
Could Crowdstrike chaos be the tip of the iceberg?

By Mario Laghos

July 31, 2024

Most people had never heard of Crowdstrike until last week. The cyber-security firm had been operating quietly in the background of our lives, defending services we depend on from digital attacks. That changed on July 19, when a catastrophic failure in the software brought large parts of the world to a halt, putting the firm and its responsibilities in the spotlight and raising questions over our dependence on software and what happens when it goes wrong.


As a result of the outage, millions of passengers across the world faced delayed flights and cancellations. Hospitals were thrown into chaos as doctors were unable to access patient records. Banks were hit, leaving some customers unable to access their money online or over the phone. The apparent lack of fail-safe systems left many with nowhere to turn.


The outage has led experts to warn of the dangers of consolidation in the tech space. The current regulatory framework around cybersecurity means that in some jurisdictions installing Crowdstrike is an easy way to ‘tick the box’. That means if, as happened last week, Crowdstrike issues an update which causes a failure, the impact is widespread.


Days after what is being termed the biggest IT outage in history, problems linger. Important questions about cloud computing, and about the impact of this crisis on the sector more broadly, also loom large.



What is Crowdstrike?

Crowdstrike is an American company, founded in 2011 by George Kurtz, Dmitri Alperovitch and Gregg Marston. The company was noted for its role in revealing North Korea’s part in the 2014 hack of Sony Pictures and for producing reports which helped the DOJ bring charges against Chinese hackers bent on espionage.


The company boasts that its software “combines the most advanced endpoint protection with expert intelligence to pinpoint the adversaries perpetrating the attacks, not just the malware.” In recent years Crowdstrike has seen investment from tech giants like Google, as it expanded its reach to help protect more than half of the companies listed on the Fortune 1000.


Unlike McAfee or Norton anti-virus software, Crowdstrike has never been a household name, largely because its focus is on corporate clients. That Crowdstrike is now dominating headlines for the wrong reasons might challenge old assumptions about all publicity being good publicity.



Why did Crowdstrike fail?

Crowdstrike caused a worldwide outage as the result of an update which conflicted with computers using the Windows operating system. According to reports, the update was issued globally, rather than staggered, resulting in huge numbers of computers showing error screens, sometimes referred to as the ‘blue screen of death.’


Speaking to CNBC, Nick Hyatt at Blackpoint Cyber blamed “buggy code” and said the incident highlighted our reliance on software – and the catastrophic consequences that occur when it fails:

“One mistake has had catastrophic results. This is a great example of how closely tied to IT our modern society is — from coffee shops to hospitals to airports, a mistake like this has massive ramifications.”


Is there an opportunity in Crowdstrike?

On Thursday, July 17, Crowdstrike closed at $345.10 per share. By Monday, July 22, its price had fallen to as low as $263, before beginning what appeared to be a modest recovery on Tuesday – though it remained way below pre-outage prices.


Analysts expect the fallout from the outage will have a lasting impact on Crowdstrike, with fewer firms buying the software, as per CNBC. The outlet reported that Guggenheim Securities downgraded its rating on Crowdstrike from ‘buy’ to ‘neutral’ – however, analyst John DiFucci said Crowdstrike’s long-term prospects remain strong:


“We still have the utmost respect for the leadership team at CrowdStrike and believe that the company will eventually become even stronger as a result of this incident, and if investors have a multi-year horizon, they can ride it out.”


There are conflicting views over whether investors should buy the dip – with most analysts arguing against it and some dissenting. Tech and consumer goods specialist Leo Sun owns Crowdstrike stocks, but in an article for the Motley Fool said its share price would need to fall further before being considered a bargain.


The outage was described as a buying opportunity for investors by The Morning Star, which said the sell-off presented a good prospect for long-term investors. Writing for the outlet, Malik Ahmed Khan said he felt the market reaction had been “overly punitive” and that “the current pullback represents a good buying opportunity for long-term investors looking for high-quality security/software exposure.”



How vulnerable are we to software failures?

When we think of threats to society, we might consider cyber-attacks, conflict or terrorism – but perhaps the Crowdstrike outage reveals a more startling vulnerability: a system without a fail-safe.


