Introduction
In July 2024 [5], a major technology outage occurred due to a faulty update released by CrowdStrike, significantly impacting Microsoft Windows hosts worldwide. This incident highlighted the critical need for operational resilience and a balanced approach to cybersecurity, emphasizing the importance of integrity and availability alongside confidentiality.
Description
In July 2024 [5], a significant technology outage occurred on July 19 when CrowdStrike released a faulty Falcon content update for Microsoft Windows hosts. This defect rendered devices inoperable for users worldwide [4], impacting millions of Windows systems across various industries, including healthcare [2] [6], banking [6], and air travel [6], and leading to widespread fears of a massive cyber-attack. The incident [1] [3] [4] [5] [6] [7] [8], attributed to inadequate testing and quality assurance [4], resulted in system crashes affecting approximately 8.5 million Windows hosts and caused severe operational disruptions, particularly for Delta Air Lines [3], which experienced the cancellation of 7,000 flights over five days [3]. The outage [5] [6] [7] [8], which led to an estimated $5.4 billion in damages, underscored the critical need for operational resilience among firms, particularly in delivering essential business services during severe disruptions [8].
This event highlighted the necessity for a reassessment of the balance within the CIA triad—Confidentiality [1], Integrity [1] [6], and Availability—in cybersecurity [1]. Historically, the industry has focused predominantly on confidentiality [1], often at the expense of integrity and availability [1], resulting in mistakes and inadequate testing of updates [1]. The outage was triggered by a complex phased global update process that included a configuration file and a subsequent Rapid Response Content Update [1], which failed due to a logic bug in the exception handling routines [1]. This failure not only caused widespread system disruptions, affecting IT systems, major airports [7], and critical infrastructure globally [7], but also emphasized the importance of firms having well-mapped essential business services and resources to prioritize recovery efforts effectively [7].
In the aftermath of the outage, New York State Comptroller Thomas P DiNapoli was named the lead plaintiff in a securities fraud class action lawsuit against CrowdStrike Holdings Inc [2]. The lawsuit [2] [3], filed in the US District Court for the Western District of Texas [2], alleges that CrowdStrike misled investors regarding its safeguards and quality assurance [2], claiming that the company’s failure to meet industry standards and inadequate software testing contributed to one of the largest cyber-disasters in history [2]. Delta Air Lines also filed a lawsuit against CrowdStrike [3], claiming negligence and demanding accountability for the incident [3], while CrowdStrike countersued [3], asserting that Delta’s slow recovery was due to its own outdated IT infrastructure and incident response processes [3].
Firms that had conducted scenario testing for severe but plausible incidents fared better during the outage, demonstrating the value of effective communication strategies that allowed them to quickly inform customers and stakeholders. The Financial Conduct Authority (FCA) engaged with firms to assess the incident’s impact, operational responses [5], and recovery efforts [5], finding that those investing in operational resilience and adhering to FCA rules were better equipped to identify impacts and prioritize important business services [5]. Organizations that had mapped their services and resources effectively managed to restore key services quickly [5], minimizing overall operational disruption [5].
The incident revealed the need for organizations to identify single points of failure in their infrastructure and technology [8], as well as to consider diverse procurement strategies to enhance resilience [8]. Regulated firms affected by the outage [8], which also provided services to other firms [8], experienced amplified disruptions. However, firms with detailed mappings of third-party relationships were able to swiftly assess their exposure and implement mitigating actions [8], aided by existing communication pathways with third-party providers [8].
To address these issues [1], three key shifts are necessary: enhancing transparency in product updates [1], reevaluating vendor testing practices [1], and improving testing environments for cybersecurity teams [1]. Vendors should allow customers to manually control updates and implement staggered deployment strategies to ensure stability and integrity [1]. Additionally, organizations must prioritize the establishment of robust testing environments to certify security updates [1], recognizing that security is now a critical component of infrastructure [1].
The CrowdStrike incident illustrates the potential consequences of neglecting the integrity and availability aspects of the CIA triad [1], urging both vendors and customers to recommit to a balanced approach that fosters resilience in cybersecurity systems [1]. Furthermore, awareness of incident response and crisis management processes among staff and management proved crucial [8], as firms with pre-defined communication plans were able to respond more effectively [8]. The FCA has emphasized the necessity for banks and other firms to prepare for severe scenarios similar to the CrowdStrike incident by March 2025 [7], recommending regular reviews of third-party management frameworks to strengthen risk controls [7]. A post-incident review is recommended to evaluate the overall effects of the disruption and to determine necessary changes to important business services or impact tolerances [8].
Conclusion
The CrowdStrike outage of July 2024 serves as a stark reminder of the vulnerabilities inherent in modern cybersecurity practices, particularly the need for a balanced focus on confidentiality, integrity [1] [6], and availability [1] [4] [6]. The incident underscores the importance of rigorous testing, transparent update processes, and robust incident response strategies. Moving forward, organizations must prioritize operational resilience, ensuring they are prepared for severe disruptions and capable of maintaining essential services. The lessons learned from this event should guide future cybersecurity strategies, emphasizing the need for comprehensive risk management and the strengthening of third-party relationships to mitigate potential impacts.
References
[1] https://www.darkreading.com/vulnerabilities-threats/can-automatic-updates-critical-infrastructure-be-trusted
[2] https://cbs6albany.com/news/local/new-york-comptroller-named-as-lead-plaintiff-in-lawsuit-against-crowdstrike
[3] https://securitydive.in/2024/11/04/delta-air-lines-it-outage-lawsuit-crowdstrike-countersues/
[4] https://dzone.com/articles/what-the-crowdstrike-crash-exposed-about-testing
[5] https://www.lexology.com/library/detail.aspx?g=5613de5e-fe99-4377-b189-671bbef8ac7e
[6] https://www.healthcarefinancenews.com/news/majority-cyberattacks-are-through-third-party-vendors
[7] https://www.digit.fyi/fca-declares-operational-resilience-deadline-for-crowdstrike-outage/
[8] https://www.grip.globalrelay.com/crowdstrike-outage-fca-publishes-lessons-for-operational-resilience/