Crowdstrike's calamity


It might be because your company is a customer of Crowdstrike Holdings Inc. More likely, you were trying to catch a flight that was delayed or cancelled because the airline relied on Crowdstrike. Or you walked through New York's Times Square with the eerie sight of blank digital billboards around you.

Millions of Windows computers, and especially ones running large, global systems, were afflicted by a botched update for the cybersecurity company's anti-ransomware software last week. It wasn't a hostile act but rather a snafu with the digital infrastructure designed to guard against bad actors.

The event, with impacts propagating from Tokyo and Mumbai to London and Zurich, was the biggest global IT outage in recent memory — and quickly let the world know how much of the private and public sector relied on this single name, Crowdstrike. A leader in the business of so-called endpoint security, the company has played a prominent role in fighting against cyberattacks. This time, it earned less flattering headlines.

A storm of online comments coincided with a media tour by Crowdstrike CEO George Kurtz and a memo from the cyber firm's support teams to some customers prompting them to try rebooting 15 times.

This was the latest example in a series of IT incidents this year, including hacks, which show how large swaths of the corporate and government realms depend on very few, or even single, vendors for stuff that's really important. And while that's a risk, in a world where everything is a computer and cyber threats are constant, is that just the cost of doing business?

As my colleague Jordan Robertson noted in his reporting, Crowdstrike's technology is expensive. It's effective, but if it's almost $50 per machine, and you're an organization running thousands of Windows computers, only mission-critical PCs are going to have it installed. And if those super important computers go down, you'll have a problem running the business.

"Nearly every industry around the world has been affected, Salesforce included," Salesforce AI CEO Clara Shih told me on Bloomberg Technology. "I think there's an inevitability when it comes to technology, and it really underscores the importance of working with trusted partners."

Last month, people all over the US (myself included) learned more than you could ever imagine about the importance of a little-known software company called CDK. Its software helps dealers with the buying and selling of cars, and a cyberattack had knocked CDK's dealership management system offline for almost two weeks.

The impact was so severe that big dealer networks like AutoNation had to warn there'd be an impact to bottom lines. It served as a reminder that having a single system for all front and back office functions in many of the car dealerships around the country was probably not such a hot idea.

Sticking with four wheels and returning to the Crowdstrike saga, Tesla Inc. boss Elon Musk said on X that "unfortunately, many of our suppliers and logistics companies use it." He'd stated in an earlier post on his social network that "we just deleted Crowdstrike from all our systems, so no rollouts at all."

In its most recent 10-K regulatory filing, Crowdstrike says it had 29,000 customers with a subscription. That figure refers only to companies or organizations — each one of those could have many, many computers covered by the deal. The math's hard to do, but it's easy to see the bigger picture.

I also had coffee last week, prior to the Windows mayhem, with another CEO in the world of finance. They argued that each company you partner with represents potential exposure or a risk down the road. This West Coast executive saw such vulnerabilities as a part of doing business today and offered a way to limit risk: have lots of partner companies supporting different segments of your operation.

"We as an industry will learn from this, we always do," McAfee CTO Steve Grobman told me on Bloomberg Technology, reflecting on the parallels in scale between the Crowdstrike outage and the WannaCry ransomware attack in 2017. "We are moving very quickly and we need to learn how to do that with the minimal risk possible of introducing technology defects that cause the issue that we saw."

Markets reacted severely to Friday's event, in part because financial market exchanges and trading floors were early victims of a hit to shared IT infrastructure.

One idea put forward by our Bloomberg Intelligence colleagues (Bloomberg's in-house analysts) is that the outage could spur a move by cloud service providers — like Windows maker Microsoft Corp. — away from allowing additional software the access to make underlying system changes when securing that system.

The curious bit about this whole story is that Microsoft is probably the closest rival and No. 2 player to Crowdstrike in the market for endpoint security. If you're going to flee Crowdstrike because of this mishap, do you really want to land in the lap of the other company involved in Friday's fiasco?

—Ed Ludlow
