Analysis: CrowdStrike Isn’t The Only One To Blame Here

Amid fallout from a massive worldwide outage, CrowdStrike CEO George Kurtz noted that keeping up with hackers requires frequent updates to security tools—and sometimes, something breaks.

Maybe it’s too soon to make this point, with travelers still stranded at airports, patients facing health-care disruptions and other widely felt impacts worldwide from CrowdStrike’s defective software update.

But I’ll make the point anyway: While CrowdStrike clearly messed up here, it isn’t the only responsible party.

That’s because what CrowdStrike does is fundamentally different from what other types of software vendors do. CrowdStrike makes software to protect devices against hackers who are changing up their tactics on a continual basis. That means its software has to be updated constantly to keep up with the attackers.

Today, something in one of those software updates broke, leading to the Microsoft outage chaos we’ve been seeing this morning.

In an interview with the Today show Friday, CrowdStrike CEO George Kurtz did not try to shift blame for the outage away from his company, where it is deserved. But he also made the entirely valid point that it’s not exactly easy to keep up with the hackers in 2024.

In his comments, Kurtz put things this way: “When you look at software, it is a very complex world and there’s a lot of interactions. And always staying ahead of the adversary is certainly, you know, a tall task.”

From my experience of interviewing Kurtz multiple times, I can attest that he is much more of a straight shooter than most other major tech CEOs. My take on his comments here is that Kurtz is simply stating the facts of the situation and doesn’t seem to be trying to deflect blame (as some other CEOs are wont to do).

The reality is that cybersecurity is, indeed, a “tall task” and what CrowdStrike and other major security vendors are accomplishing generally doesn’t get noticed. They only get noticed when something goes wrong, such as when an attack gets through, or when there’s an outage like we saw today.

We don’t yet know specifically what CrowdStrike did wrong. But what we do know is that they have been getting things right 99.999 percent of the time, or they wouldn’t have grown to the size they are today, with the ability to hobble global air travel and health-care services with a single software bug.

Long story short, this is a more nuanced story than just saying CrowdStrike deserves all the blame. A healthy share of the blame must also go to the relentless cybercriminal ecosystem that has made this type of constant updating necessary.

Maybe it’s too soon to say for sure, but when the dust settles, I strongly suspect that most customers will come to this perspective on the situation. Threat actors in 2024 are increasingly sophisticated, dynamic and fearless, and stopping them will continue to require constant software updates, not all of which, unfortunately, will be flawless.

A global outage meltdown is awful, but the alternative—using security tools that aren’t equipped to stop hackers—is much, much worse.