Crowdstrike did not have a good day on July 19. During a routine software update, the file that the cybersecurity firm issued triggered a logic error that prohibited Windows machines from rebooting. Microsoft estimates that around 8.5 million computers may have been affected by the event.
This created a tsunami of downstream consequences, as computers that supported numerous industry operations were unable to coordinate and process data.
For air travel, the net effect was the cancellation of more than 10,000 flights since July 19, as reported by FlightAware, with Delta Air Lines particularly hit hard. Using very conservative estimates, if each flight was booked on average with 64 people, and the average cost of a ticket was $290, the lost direct revenue on these days totaled more than $180 million.
Given that some of these people had to cancel hotel rooms and car rentals, and perhaps even miss cruises, the secondary effects of the outage in the hospitality industry alone are likely many times more than this.
In some areas, 911 services were unreachable, which meant that emergency calls for heart attacks and accidents went unanswered. Some of these missed calls may have resulted in deaths, for which no financial value can be placed.
Numerous large hospital systems around the nation were also affected, forcing nonemergency procedures and office appointments to be canceled or delayed.
Such a massive disruption has not gone unnoticed. The House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection requested a meeting with Crowdstrike CEO George Kurtz.
The question now being asked is: Who will pay for all these delays, cancellations and consequences?
The first group affected is investors on Wall Street, where more than $10 billion of value was trimmed from Crowdstrike’s market capitalization through July 22. How long it will take for Crowdstrike’s shares to recoup such losses remains to be seen.
The irony of the situation is that Crowdstrike software is designed to protect computers against viruses and malicious software. Yet the current outages did harm that rivals what a computer virus or malicious software could have unleashed. Using a war metaphor, what happened with Crowdstrike was akin to friendly fire.
The one saving grace from this event is that the fix to the problem file was not complicated, taking less than 80 minutes to identify and implement. However, damage had already been done to the 8.5 million computers affected, with some requiring manual deletion of the problem file and reboot.
Does this make Crowdstrike liable for all such work and efforts and the associated downstream damages?
Every software product that is available carries with it terms and conditions that limit its liability to the user in the events of any type of malfunction or disruption. In essence, users agree to hold the software owner harmless. Few of us ever take the time to read such agreements, even though we are bound by them.
Unfortunately, the outage is likely to spur a series of class-action lawsuits that will allow attorneys to argue on behalf of different classes of those harmed, seeking damages that ultimately will be settled out of court.
However, of greater importance is that the Crowdstrike outage shines a bright light on the fact that all organizations and entities that rely on computers are one bad file, one inadvertent keystroke or one software update away from a potentially destructive technology meltdown. Every organization and entity are exposed to such risks.
What happened with Crowdstrike could have happened with any one of the many other security software companies, though perhaps not on such a large scale. This is the price that we all pay for enjoying the benefits of cyber efficiency and access to the digital economy.
No one wants to return to a paper-centered world, manually undertaking tasks that can be completed digitally thousands of times faster and more accurately.
This outage also provides a sneak peek into the future of how glitches in artificial intelligence systems may lead to cyber meltdowns, disrupting financial, transportation and health systems far beyond what any group of people could cause on its own.
Crowdstrike may carry some liability for what happened July 19, yet the demand for efficiency offered by our digital economy is just as complicit.
The next several months will be interesting to observe as these liability issues are unraveled, discussed and explored. The alternative to what Crowdstrike offers — namely, no cyber protection — is far more dangerous than what transpired July 19.
This is the reality of living in a digital economy. It carries numerous benefits and conveniences that we all enjoy. It also carries risks, some of which are obvious, such as viruses and malicious software, and some are not, as many organizations learned July 19.