Microsoft global tech outage: When all systems in the world go down

The tech outage marks the risk of depending on a single firm's software, report Shivani Shinde & Ashutosh Mishra

The technology outage on Friday proved the peril of an increasingly interconnected digital world. A software update by cybersecurity firm CrowdStrike affected 8.5 million Microsoft Windows devices, causing one of the largest tech outages. Less than 1 per cent of Windows machines were affected, according to Microsoft, but it had a cascading effect on centralised software systems.

CrowdStrike’s Falcon update led to the ‘blue screens of death’ in Windows systems, disrupting emergency services, airlines, financial transactions and individuals.

The outage raised questions about the rising trend of single point of failure in technology infrastructure and centralised software dependency, where the control of critical systems sits with a single vendor.

Centralised dependency

“This has nothing to do with the Cloud. This was a failure of massive centralised software dependency. When you have one centralised software dependency across so many industries and countries, and when it goes down centrally then this is what happens. Add to this is the fact that it is a proprietary piece of software, which means only its maker knows what is happening. Everyone has to wait for that one company to explain what broke,” said Kailash Nadh, chief technology officer of Zerodha, a leading stockbroker.

A centralised approach means that critical software worldwide relies on one opaque service. “Irrespective of whether there is more than one such product, if they're all controlled online by an external entity which is highly centralised then such issues 

can happen.”
 

Zerodha runs in-house computer security systems and uses open source technologies. “It (security modules) doesn't leave our premises. It doesn't connect to the internet and it's not controlled by an external entity. It's managed and controlled by us fully internally. So even if something went wrong, it would only impact Zerodha, and not the entire world,” said Nadh.

The Falcon glitch is not the first time that failure in a single piece of software has pulled down systems. In 2023, employees of the Federal Aviation Administration in the United States  (US) accidently deleted computer files when they updated a database.

It disrupted a system used to communicate with pilots, leading to the cancellation of thousands of flights. Last year, when AT&T updated a software in the US it caused thousands of customers to lose telecom connectivity. 

The Falcon outage was wider and raises the question of whether enterprises should trust a single vendor like CrowdStrike.

Neil MacDonald, vice-president and distinguished analyst at Gartner, said the issue will force companies to review their vendor portfolio and contracts. “First, where there is concentration risk in an IT (information technology) vendor, does the vendor have documented and third-party evaluated development processes to prevent this type of issue? Second, what penalties does the vendor have for releasing faulty software that results in downtime? 

“Third, outside of cyber insurance (it covers downtime and losses from attacks), does the company have any business outage/downtime coverage? And fourth, in the event IT systems are down, what are the business continuity and resiliency plans for reaching employees in these types of occasions where their computer may be unavailable,” said MacDonald. The CrowdStrike outage is like a “wake-up call for businesses”.

Impact on India

The outage largely spared India because the Falcon software does not have wide adoption. The country’s startup ecosystem largely uses open source technology. 

“A new startup using open source technologies is unlikely to use these dependencies (on a single vendor). Servers would most likely run on Linux. This is also why you would have seen that this outage impacted institutions running old-school technologies, like banks, railways and hospitals,” said Nadh.

Pavan Duggal, a Supreme Court lawyer and cyber law expert, said countries should consider setting up national frameworks for cybersecurity. “India still does not have a dedicated law on cybersecurity. We have still not implemented the National Cyber Security Strategy of 2013. Though India has the Indian Information Technology Act 2000, it not being a cybersecurity law does not effectively cover all ramifications and legalities,” he said.

The Digital Personal Data Protection Act 2023 is silent on cybersecurity, he said.

Mishi Choudhary, founder of Software Freedom Law Centre, said that for any malicious cyber act, one can take action under the IT Act and the Bharatiya Nyaya Sanhita.

“What we do need is mandatory business continuity plans for all companies and vendors to be written into contracts. Such that they are not just paper tigers but actually work. Two, insurance coverage for such outages. Three, move away from reliance on 

one vendor like Microsoft to run all of the systems and move to open source,” she said.