Bus shelters displaying the Windows "blue screen of death" July 22, four days after a faulty software upgrade by CrowdStrike. (Photo by Justin Sullivan/Getty Images)

Microsoft blames EU for global IT outage

Microsoft has blamed the European Union for a global IT outage it has said affected 8.5 million Windows devices.

The US software company “cannot legally wall off its operating system in the same way Apple does because of an understanding it reached with the European Commission following a complaint,” a Microsoft spokesperson told the Wall Street Journal.

The outages occurred because the EU prevented Microsoft from excluding external software providers such as Texas-based cybersecurity company CrowdStrike from “God tier” access to its Windows operating system, the company argues.

“In 2009, Microsoft agreed it would give makers of security software” such as CrowdStrike “the same level of access to Windows that Microsoft gets”, the Microsoft spokesperson added.

Microsoft’s communications lead Frank Shaw afterward quoted the spokesperson’s comment on X.

CrowdStrike pushed out an update on July 19 to devices using its antivirus software, but unfortunately, the update contained “a defect”, admitted the company’s chief executive George Kurtz.

“CrowdStrike (and others) hold a very privileged position in the Microsoft operating system stack,” Ross Brewer, managing director of the software company Graylog, tells Brussels Signal.

“The truth is, with great power comes great responsibility,” said Brewer.

“Microsoft most likely don’t have a program for real time testing of CrowdStrike’s daily (maybe hourly in certain circumstances) updates,” he added.

CrowdStrike “are saving the world every day” from hackers, “until the day someone messes up and doesn’t do the update properly, and releases it and blue screens everybody”, Brewer said.

“Last week was a bad week when the cure was worse than the cause,” he said.

CrowdStrike’s “agents require installation and maintenance of software on multiple different operating systems, adding layers of complexity and potential points of failure,” Al Lakhani, head of cybersecurity firm IDEE, told Brussels Signal.

This means “they can become a single point of failure, as a bad update can compromise the entire network,” he explained.

The crash, which spread to 8.5 million devices, caused chaos around the world. Altogether around 5,000 flights were cancelled, while television channels were knocked off the airwaves and doctors could not access their patients’ medical records.

Passengers line up at Hong Kong International Airport in Hong Kong, China, 19 July 2024. EPA-EFE/LEUNG MAN HEI

Microsoft argues all these outages occurred because the EU has required it to give companies such as CrowdStrike unrestricted access to devices running Windows.

“We can all appreciate the EU’s goal of advancing tech competition, but when it comes at the expense of depriving consumers and businesses of services, the consequences can be devastating–as we saw with the blue screen of death debacle,” New York-based consultant Glen Gilmore told Brussels Signal.

“Regulatory restrictions that limit freedom of choice in tech services can easily disenfranchise and harm the very people and entities they are intended to protect,” he added.

In 2009, Microsoft promised the EC it would give other security software makers complete (also called “kernel”, or more colloquially “God mode”) access to its Windows operating system.

The agreement was made to resolve an anti-competition complaint from the EC, after Microsoft lost a 2007 court case on the matter.

It stated: “Microsoft shall ensure that third-party software products can interoperate with Microsoft’s Relevant Software Products using the same Interoperability Information on an equal footing as other Microsoft Software Products.”

Critics pointed out that, under the agreement, Microsoft could still have created an out-of-kernel API (a software interface that lets two programs communicate with each other), for it and third-party security software makers to use.

This would have offered a more secure approach, experts said, while also observing the “equal footing” clause in its agreement with the EC.

Microsoft “have a point here, sort of”, said Ciaran Martin, an Oxford academic who was previously head of the UK’s National Cyber Security Centre.

He added: “‘I’m not sure that Friday’s global IT disaster was caused by the EU’s ineptly executed attempt 15 years ago to curb our monopolistic ambitions in the cybersecurity market’ is the slam-dunk argument the company seems to think it is.”

One computer scientist lamented to the BBC on July 19: “Never push an update on a Friday.”

The outage caused some 8.5 million devices to become stuck in a so-called boot loop and was the largest cyber-crash incident ever.

By comparison, the 2017 WannaCry ransomware attack, linked to North Korea’s Lazarus Group, affected just 200,000 computers.

By failing to prevent ransomware attacks such as WannaCry, the cybersecurity industry “has failed upwards to the point of having administrator access to almost every PC on earth, out of apparent necessity”, said Kevin Beaumont, director of emerging threats at the Arcadia Group.

A “small group of private cybersecurity companies with no external governance or assurance”, such as CrowdStrike, have managed to get “the keys to the kingdom — basically the global economy” by convincing regulators such as the EU they needed “God mode”, he said.

Standards and regulations in software security, in the EU and elsewhere, are set by “a small group of cybersecurity vendors in reality by whispering in the ears of governments and industry groups”, added Beaumont.

Businesses, as a result, were “one bad cyber update away from losing control of their company”, he concluded.

The controversy over the outage has not, though, led to an EU pause in tech regulation.

On June 22, the EC said tech giant Meta was “misleading” customers by describing Facebook and Instagram as “free”, when the company was actually selling users’ data to advertisers.

These are “sneaky practices that mislead consumers”, said Věra Jourová, the EC’s vice-president for values and transparency.

Microsoft has until September 1, 2024 to reply to the EC and its Consumer Protection Co-operation Network and propose solutions, according to the EC, or it will face fines and enforcement action.

“Subscriptions as an alternative to advertising are a well-established business model across many industries,” a Meta spokesperson told Brussels Signal.

“Subscription for no ads follows the direction of the highest court in Europe, and we are confident it complies with European regulation”, the spokesperson added.

Brussels Signal has approached Microsoft for comment.