How a faulty software update sparked tech disruptions worldwide

A tech outage around the globe halted flights, disrupted emergency services and created headaches for businesses. The underlying problems behind the glitch were fixed by Friday afternoon, but the ripple effects lasted throughout the day and may continue into the weekend. William Brangham discussed what went wrong and the risks with Bruce Schneier, an expert in computer security and technology.

Read the Full Transcript

Amna Nawaz: The pressure is mounting on President Biden to step aside from his campaign a day after the Republican National Convention wrapped up with a highly anticipated speech from former President Donald Trump.

Geoff Bennett: We will have more on the shifting political landscape in a moment.

But we start tonight with a tech outage around the world that halted flights, disrupted emergency services, and created headaches for businesses.

Amna Nawaz: The underlying problems behind the glitch were fixed by the afternoon, but the ripple effects have lasted throughout the day and may continue well into tomorrow.

Geoff Bennett: And, as William Brangham reports, thousands of passengers are still trying to get to their destinations tonight.

William Brangham: It was the glitch felt around the world. Today’s software failure triggered far-reaching and frustrating outages globally. Air travelers were among the most directly affected, with tens of thousands of flights delayed and thousands more canceled.

Becca Maynard, Stranded Passenger: I have never seen it like this before, especially in this airport. This airport is my favorite because it’s usually getting it out.

William Brangham: The outage was caused by a faulty software update within Microsoft’s Windows operating system. Many users first noticed the problem when they saw the notorious so-called blue screen of death.

The faulty update was issued by the cybersecurity firm CrowdStrike.

CEO George Kurtz offered a mea culpa this morning on “The Today Show.”

George Kurtz, CEO and Founder, CrowdStrike: We’re deeply sorry for the impact that we have caused to customers, to travelers, to anyone affected by this, including our companies. So we know what the issue is. We’re resolving and have resolved the issue now.

William Brangham: The FAA temporarily grounded major U.S. airlines, including United, American, and Delta.

Woman: Please wait on the passenger load. We aren’t checking right now.

William Brangham: With flights stalled, check-ins were brought to a standstill.

This passenger in Minneapolis was disappointed with his airline’s response.

Matt Jordan, Stranded Passenger: What’s interesting to watch is that airlines have no idea what’s happening because it is such an issue that they don’t have a grasp on yet, at least here at the Minneapolis Airport.

William Brangham: Across the world, in Australia, travelers had to fend for themselves.

Christine Poulton, Stranded Passenger: Our flight’s been canceled, so now we’re trying to find accommodation in Sydney, which is not easy. Our daughters are trying to do that online. And then we will have to try and get a flight home somehow, somewhere, sometime. Don’t know.

William Brangham: It wasn’t just air travel that was affected. Hospitals and health care systems overseas were also locked up, forcing the cancellation of appointments and the closing of clinics.

Massachusetts General Hospital had to limit operations, announcing — quote — “Due to the severity of this issue, all previously scheduled, non-urgent surgeries, procedures, and medical visits are canceled today.”

The outage also impacted 911 call systems in many places, in emergency services in Oregon, Alaska, and Arizona. Global news outlets like Sky News were unable to broadcast their regular programs.

Woman: And a major global I.T. outage is impacting many of the world’s largest companies, including us here at Sky News.

William Brangham: In Paris, Olympic officials say some of their systems were also down.

In many places, courts were also closed or delayed. While the underlying software problem has been fixed, security experts say residual problems could continue for several days.

So, to help us understand more about what went wrong and the broader risks to our system, we turn again to Bruce Schneier. He’s an expert in computer security and technology, a lecturer at the Harvard Kennedy School, and writes the wonderful blog Schneier on Security.

Bruce Schneier, thanks so much for being here again.

Help us understand the basics here. What is it that went wrong?

Bruce Schneier, Harvard University: You know, basically there are hundreds of companies that do small things that are critical to the Internet functioning.

And, today, one of them failed, this company you have probably never heard of and wouldn’t hear of if it didn’t fail. It’s one of many. I mean, the details are geeky, but basically one of the critical things that holds the Internet up fell down.

William Brangham: OK, but that simple little glitch today grounded planes, stopped surgeries from happening, had 911 systems go down. I mean, if that can be happening because of an accident, I mean, what would happen if there was a motivated bad actor getting into these systems?

Bruce Schneier: We see that. Do you remember Change Healthcare, when no one got prescriptions because of ransomware?

Remember Colonial Pipeline,where oil stopped flowing in the East Coast because of ransomware? We see this again and again. Sometimes, it’s malice, sometimes it’s accident, but there are so many critical things that make this network function. And if any one of them fails, the network fails.

William Brangham: So is it just that we are too overreliant on a concentrated number of companies?

Bruce Schneier: Yes, it’s concentrated and the fact that there’s no — no resilience, that it’s a very fragile system. And a lot of that is the way — is the economics, right?

Redundancies are viewed as inefficient, so they’re pulled out of the system because of profits, but that ends up with a very fragile system. It all works great when it works. When it fails, it fails catastrophically, which is what we saw today.

William Brangham: So is that the incentive here? Is that to change — to make a meaningful incentive, to sort of build in that redundancy? Is it economics principally?

Bruce Schneier: It’s economics.

We have the technology here. I could describe ways that CrowdStrike could have rolled out this change incrementally and caught this before it was a disaster. We can talk about maybe there being a dozen companies do the same thing, so that the disaster is contained.

But, really, it is fundamentally economics. The business incentive is to grow and become critical and then run as lean as absolutely possible.

William Brangham: So what do you think the downstream consequences for CrowdStrike and/or Microsoft will be? Or will there be none?

Bruce Schneier: There will be none. What were the downstream consequences for Colonial Pipeline or Change Healthcare or the dozens of other incidents like this in the past few years?

We move on, right? Politics is all-consuming. This is a blip. Tomorrow, I don’t even think it’s going to be news.

William Brangham: On a practical basis, for an individual who late last night or today might have done some online transaction, paid a bill, transferred money, do they need to worry? Could this have impacted them in some way?

Bruce Schneier: I mean, they could have if they were flying today, if they wanted to needed 911 services, hospitals. A lot of things collapsed. But, really, as an individual, there’s nothing you can do.

You’re not in charge of these networks. You don’t get to say what products and services are used or not. We are all at the mercy of these very large consolidated systems. And when they fail, our life is impacted. The only way to make this change is at the political level, right?

Agitate for some meaningful rules here that will keep companies from being this lean.

William Brangham: But you know the difficulties of that kind of a thing. One, that’s not a constituency that’s naturally out there that’s organically fighting for this kind of a thing.

Absent that, are there political leaders that could be doing this, that could be pressing this in a regulatory way?

Bruce Schneier: I mean, there can. I don’t think there will be. We have a lot of trouble, especially the United States, regulating anything. And this is certainly not the worst disaster.

This is just one of many. This is today’s disaster. So, yes, there could be change. I wouldn’t expect it. E.U. is doing better. You see more meaningful regulation there. But even there, they’re not doing the kind of things that will make our critical infrastructure more redundant, more resilient.

William Brangham: All right, Bruce Schneier of Schneier on Security, thanks so much for being here.

Bruce Schneier: Yes, thanks for having me. Later on.

Amna Nawaz: Thank you, William.