A key lesson to take away from the outage is the importance of issuing software updates in a staggered manner – rather than in one fell swoop – according to former FBI operative Eric O’Neill. Speaking to CNBC he said:


“What Crowdstrike was doing was rolling out its updates to everyone at once. That is not the best idea. Send it to one group and test it. There are levels of quality control it should go through.”


However, the difficulties with cloud computing and software reliance may be as much a matter of substance as of form. Technology specialist Simon Pardo said the crisis showed the dangers of ‘putting all our eggs in one basket.’ Writing for the Express, he said:


“The extent to which Crowdstrike has penetrated the market has created a dangerous monoculture in our digital ecosystem. When we put all of our eggs in one basket, even a minor crack can lead to catastrophic consequences.


“Businesses, organisations and governments need to urgently reassess their disaster recovery plans and build more resilient systems.”


In an analysis for The Guardian, Edward Ongweso Jr went further, saying an ‘oligopoly’ of tech giants running the show presented a clear vulnerability:


“It’s not just that so many firms rely on CrowdStrike, but that cloud infrastructure relies on hugely powerful companies such as Microsoft, which then subject firms to exclusionary and anticompetitive practices that concentrate services and offerings into an increasingly narrow range of options.”


There might also be a wider problem, for which there is no obvious solution. That is the consolidation of a huge number of personal and professional services and functions within a single device type upon which we are all reliant.


That is to say, unlike the office space of twenty or thirty years ago, which might have been populated with fax machines, landlines, mobile phones, desktop computers, physical files and perhaps even the odd residual typewriter, most of us now use a single device to get all of our work done. What’s more, those devices largely operate on the same software. So, when the software goes wrong, there is no other tool to reach for – the system just breaks.



How has Crowdstrike responded to the outage?

Issuing a statement following the outage, the CEO of Crowdstrike apologised for the disruption. He said:


“I want to sincerely apologize directly to all of you for the outage. All of CrowdStrike understands the gravity and impact of the situation. We quickly identified the issue and deployed a fix, allowing us to focus diligently on restoring customer systems as our highest priority.


“The outage was caused by a defect found in a Falcon content update for Windows hosts. Mac and Linux hosts are not impacted. This was not a cyberattack.


“We are working closely with impacted customers and partners to ensure that all systems are restored, so you can deliver the services your customers rely on.


“CrowdStrike is operating normally, and this issue does not affect our Falcon platform systems. There is no impact to any protection if the Falcon sensor is installed. Falcon Complete and Falcon OverWatch services are not disrupted.


“We will provide continuous updates through our Support Portal at https://supportportal.crowdstrike.com/s/login/.


“We have mobilized all of CrowdStrike to help you and your teams. If you have questions or need additional support, please reach out to your CrowdStrike representative or Technical Support.


“We know that adversaries and bad actors will try to exploit events like this. I encourage everyone to remain vigilant and ensure that you’re engaging with official CrowdStrike representatives. Our blog and technical support will continue to be the official channels for the latest updates.


“Nothing is more important to me than the trust and confidence that our customers and partners have put into CrowdStrike. As we resolve this incident, you have my commitment to provide full transparency on how this occurred and steps we’re taking to prevent anything like this from happening again.”


On Tuesday Crowdstrike updated customers and service users, telling them:


“To prevent Windows systems from further disruption, the impacted version of channel file 291 was added to Falcon’s known-bad list in the CrowdStrike Cloud. When a Windows system with Falcon installed contacts the CrowdStrike Cloud, a request to remove the bad channel file and place it in quarantine, which is visible in your Falcon UI, will be issued. If the file does not exist, no quarantine will occur and systems will continue to operate normally.


“Adding the impacted version of channel file 291 to Falcon’s known-bad list prevents inadvertent reuse by operational or recovered systems. With strong network connectivity, this action could also result in the automatic recovery of systems in a boot loop.


“This was configured in US-1, US-2, and EU on July 23, 2024.


“Gov-1 and Gov-2 customers can request a channel file 291 known-bad classification by contacting CrowdStrike Support.


“No sensor updates, channel files, or code was deployed from the CrowdStrike Cloud.”



Mario Laghos is a journalist. His work has appeared in the Critic magazine, the Daily Express, and the Daily Mail.
