Planes grounded, trains delayed, television stations off air, hospital appointments cancelled, electronic payments halted. No, it wasn’t the start of a massive cyber-attack from Russia, or the backdrop to a Hollywood blockbuster, but an IT upgrade that unexpectedly went disastrously wrong.
That it had such widespread effects is to some extent testament to the ubiquity of Microsoft’s Windows’ operating system, a well-known global dependency, and more particularly to a faulty software update pushed out by the security and anti-virus company CrowdStrike to its widely used Falcon software system.
Such software updates are automated – the process should be too boring and too routine to check – but they create a vulnerability and if there is a serious problem (in this case the upgrade crashed Windows computers) it can result in a catastrophic cascade nobody would have anticipated.
The question now is how fast those affected can bounce back. Flights will eventually restart but what about the impact on smaller businesses? Will the UK’s under-pressure health service be able to catch up with missed appointments? Have organisations got effective backup systems? The costs will take time to count.
Only a day ago the first report of the UK Covid inquiry concluded that Britain was far too optimistic in its planning – or rather lack of planning – for a pandemic. “Ministers and officials were guilty of ‘groupthink’ that led to a false consensus that the UK was well prepared,” the 240-page Hallett report concluded.
Some believe the Labour government has an opportunity it can seize, bringing questions of information technology into the discussion about national resilience. “This is a good moment to reflect on the issues raised,” said one former senior civil servant. “The UK – and other countries – need to consider whether they are on top of technology risk.” On Friday’s evidence, it is not obvious this is the case.
This time the cause appears to be human error, though it is too early to be definitive. The system of automatic software updates to core but boring software has been exploited before, and that time it was by a hostile state.
In 2020, Russian hackers linked to Moscow’s SVR foreign intelligence agency managed to hack into an update of the network management software Orion, manufactured by SolarWinds, and used it to gain access to several US government departments, including the Pentagon and the Treasury.
It was not clear how far they were able to use it for espionage, but the US was seriously embarrassed by the vulnerability. More to the point, hacker attacks by Russians have not gone away.
Though the idea of a full-scale cyber conflict with Russia – which, some argue, would amount to a declaration of war – is remote, the fact remains that for a morning at least there was widespread disruption when a software update went wrong and points to a systemic vulnerability that could be exploited more destructively.
Ukraine has come under repeated cyber-attack from Russia since the start of the invasion in February 2022, with the most serious episode occurring in December 2023 when Kyiv’s leading telecoms operator Kyivstar was knocked out for days with a destructive virus wiping out servers. Hackers had been lurking in the system for months, preparing, the phone company believed.
Computer viruses and malicious code do not respect national boundaries, and it remains a concern that a vulnerability exploited for one purpose – the war in Ukraine – could spread elsewhere. It happened before, in 2017, when the NotPetya attack aimed at Ukrainian companies spread indiscriminately, nearly bringing the Danish shipping company Maersk to its knees.
The immediate question is how quickly and completely can affected companies and organisations recover. But the wider concern is that widespread software disasters – whether accidental or malicious – keep happening and there is not an obvious way of eliminating them.
It will not have been CrowdStrike’s intention to produce an update that crashed Windows computers. That it did so underlines how complex and interconnected modern digital systems are. Less than three years ago Facebook went down for several hours, in October 2021, severing communications on the social network and Instagram and affecting hundreds of businesses.
As Ciaran Martin, a former director of Britain’s National Cybersecurity Centre, says: “This is a very, very uncomfortable illustration of the fragility at the core of our technological world.” But the point is more than just philosophical: the consequences of a more serious collapse could be severe.