The Aftermath: Who is to Blame, Microsoft or CrowdStrike or both?
The Aftermath: Who is to Blame, Microsoft or CrowdStrike or both?
Guest writer Kevin Landers asks the question we all have asked after the recent CrowdStrike failures in, “The Aftermath: Who is to Blame, Microsoft or CrowdStrike or both?”
The recent lawsuit and threat of additional legal action by Delta has left many questioning who should be held accountable: Microsoft, CrowdStrike, or both?
You have to be living under a rock not to have heard about the incident. In mid-July, a significant IT outage affected 8.5 million Microsoft Windows machines, resulting in operational and financial damages estimated in the billions of dollars.
The Fallout Begins: Legal Actions and Blame Game
As the dust begins to settle, the next phase in such incidents, the lawsuit stage, has commenced. Shareholders have already filed at least one class action lawsuit against CrowdStrike, and Delta Air Lines might soon join the fray. In an interview with CNBC, Delta Air Lines CEO Ed Bastian revealed that the July 19th outage, triggered by a CrowdStrike update, cost his company half a billion dollars over five days. The airline had to cancel over 5,000 flights, and blue error screens were visible at airports days after the initial crash. Delta incurred significant costs, including physically resetting over 40,000 servers and compensating affected travelers.
Where Does the Responsibility Lie?
The primary question now is: who is to blame for this fiasco?
CrowdStrike’s Accountability
At the forefront of the controversy is CrowdStrike, whose apparent negligence led to the cybersecurity provider pushing a kernel-accessing content update through flawed QA-testing software. The criticism directed at CrowdStrike is severe and, many argue, well-deserved. Their oversight caused substantial operational disruptions and will likely face significant legal repercussions.
Microsoft’s Role
Microsoft’s role in this incident is also under scrutiny. However, the situation isn’t as straightforward. To understand this, it is essential to delve into the background of how Microsoft’s developer tools work.
Microsoft provides developers with various layers of access to the operating system, from high-level UI features to low-level system kernel functions. This tiered access system has traditionally ensured the safety of Windows desktop applications. However, a 2009 EU regulatory ruling forced Microsoft to grant third parties more kernel access, aiming to create a level playing field between third-party security vendors and Microsoft’s own products.
Opinions and Arguments
Argument 1: Microsoft’s Limited Accountability
Some argue that Microsoft cannot be held fully accountable, as they were compelled by regulatory requirements to provide more kernel access. The company was forced into a position where it had to allow third-party developers, including security vendors, the same access as its own products. From this perspective, Microsoft’s hands were tied, and the responsibility for the flawed update lies squarely with CrowdStrike.
Argument 2: Microsoft’s Responsibility
On the other hand, some contend that Microsoft still had a responsibility to ensure the safety and integrity of kernel-level code. Critics argue that Microsoft should have implemented more rigorous testing or alternative approaches, such as creating an out-of-kernel API for security vendors to use. The fact that a flawed update could cause such widespread damage suggests a lapse in Microsoft’s oversight.
The Broader Implications
This situation raises broader questions about Microsoft’s approach to software development. Has the company prioritized feature cramming and quick releases over quality, testing, and maintenance? The incident with CrowdStrike might indicate a shift in focus that could have far-reaching implications for the software giant and its users.
Conclusion: A Prolonged Legal Battle Ahead
As the legal proceedings unfold, it is clear that this will be a lengthy and complex case. Both CrowdStrike and Microsoft will likely face intense scrutiny as the courts determine who bears the ultimate responsibility. The outcome will not only affect these companies but also set a precedent for how similar cases might be handled in the future.