The faulty software update that led to massive outages around the world was so destructive, some cybersecurity experts marveled at how it took down a greater number of machines than any malware creator could have ever dreamed of. The global disaster also sent IT teams around the world into crisis mode, since the mishap required a fix to be deployed on a machine-by-machine basis. A tedious recovery for a sudden crash.
What I’ve just described was, in fact, not anything recent — but, rather, a 2010 global Windows PC meltdown sparked at the time by a bungled McAfee update. Of course, that incident certainly sounds quite similar to CrowdStrike’s routine update of its cybersecurity software on Friday, which ended up setting off a snowballing disaster that affected the computer systems of governments, banks, hospitals, media organizations, and much more around the world. Microsoft said the disaster affected 8.5 million Windows devices. For the time being, I can’t even use my Starbucks mobile app to place orders as usual, that’s how pervasive the fallout from the CrowdStrike outage remains.
I didn’t bring up the McAfee situation, however, because of how similar it sounds to CrowdStrike’s. Instead, I simply want to point who was McAfee’s CTO at that time: George Kurtz, the man who’s now the CEO of — that’s right! — CrowdStrike.
Obviously, I’m not suggesting anything untoward here. At the very least, though, it’s pretty coincidental (at a minimum!) to be so adjacent to not one but two global computer system meltdowns. “We’re deeply sorry for the impact that we’ve caused to customers, to travelers, to anyone affected by this,” Kurtz said in an appearance on NBC’s “Today.”
I’ll leave it to smarter people than me to draw any additional insights from the reality of the current situation. All I can say is that it raises certain questions in my mind about corporate governance and about the kind of executives the cybersecurity industry is producing. And for more along these lines, I’d refer you to recent Glassdoor entries that blast things like that “Good pay, great product, iffy management” at CrowdStrike, as well as the fact that its “culture is toxic and can be damaging to one’s health.” Also: “KPIs driving behavior more than building relationships.”
For what it’s worth, Kurtz also reportedly left McAfee to launch CrowdStrike in response to what he perceived as the slow pace of evolution in security technology. He’s also cited, as an inspiration for launching CrowdStrike, watching a passenger on a flight wait for 15 minutes for McAfee software to load on his laptop. Was a “move fast and break things” attitude responsible for what happened yesterday?
Maybe. Given all of the above, it certainly sounds like Friday’s software update was probably rushed, had too few checks, and was the classic definition of an accident waiting to happen.
\