While the world has gotten used to warnings about cyberattacks and the vulnerability of technology, Friday brought a different wake-up call – a reminder that it doesn’t take an attacker to bring about a global meltdown.
A huge and widespread technology outage disrupted operations across multiple industries in several parts of the world Friday, grounding flights and impacting health care, banking, media, and government services, in what some called a “historic” breakdown, and the “largest IT outage in history.”
The outage was linked to a single software update pushed out by the cybersecurity firm CrowdStrike, which serves thousands of companies. The company’s CEO, George Kurtz, said the update was for Microsoft Windows systems, and in a morning media blitz he sought to assure his clients and millions of others who had been affected. Kurtz said terrorism had not been a factor, a fix had been shared with companies, and he expressed regret.
“We’re deeply sorry for the impact that we’ve caused,” he said on NBC’s “Today” show.
But the damage was profound, and experts said the episode served as a dramatic reminder of the world’s dependence on certain technologies, and the vulnerabilities many companies and individuals face when something goes wrong.
“As we get more and more dependent on complex IT systems, the points of vulnerability multiply,” said Michael Chertoff, a former Secretary of Homeland Security and a Cipher Brief expert. “We’ve become so dependent on using cyberspace as a way of controlling our physical activities and not just information, that increasingly we see that even an innocent error can cause a ripple effect across a whole number of different infrastructures.”
The outage even prompted questions for Secretary of State Antony Blinken and Joint Chiefs Chairman Charles Q. Brown, who were at a global security conference speaking about Ukraine, Gaza and other global flashpoints.
While Gen. Brown said there had been “no impact on DOD operations,” he called the incident a warning of the nation’s vulnerability to cyberattacks.
“It does underscore some very basic things,” Blinken said. “We have to continue to build resilience in our systems. We have to continue to build redundancy. We have to continue to diversify, so we're not reliant…on any single point of failure.”
For several hours Friday, that “single point” sent many companies and customers into a tailspin. All because of what Kurtz called a “content bug.”
The impact
The CrowdStrike error occurred early Friday and quickly crippled operations in a range of sectors, in many parts of the world. The CNBC host Sara Eisen said the impact was felt “from McDonald's stores in Japan to 911 Emergency Services to the airlines.”
At least five U.S. air carriers grounded flights in the immediate aftermath – a shutdown that canceled more than 2,000 flights. United, Delta, American, Allegiant and Spirit Airlines all reported cancellations, and major airports in other countries were affected – among them Sydney, Berlin, London and the busy Asian hubs of Singapore and Hong Kong. Some carriers resorted to manually checking in passengers.
Major shippers were hit – FedEx and UPS reported disruptions – as were several banks in the U.S., India, Australia and Germany. Perhaps most alarming, health-care systems were impacted in several countries; major hospitals reportedly canceled non-critical surgeries, and in the U.K., booking systems for doctors were shut down. The U.S. Emergency Alert System said that in some parts of the country, 911 emergency lines were offline for several hours.
Many of the affected companies had begun to recover by Friday afternoon, but spillover impacts lingered in many sectors, as did, above all, concerns about how to avoid getting battered if and when the next outage comes.
The repair job – and the fears
Kurtz said that while many affected companies were able to simply reboot their systems, others might require a manual update – a “hand fix” – to correct the problems. And he acknowledged that may take time.
“Some systems may not fully recover, and we're working individually with each and every customer to make sure that we can get them up and running and operational,” Kurtz told CNBC. “There could be some manual steps involved.”
And while CrowdStrike insisted that the event had no connection to America’s adversaries, experts and officials worried that would-be hackers might use the episode to glean information about systemic weak points. Officials have blamed Iran, Russia and China for recent hacks against U.S. critical infrastructure, and Friday’s outage prompted questions about American vulnerabilities to future attacks.
“I’m sure there’ll be those…bad actors that seek to exploit the opportunity to infiltrate their own malware,” Chertoff said, and Gen. Brown, the joint chiefs chair, acknowledged the danger.
“This should be a reminder to us of why it's important from a cybersecurity piece, not only at the governmental level (but) all the way down to your local homes, to protect ourselves and be best postured,” Gen. Brown said. “I am sure our adversaries are looking at this as a way to…put sand into gears if we're trying to generate combat power to go to respond to a crisis anywhere around the world.”
As CNBC’s David Faber put it to Kurtz, the CrowdStrike CEO: “I think a lot of people say, ‘My God, if this can happen just from a simple update of content, what in the world could our real adversaries, such as the Chinese, do to us?’ How do you answer that?”
Kurtz’s reply was only mildly reassuring.
“Well, this is the challenge with cybersecurity,” he said. “When you look at infrastructure and you look at keeping the bad guys out, I mean, there's incredible capabilities that the Chinese government has, and this is…why we focus on being able to protect against these sort of attacks. Obviously it was an issue that we're dealing with, but the sophistication of the adversary shows how vulnerable we are.”