On July 19, the blue screen of death appeared on computers all over the world, and nobody knew why. The CrowdStrike outage crashed 8.5 million computers, leaving staff at hospitals and airports staring at the blue oblivion. The outage caused hospitals to cancel surgeries and turn away non-emergency patients. Banking transactions froze. It also led to the cancellation of 2,500 flights. Delta alone canceled 800 flights and has been seeking ways to make it up to customers.
The economic losses tallied into the billions and it knocked 23% off the stock price of the Texas-based security giant, which ended up being $16 billion. Short sellers profited to the tune of $978 million on the drop, according to S3 Partners LLC. On Monday, four days later, CrowdStrike’s shares fell by another 13%. Only Microsoft has had a higher volume of short-selling.
According to the company’s post-incident review, CrowdStrike released a content configuration update for the Windows sensor to gather telemetry on possible novel threat techniques.
The first solution offered by CrowdStrike required rebooting in safe mode, deleting a certain file, and then restarting each machine individually.
Commentators rued our dependence on technology and the chain-linked structure of operating systems and extensions. The world would be a better place if Microsoft was more like Apple. I think the story starts and ends with George Kurtz, the owner of CrowdStrike.
George and a Terrible, Horrible, Not Good Very Bad PR Strategy
For George Kurtz, this new blundered update must have an ominous ring. George Kurtz participated in another catastrophic update in 2010 at McAfee. Dave DeWalt was CEO and Kurtz was chief technology officer. The main difference, according to DeWalt, is the scope and scale.
The Washington Post consulted a tech expert in an article more whimsical than usual, entitled “Hug your IT Folks: The CrowdStrike outage turned technicians into heroes.” The only tech fracas the guy could think of on a similar scale was actually the McAfee update, but the article failed to acknowledge the commonality between these two events is George Kurtz, the legend.
Most people’s first introduction to Kurtz was from a tone-deaf tweet that had everything except an apology.
In an interview with Founders Fund, Lulu Cheng Meservey, founder and CEO of Rostra, explained, “Some committee of corporate comms people and lawyers wrote this very heartless, indifferent-sounding tweet, which became the first thing to really travel.”
She found so much fault with Kurtz’s initial response that she posted her own version on X:
Kurtz put on a little TV media blitz, but mostly his company stuck with platitudes and boilerplate statements from the legal people. That’s not always advisable, according to Cheng Meservey because losing a battle in court can be cheaper than losing your reputation. That seems like a likely outcome for CrowdStrike. Losing the trust of its clients.
On Sunday, two days after the outage, Shawn Henry, chief security officer of Crowdstrike, tried to nail the apology that Kurtz bungled. It was a classic strategy of self-mortification.
It began, “On Friday we failed you, and for that I’m deeply sorry…”
He went on, at length, “…The past two days have been the most challenging 48 hours for me over 12+ years. The confidence we built in drips over the years was lost in buckets within hours, and it was a gut punch. But this pales in comparison to the pain we’ve caused our customers and our partners. We let down the very people we committed to protect, and to say we’re devastated is a huge understatement. I, and the entire company, take that personally.”
It was good stuff, but it was too long and didn’t have near the reach as the CEO’s initial statement.
Pointing Fingers
A more insightful critique of the fiasco assigns blame to the privileges Microsoft allows its internal software contractors. Apple does not offer the same access to software providers, preferring to handle most of its extensions in-house. According to the Washington Post, Microsoft spokesman Frank Shaw said Microsoft must offer security companies the same powers as it does its own security products because of a 2009 agreement with European antitrust officials.
European government officials aren’t the only ones worried, although they might levy the most severe fines against the company due to GDPR. Even before this, the U.S. Cyber Safety Review Board noted that Microsoft’s “ubiquitous and critical products … underpin essential services that support national security, the foundations of our economy, and public health and safety.”
Microsoft marshaled its tech support forces with the most urgent incident level, the dreaded “sev0” or “severity zero.” It is seldom used and calls for all hands on deck to resolve the issue, meaning that Microsoft personnel were in constant contact with CrowdStrike as they navigated the situation.
It was already well-known that Microsoft’s security culture was inadequate, but Microsoft pledged to adopt “a new culture of engineering security in our own networks.”
Obviously, that was more aspirational than actual.
Even though it wasn’t their fault, Delta caught a lot of flack for not giving customers sufficient information in the wake of the outage. Transportation Secretary Pete Buttigieg called out Delta for its lack of proactive communications in the face of fulminating customer dissatisfaction. Now looking for vengeance, Delta has hired a powerful litigator to seek compensation from CrowdStrike.
Communications experts around the world were taking notes and posting their advice on social media. It was a teachable moment for everyone.
Project Your Own Meaning
The outage also elicited all of the boisterous voices in American public life to the social media mic. Rightwingers blamed DEI.
Leftwingers recalled Trump’s obsession with a computer server supposedly possessed by the owner of CrowdStrike, which he brought up in the course of his notorious call with Ukrainian President Zelensky.
Anybody who is having a bad day and needs affirmation that life is worth living might consider searching #CrowdStrike on X. All the best minds of the internet have been hard at work crafting exquisite memes.
They have been finding videos that perfectly express the deep irony surrounding the event.
They have cast about for alternative explanations of what happened behind the scenes.
Someone declared July 19 “International Blue Screen Day.”
It is a welcome reminder that as long as there is internet, the creativity of humanity will never cease to make our collective angst a little lighter. However, the CrowdStrike outage is just a little taste of the chaos that could result from a massive solar flare, which could take down the global electric grid for weeks or months.
At the end of the day, George Kurtz is the man most responsible and the person who Congress is planning to put on blast. It will be interesting to see how much this costs him and his company.
People looking for a lawyer to go after CrowdStrike won’t have to look far. Lieff Cabraser, a San Francisco-based law firm, is already urging businesses that experienced losses to get in touch. A class action lawsuit will likely be forthcoming.
Author: Laird Dilorenzo
#Crypto #Blockchain #DigitalAssets #DeFi
Laird Dilorenzo is a hatchet thrower and wordsmith.
The editorial team at #DisruptionBanking has taken all precautions to ensure that no persons or organizations have been adversely affected or offered any sort of financial advice in this article. This article is most definitely not financial advice.
