What is CrowdStrike and has it caused the global Microsoft IT outage?

Computer system woes impacting banks, airlines, retailers, and public services around the world.

It bore all the hallmarks of a large-scale cyber attack, but the global IT outage affecting systems around the world on Friday was the result of an erroneous update by a major tech security firm.

The outage meant Microsoft Windows 10 and Windows 11 users around the world, including banks, airlines, TV broadcasters, energy firms and supermarkets, went to boot up their operating systems as normal, only to be confronted with what is known as the blue screen of death (BSOD), otherwise known as STOP code errors. Unfortunately, the time-honoured solution of turning machines off and back on again will not fix such fundamental problems.

What is CrowdStrike and what does the company do?

The issues stem from a malfunctioning update from a company called CrowdStrike, which provides endpoint security for many Windows systems, particularly in the business community. Consequently, computers reliant on the automatic updates, which run in the background unseen, are being forced into a recovery boot loop, meaning they are unable to start properly.

In a support note, CrowdStrike, based in the US state of Texas, said it had “widespread reports of BSODs on Windows hosts, occurring on multiple sensor versions”. The firm said it had identified the issue and reverted the faulty update, but it is unclear how long it will take for machines and services already impacted to get back to normal. It is believed the problems stem from a platform known as the Falcon Sensor, run by CrowdStrike. The firm’s founder and chief executive, George Kurtz, has said he was “deeply sorry” for the problems.

How many countries are impacted by the IT outage and what is happening in Scotland?

At the time of writing, few countries appeared to be unaffected by the global outages, and Scotland was among those affected. As of Friday afternoon, Edinburgh Airport was no longer accepting incoming flights that had not already taken off, while passengers whose flights had been cancelled were being asked to leave. A fire alarm also sounded in the airport’s main terminal building, which is thought to have been triggered by the same computer problems.

Passengers at Edinburgh Airport, as widespread IT outages affecting airlines, caused long queues at airports, and affected businesses and institutions around the globe. Photo: Andrew Milligan/PA Wire

Glasgow Airport said it was “largely unaffected” by the outage, with a small number of airlines moving to manual check-in, and some retailers only accepting cash. Elsewhere, NHS Shetland said issues had affected its fire alarm system, while a medical practice in NHS Grampian had asked patients to only contact them with urgent issues.

Pets ‘n’ Vets, a veterinary firm with several practices in and around Glasgow, said many of its computers were down, causing disruption and forcing it to work with “limited IT access” to patient files and payments. Some cross-border rail services, including TransPennine Express, Avanti West Coast and Lumo, were also affected.

Data from Downdetector shows outages started creeping up in the early hours of the morning, from around 6am on Friday. Visa was one of the worst affected, with half of the reports citing issues with purchases and 46 per cent with payments. The number of reports of Visa outages peaked at 753 at 8.21am.

How did the problem cause such disruption and what needs to change?

Passengers buying tickets at Victoria train station, London, amid reports of widespread IT outages affecting airlines, broadcasters and banks. Picture date: Friday July 19, 2024. Photo: Aaron Chown/PA Wire

Toby Murray, associate professor in the School of Computing and Information Systems at The University of Melbourne, explained how the problems meant computer systems around the world were unable to operate, apparently as a result of the update. Some IT departments trying to mitigate the damage have reportedly removed CrowdStrike-related files from affected systems to try and restore functionality. Others have reported success by restarting their Windows machines in ‘safe’ mode.

“CrowdStrike Falcon has been linked to this widespread outage,” Prof Murray explained. “CrowdStrike is a global cybersecurity and threat intelligence company. Falcon is what is known as an endpoint detection and response platform, which monitors the computers that it is installed on to detect intrusions – hacks – and respond to them. That means that Falcon is a pretty privileged piece of software in that it is able to influence how the computers it is installed on behave.”

He added: “Falcon is a bit like anti-virus software. It is regularly updated with information about the latest online threats, so it can better detect them. We have certainly seen anti-virus updates in the past causing problems. It is possible that today's outage may have been caused by a buggy update to Falcon.”

While CrowdStrike is far from a household name, the IT shambles will ensure it is better known from now on. As a provider of cybersecurity services, the firm has previously been enlisted to help firms in the aftermath of online attacks. For example, it was involved in the investigation into how Sony Pictures had its computer system hacked in 2014.

A major global IT outage has been linked to problems with Microsoft Windows and a firm called CrowdStrike. Picture: Dominic Lipinski/PA

The scale of Friday’s disruption represented the biggest IT outage since the WannaCry cyberattack seven years ago, which impacted an old version of Windows and spread like wildfire to any computer that had the out-of-date and unprotected operating system software installed. That attack hit an estimated 300,000 computers in around 150 countries.

The outage will raise questions of how an issue with a content update to one firm’s software can have such a devastating international impact, and spark debate over whether global systems should be so reliant on such a package.

Ilkka Turunen, field chief technical officer at open source software firm Sonatype, said: “It’s definitely a supply chain style incident – what it shows is that one popular vendor botching an update can have a huge impact on its customers and how far a single well-orchestrated update can spread in a single night. It’s not yet clear if the contents were due to malicious reasons, but it shows how quickly targeted attacks on popular vendors could spread.”
