CrowdStrike IT outage: a global meltdown

Millions of people across the globe were affected recently by possibly the most widespread IT outage ever seen.

Starting in Australia, and spreading across the world, companies and organisations experienced problems with PCs, servers and other IT equipment running Microsoft Windows – with many seeing the “blue screen of death”, indicating that Windows had failed to load.

Flights were grounded , NHS surgeries were crippled and media outlets were knocked off air. The issue, which affected 8.5 million computers worldwide, also caused hours of outages for various banks , money managers and stock exchanges , including problems at Bank of America and JPMorgan Chase.

It was a “salutary moment”, said Sam Leith in The Spectator , and a reminder that “for all our technical advances, for all the vast complex architecture of the modern world, we’re never more than a fat-finger error away from a global pratfall”.

How did the CrowdStrike IT outage happen?

The meltdown was caused by an update made by the US cybersecurity firm CrowdStrike to its premium platform, a cloud-based software product called Falcon. Although many people won’t have heard of it before the Friday when it happened, CrowdStrike is a highly successful and well-regarded business, with $3.1 billion of revenues last fiscal year, whose software is widely deployed to protect business-critical IT infrastructure at some of the world’s largest companies.

The Nasdaq-listed firm was founded in 2011 and is based in Austin, Texas. It uses cloud-based software to sell services to businesses worldwide, including (according to its website) 538 of the Fortune 1,000 companies. Early that Friday morning, when CrowdStrike sent out an update to Falcon – which is intended to protect other computer systems and software such as Microsoft’s Windows products – it instead caused a malfunction that disabled those systems. With catastrophic results.

What went wrong?

CrowdStrike has not yet fully explained how the disaster happened. The software update it pushed out was supposed to teach its clients’ systems how to spot a particular type of cyberattack that had already been “observed in the wild”, said Alex Hern in The Guardian .

But, instead, it had a faulty piece of code that “triggered a logic error that resulted in an operating system crash”, according to the company. That didn’t just affect PCs using Windows systems, but also servers and other systems, as overwhelming requests from users, devices, services and businesses caused problems with other Microsoft products.

Ultimately, it seems almost certain that human error at CrowdStrike was to blame. But even so, there’s a more structural question here, about why CrowdStrike was pushing its update to all computers on its network at the same time, and why that update hadn’t been properly tested.

What lessons can we learn?

The scale of the disruption raises obvious questions about the over-reliance on dominant suppliers in critical infrastructure. Ironically, this is something that at least one CrowdStrike executive has drawn attention to. Drew Bagley, a CrowdStrike vice-president, warned of organisations where the “IT stack may include just a single provider for operating system, cloud, productivity, email, chat, collaboration, video conferencing, browser, identity, generative AI and increasingly security as well.”

This means that the building materials, the supply chain and even the building inspector are all the same”. Above all, the CrowdStrike chaos illustrates just how “fragile our networked world has become”, given a global IT system that prizes efficiency over stability, says The Observer . On this occasion, fixing the issue turned out to be relatively straightforward, although time-consuming and tedious.

So, that’s good news?

Good news, unless it lulls us into a false sense that this was just a “hiccup”, rather than a potential “dry run for something much worse”. As the global economy becomes more digitalised and interconnected, the threat from crashes, hacks and data breaches will only grow.

So the outage should serve as a wake-up call for a world and global economy that is becoming increasingly vulnerable to supply shocks, says Diane Swonk, chief economist at KPMG . That also “makes for a world that’s more susceptible to bouts of inflation ”, as witnessed during the pandemic.

Part of the issue comes down to overly concentrated market shares in the business-to-business software sector, says Karen Kwok on Breakingviews . CrowdStrike, which claims to be the most widely used seller of endpoint security, had 19% of the market in the second quarter of 2023, according to research firm Canalys . Meanwhile, just three companies – Google, Amazon and Microsoft – account for two-thirds of the cloud-provider market.

What should be done?

First, business and governments need to understand their exposure in order to build resilience, says the Financial Times .

Second, once vulnerabilities are mapped, organisations “need to build redundancy into their operations” – that is, prepare second systems and contingency plans that ensure continuity of critical operations in the event of crisis. This could include diversifying their IT infrastructure by having more than one cybersecurity, operating system or cloud provider.

Third, there needs to be closer collaboration between government and business to share information on breaches, vulnerabilities and stress tests. There are “single points of failure” lurking within our globalised and highly networked economies.

The CrowdStrike episode is a critical reminder that “building resilience into our physical and digital economic systems is essential, and should not be postponed. This will come at a cost, but will bring the benefit of insuring against even costlier threats”.

This article was first published in MoneyWeek's magazine. Enjoy exclusive early access to news, opinion and analysis from our team of financial experts with a MoneyWeek subscription .