When computer screens worldwide turned blue on Friday, it led to grounded flights, halted hotel check-ins, and stalled freight deliveries. Businesses had to revert to using paper and pen, and initial suspicions pointed to a cyberterrorist attack. However, the true cause was much more mundane: a botched software update from the cybersecurity company CrowdStrike.
“This incident was due to a content update,” explained Nick Hyatt, director of threat intelligence at Blackpoint Cyber.
Given CrowdStrike’s vast customer base, the content update had a global impact.
“A single error has caused widespread disruption. This incident highlights our modern society’s deep reliance on IT — from coffee shops to hospitals to airports, a mistake like this has significant consequences,” Hyatt stated.
The problematic update was related to CrowdStrike Falcon monitoring software, which Hyatt said has deep integrations for monitoring malware and other malicious activities on endpoints such as laptops, desktops, and servers. Falcon automatically updates itself to address new threats.
“Faulty code was deployed via the auto-update feature, and here we are,” Hyatt noted. Auto-update capabilities are standard in many software applications and aren’t unique to CrowdStrike. “However, given CrowdStrike’s role, the fallout here is severe,” Hyatt added.
Despite CrowdStrike quickly identifying the problem and many systems being restored within hours, the global impact isn’t easily reversed for organizations with complex systems.
“We expect it to take three to five days to resolve everything,” said Eric O’Neill, a former FBI counterterrorism and counterintelligence operative and cybersecurity expert. “This is significant downtime for organizations.”
The timing didn’t help either, O’Neill said, as the outage occurred on a summer Friday when many offices were empty and IT support was limited.
Lessons from the Global IT Outage
O’Neill emphasized that one lesson from this outage is the importance of rolling out software updates incrementally.
“CrowdStrike rolled out updates to everyone at once, which isn’t ideal. Updates should be sent to a smaller group first for testing. There should be multiple levels of quality control,” O’Neill said.
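One way to implement the incremental rollout O’Neill describes, as an added example that is not CrowdStrike’s or any vendor’s code: a fleet is split into rings of increasing size, each ring must check in healthy before the next one is touched, and a ring whose failure rate exceeds a threshold halts the rollout. The ring names, host names, threshold and the apply_update callback are all constructed for illustration.

```python
"""Staged ("ring") rollout of a content update with an automatic halt.

Constructed illustration: endpoints are split into rings of increasing
size. Each ring receives the update and reports back health; if the
fraction of unhealthy hosts in a ring exceeds a threshold, the rollout
stops before any later ring is touched.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class RolloutResult:
    completed_rings: List[str]
    halted_at: Optional[str]
    unhealthy_hosts: Dict[str, List[str]] = field(default_factory=dict)


def staged_rollout(
    rings: Dict[str, List[str]],
    apply_update: Callable[[str], bool],
    max_failure_rate: float = 0.01,
) -> RolloutResult:
    """Apply the update ring by ring, gating each ring on its health.

    apply_update(host) returns True if the host is still healthy after
    the update (e.g. it rebooted and checked back in). Rings are processed
    in insertion order; the first ring whose failure rate exceeds
    max_failure_rate halts the rollout, and later rings are never touched.
    """
    result = RolloutResult(completed_rings=[], halted_at=None)
    for name, hosts in rings.items():
        failed = [h for h in hosts if not apply_update(h)]
        result.unhealthy_hosts[name] = failed
        if len(failed) / len(hosts) > max_failure_rate:
            result.halted_at = name
            return result
        result.completed_rings.append(name)
    return result


# Constructed fleet: a small internal canary ring, then larger rings.
FLEET = {
    "canary": ["canary-01", "canary-02", "canary-03"],
    "early": [f"early-{i:02d}" for i in range(20)],
    "broad": [f"broad-{i:03d}" for i in range(500)],
}


def good_update(host: str) -> bool:
    return True   # every host checks in healthy


def bad_update(host: str) -> bool:
    return False  # hypothetical update that leaves every host unbootable
```

With bad_update the rollout stops at the three-host canary ring, so the 520 hosts in the later rings never receive the faulty content.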
The IT industry refers to this as a single point of failure: an error in one component that cascades into a widespread technical disaster across industries, business functions, and interconnected communication networks, creating a massive domino effect.
Friday’s event might prompt companies and individuals to enhance their cyber preparedness.
“The bigger picture is the fragility of our world; it’s not just a cyber or technical issue. Various phenomena, like solar flares, can disrupt communications and electronics,” Avery said.
Ultimately, Friday’s meltdown wasn’t an indictment of CrowdStrike or Microsoft but a reflection on how businesses view cybersecurity, said Javad Abed, an assistant professor of information systems at Johns Hopkins Carey Business School. “Business owners need to see cybersecurity services as essential investments in their company’s future, not merely as a cost,” Abed said.
Businesses should build redundancy into their systems.
“A single point of failure shouldn’t stop a business, which is what happened here. Relying on one cybersecurity tool is a fundamental mistake,” Abed said.
While building redundancy into enterprise systems is expensive, Friday’s incident proved even more costly.
“I hope this serves as a wake-up call, prompting business owners and organizations to rethink their cybersecurity strategies,” Abed said.
Addressing Kernel-Level Code Issues
On a macro level, Nicholas Reese, a former Department of Homeland Security official and instructor at New York University’s SPS Center for Global Affairs, pointed to systemic issues within enterprise IT, where cybersecurity, data security, and the tech supply chain are often seen as optional rather than essential. There is also a general lack of cybersecurity leadership within organizations.
On a micro level, Reese noted that the disruptive code was kernel-level, affecting every aspect of computer hardware and software communication. “Kernel-level code should receive the highest level of scrutiny,” Reese said, emphasizing that the approval and implementation processes should be entirely separate with proper accountability.
Reese expects the risk to persist across an ecosystem filled with third-party vendor products, each of which can introduce its own vulnerabilities.
“How can we monitor third-party vendors to identify the next vulnerability? It’s almost impossible, but we must try,” Reese said. “It’s a certainty until we address the numerous potential vulnerabilities. We need to focus on backup and redundancy, but businesses often resist paying for contingencies that might never occur. It’s a tough argument to make,” he concluded.