Portland Mayor Ted Wheeler declared a state of emergency on Friday morning due to a global IT outage that has significantly impacted airlines, hospitals, and other services. The chaos originated from a flawed software update by CrowdStrike, a cybersecurity company based in Austin, Texas. When the new code was sent to computers running Microsoft Windows, the machines began to crash, leading to widespread disruptions.
The city of Portland is specifically experiencing outages with city servers, data centers, and employee computers. This extensive technology failure is also causing problems for travelers at Portland International Airport. Major airlines such as American, United, and Delta grounded their flights early Friday morning due to the technical issues. Some of these airlines have since started to come back online and resume services.
Waking up as a Linux user today #Crowdstrike pic.twitter.com/rkC4hGQhLY
— It's FOSS (@itsfoss2) July 19, 2024
The cascading effects of the outage highlighted the world’s reliance on Microsoft and a handful of cybersecurity firms like CrowdStrike that provide the backbone of technological infrastructure. The fallout was immediate and harmful, with airlines canceling flights and airports falling into chaos across the United States, Europe, and Asia. In the United States, operators of 911 lines in multiple states could not respond to emergencies. Parts of Britain’s National Health Service reported problems, new driver’s licenses could not be issued in some areas, and some television broadcasters could not go on the air.
“This is a very, very uncomfortable illustration of the fragility of the world’s core internet infrastructure,” said Ciaran Martin, former chief executive of Britain’s National Cyber Security Center and a professor at the Blavatnik School of Government at Oxford University. The incident raised broader questions about what repercussions software firms should face when flaws in their code cause major disruptions.
George Kurtz, CrowdStrike’s chief executive, said that the company took responsibility for the mistake and that a software fix had been released. He warned that it could be some time before everything was restored and tech systems returned to normal. “We’re deeply sorry for the impact that we’ve caused to customers, to travelers, to anyone affected by this,” Mr. Kurtz said in an interview on Friday on NBC’s “Today” show.
Microsoft blamed CrowdStrike for the problem and said it expected that “a resolution is forthcoming.” Apple and Linux machines were not affected by the flawed CrowdStrike software. Lukasz Olejnik, an independent cybersecurity researcher and consultant, said the issues appeared to originate with an update to CrowdStrike software called Falcon Sensor, which scans a computer for intrusions and signs of hacking.
Unlike consumer-facing software updates, the incident involved IT systems that businesses use in the background. Companies rely on many other companies to make the software that underpins their operations. A major problem with the CrowdStrike issues was that the software being updated performed critical cybersecurity tasks, giving it access to scan a computer for viruses and other malicious attacks.
“One of the tricky parts of security software is it needs to have absolute privileges over your entire computer in order to do its job,” said Thomas Parenty, a cybersecurity consultant and a former U.S. National Security Agency analyst. “So if there’s something wrong with it, the consequences are vastly greater than if your spreadsheet doesn’t work.”
The CrowdStrike flaw was not the only problem facing Microsoft. On Thursday, some Microsoft clients in the central United States, including some airlines, were affected by an outage on its cloud service system, Azure. Microsoft’s cloud service status page indicated that it had identified a preliminary cause, though some users may still be unable to access certain Microsoft 365 apps and services, including Teams video conferencing.
Microsoft said that the issue was not related to the CrowdStrike outage, but that it was “working to restore services for those still experiencing disruptions as quickly as possible.” The outages underscored an uncomfortable reality that software companies face few liabilities for major disruptions and cybersecurity incidents. The economic and legal penalties for such significant outages can be so minimal that companies are not motivated to make more fundamental changes.
“Until software companies have to pay a price for faulty products, we will be no safer tomorrow than we are today,” Mr. Parenty said.