very few companies, and everyone uses the same people, so everyone goes down at the same time.”

According to CrowdStrike, the issue with the update CrowdStrike released that affects computers running Microsoft’s Windows operating system is not a hacking incident or cyberattack. CrowdStrike apologized and said a fix is ​​underway.

But it wasn’t an easy fix. It took “boots on the ground” to fix it, said Gartner analyst Eric Grenier.

“The solution works, it’s just a very manual process and there’s no magic key to unlock it,” Grenier said. “I think that’s probably where companies struggle the most.”

While not everyone is a customer of CrowdStrike and its Falcon platform, it is one of the leading cybersecurity providers, particularly in transportation, healthcare, banking and other industries that have a vested interest in keeping their computer systems running.

“They tend to be risk-averse organizations that don’t want something that’s crazy innovative, but that can work and also cover their ass if something goes wrong. That’s CrowdStrike,” Falco said. “And they look at their peers in other industries and say, ‘Oh, you know, this company is using that, so I’m going to need them too.'”

Worrying about the fragility of a globally connected technological ecosystem is nothing new. It was what fueled fears in the 1990s that a technological glitch could unleash chaos at the turn of the millennium.

“This is basically what we were all worried about with Y2K, except this time it actually happened,” Australian cybersecurity consultant Troy Hunt wrote on the social platform X.

On Friday, affected computers around the world displayed the “blue screen of death,” a sign that something was wrong with Microsoft’s Windows operating system.

But what’s different now is that “these companies are even more entrenched,” Falco said. “We like to think we have a lot of players available. But at the end of the day, the biggest companies are all using the same stuff.”

Founded in 2011 and publicly traded since 2019, CrowdStrike describes itself in its annual report to financial regulators as “reinventing cybersecurity for the cloud era and transforming how cybersecurity is delivered and experienced by customers.” It emphasizes the use of artificial intelligence to keep pace with adversaries. It reported 29,000 subscribers at the start of the year.

The Austin, Texas-based company is one of the most visible cybersecurity firms in the world, spending heavily on marketing, including Super Bowl ads. At cybersecurity conferences, it has become known for large booths featuring oversized action figures representing various state-sponsored hacking groups that CrowdStrike technology promises to protect against.

CrowdStrike CEO George Kurtz is among the highest paid in the world, with total compensation of more than $230 million over the past three years. Kurtz is also a driver for a CrowdStrike-sponsored auto racing team.

After his initial statement on the issue was criticized for lack of remorse, Kurtz apologized later Friday in a social media post and on NBC’s “Today Show.”

“We understand the seriousness of the situation and deeply regret the inconvenience and disruption,” he said on X.

Richard Stiennon, a cybersecurity industry analyst, said this was a historic mistake by CrowdStrike.

“This is easily the worst faux pas, technical faux pas or failure by a security software vendor ever,” said Stiennon, who has followed the cybersecurity industry for 24 years.

While the problem has a simple technical fix, he said, the impact could be long-lasting for some organizations because of the hands-on work required to fix each affected computer. “It’s really, really hard to touch millions of machines. And people are on vacation right now, so you know, the CEO is coming back from his trip to the Bahamas in a couple of weeks and he can’t use his computers.”

Stiennon said he doesn’t think the outage highlights a larger problem within the cybersecurity industry or within CrowdStrike as a company.

“The markets will forgive them, the customers will forgive them, and this will blow over,” he said.

Forrester analyst Allie Mellen praised CrowdStrike for clearly telling customers what they need to do to fix the problem. But rebuilding trust, she said, requires a deeper look at what happened and what changes can be made to prevent it from happening again.

“A lot of this will probably come down to the testing and software development process and the work they put into testing these types of updates before they deploy them,” Mellen said. “But until we see the full retrospective, we won’t know for sure what the failure was.”

___

Alan Suderman, an Associated Press editor in Richmond, Virginia, contributed to this report.