News on Argentine law and legislation for the citizen

Global IT Chaos: CrowdStrike Update Crashes Windows Systems Worldwide. Legal issues

Unforeseen Incompatibility with Windows Leads to Major Operational Disruptions and a 13% Stock Drop for the Cybersecurity Leader. What is the legal liability?

On the night of July 18th, CrowdStrike, a leading provider of cybersecurity solutions, released an update to its Falcon platform. This update turned out to be incompatible with Windows, causing numerous computers to display the dreaded “blue screen of death” (BSOD), a critical error that prevents systems from booting up.

Technical Details of the System Crash

The CrowdStrike update aimed to enhance security on millions of devices. However, due to an unforeseen incompatibility with the Windows operating system, the update caused massive system failures, significantly impacting operations of numerous businesses and organizations worldwide.

Affected systems couldn’t start, leading to widespread operational paralysis in many globally impactful organizations. This incident highlighted…

As an emergency measure, CrowdStrike recommended users delete a specific file and restart the affected systems. However, this file was protected by BitLocker, Windows’ encryption system, complicating the implementation of this solution. Companies are resolving everything manually.

BitLocker is a Microsoft tool that encrypts hard drives, protecting data with highly secure passwords. In many companies, only a few people know these passwords, meaning CrowdStrike’s solution required physical access to each affected computer. This process was slow, increasing downtime and user frustration (see below for legal issues).

Stock Market Impact

As a direct consequence of the incident, CrowdStrike’s shares fell by 13% in pre-market trading. Investors responded negatively to the news, reflecting a loss of confidence in the company’s ability to handle critical updates without causing significant disruptions. The economic impact of CrowdStrike’s massive failure could be enormous.

Delays in Bank Applications and Flights

As a result of the incident, several flights were delayed. Although work is being done around the clock to resolve it, the involvement of specialized IT personnel is required. This may entail legal liability and the right to compensation for lost time.

Microsoft 365 Access Issues

Some users may still be unable to access certain Microsoft 365 applications and services, including Teams video conferencing. The company was aware of the issue “affecting a subset of customers,” according to a Microsoft representative in a statement. “We recognize the impact this can have on customers, and we are working to restore services for those still experiencing interruptions as quickly as possible.” (Source: NY Times).

Other System Failures and Outages

Major banks, media outlets, and airlines were affected by a significant IT disruption.
Significant disruption to some Microsoft services.
911 emergency services were interrupted in several U.S. states.
Services on the London Stock Exchange were disrupted.
Sky News went off the air.

Solutions Underway for the Massive Failure

While CrowdStrike stated that “a solution has been implemented,” it is unclear how long it will take to distribute it to the large number of affected customers and all of their employees’ devices. The issues could “take days, if not weeks, to resolve,” said Vasileios Karagiannopoulos, a cybersecurity researcher at the University of Portsmouth. He added that the problems were “so global and extensive in the systems that technical support might be scarce due to demand.”

Kevin Beaumont, a cybersecurity researcher, said in social media posts that CrowdStrike customers were facing an “incredibly painful” process to resolve the issue. “Recovery is only possible manually,” he said. “You have to go to a server or PC, start it in safe mode in the console, log in as an administrator, and basically hack the system to bring it back online.” (Source: Financial Times).

Meanwhile, CrowdStrike communicated that “it is actively working with customers affected by a defect found in a single content update for Windows hosts. Mac and Linux hosts are not affected. This is not a security incident or cyberattack.”

Its CEO added that “the issue has been identified, isolated, and a solution has been implemented. We refer customers to the support portal for the latest updates and will continue to provide comprehensive and ongoing updates on our website. We also recommend that organizations ensure they contact CrowdStrike representatives through official channels. Our team is fully mobilized to ensure the security and stability of our customers” (source).

Legal Implications of the Microsoft Windows System Failure

This incident raises several relevant legal issues:

Liability for Damages: Affected companies might consider lawsuits for damages against CrowdStrike due to the interruption of their operations. Whether CrowdStrike was negligent in not foreseeing the update’s incompatibility with Windows will be central in any litigation. That will possibly depend on the relevant clauses of the agreements with software and IT providers.

Data Protection: The need to access systems protected by BitLocker involves additional risks related to data protection and privacy. Companies must ensure that any access to passwords and encrypted data complies with current data protection regulations.

Compliance with Security Standards: This incident underscores the importance of cybersecurity standards and risk management. Organizations must review and update their security protocols to prevent similar issues in the future. Unfortunately, there was a single point of failure.

User Responsibility: Companies must compensate users and affected individuals for lost time and incurred expenses. The failure of their own systems, even if global, does not qualify as force majeure.

“One of the complicated parts of security software is that it needs to have absolute privileges over the entire computer to do its job,” a cybersecurity consultant told The New York Times. “So, if something is wrong with it, the consequences are much greater than if your spreadsheet doesn’t work.”

Software companies face few responsibilities for major disruptions and cybersecurity incidents. The economic and legal penalties for such massive disruptions may be so minimal that companies are not motivated to make more fundamental changes. “Until software companies have to pay a price for defective products, we won’t be any safer tomorrow than we are today,” they added.
