CrowdStrike Outage Has Roots in Microsoft’s Antitrust Problems

Microsoft this morning raised an interesting point about the CrowdStrike Internet outage that continues to bedevil customers using its Azure cloud services and Windows. This point is just the latest in a series of ongoing misunderstandings about the outage, and it’s an important one that further exonerates Microsoft from blame.

A Microsoft spokesperson told The Wall Street Journal that it was forced by the European Commission (EC) in 2009 to open up Windows to third-party security companies, giving them the same level of access to Windows that it gets itself. The implication is that this is the root cause of the outage, because CrowdStrike, which caused the outage by deploying a bungled security update, is among those companies that benefited from this deeper level of access to Windows.

Microsoft has been reeling from the misplaced blame that’s been heaped on it since the outage began Friday morning. You can sense the frustration.

“A Microsoft spokesperson would not have to make this point if the reporters did their jobs,” Microsoft’s chief communications officer pointed out on Twitter.

Fair enough. Also, hilarious.

But we live in a world in which the press—mainstream press, sure, but also tech bloggers who should know better—routinely misreport what people are seeing on borked Windows PCs as “the Blue Screen of Death.” These reports are always accompanied by pictures of what people are seeing: A blue screen, yes, but not the BSoD. It’s a blue recovery screen. The Wall Street Journal article that got the quote noted above includes such a photo, and it starts off with the following: “The blue screen of death has been a dreaded symbol of technological failure since Microsoft’s Windows became the world’s dominant operating system in the 1990s. On Friday, it showed up on millions of computers around the world at once.”

No, it did not. And no, Microsoft was not (totally) to blame for this outage, from what we can see today; it certainly wasn’t the root cause, given that CrowdStrike quickly took responsibility for the outage.

But WSJ also claims that the freedom given to software developers on Windows is “an inherent trade-off” with the platform. “When things go wrong, the results can be catastrophic, as millions discovered on Friday,” it notes.

It then goes on to praise Apple—a company now locking horns with the same European Commission regulators that apparently hobbled Windows—for its closed ecosystems, with a security firm CEO claiming that Apple’s App Store provides “a healthier balance.” But this, too, is a misunderstanding: The “App Store” he refers to is the iPhone/iPad app store, and those platforms are quite different from Windows. Apple also makes the Mac, which has an App Store, but as with Windows, those users are free to get software from anywhere, including the web.

But just as Microsoft has been doing what it can to lock down Windows—this is part of its push away from insecure local accounts to managed Microsoft accounts (MSAs) and Entra ID accounts—Apple has done what it can to lock down the Mac. And Apple, ever more aggressive in cutting off the legacy technologies that Microsoft’s customers rely on with Windows, can do more: In 2020, the WSJ notes, it informed developers that it was cutting off their access to the macOS kernel for security reasons.

I’ll note that this was over a decade after Microsoft was forced to go in the opposite direction, but whatever: The WSJ found another security company CEO who told them that this change means that “a blue screen-style problem couldn’t happen on Macs.” Yes, yes. Macs are perfect, Apple is perfect. We get it. Or maybe it’s just that the Mac has such small market share that the European Commission couldn’t force the issue, and it’s not as big a target for hackers. Something more nuanced.

All platforms have vulnerabilities, and those that are used by the most customers—and/or the most lucrative customers from a theft perspective—are, of course, most commonly targeted by hackers. That this outage wasn’t technically Microsoft’s fault is an important fact, but the software giant has always dealt with bearing the ultimate responsibility, as the super parent, for this platform. When things go wrong, customers—the world—blame Microsoft.

But it is further interesting to me that this vulnerability, which impacted less than 1 percent of Windows PCs worldwide and was not an issue for any Windows PC-owning consumers, unfortunately did impact a small but important slice of the business user base, much of which is world-facing. In airports, train stations, hospitals, and all kinds of other places around the world, people are seeing blue screens—recovery screens, not the BSoD—on displays that should be displaying useful or critical information. And while we all chuckle to ourselves when Windows sometimes betrays its existence on these systems in calmer times, this one was serious. And in a sense, blame is beside the point. The conditions that allowed this problem to happen, to escalate the way it did, need to be addressed.

And that is something Microsoft can’t do by itself. Perhaps this is a good opportunity: In a year in which Microsoft has pledged to take security seriously again by making it a top priority, and has more specifically announced a major new Windows security push, it’s time for the industry—with or without regulators—to agree to new levels of security in Windows that will benefit everyone. This platform is too widespread and too obvious a target to allow this to ever happen again.

Thurrott