When in doubt, blame Europe: Microsoft pins fault for CrowdStrike fiasco on the EU

If you were unfortunate enough to spend last weekend in an airport, your travel plans were probably wrecked by a widespread “blue screen of death” mishap that shut down 8.5 million Windows-powered devices, causing US airlines to cancel more than 5,000 flights on Friday and Saturday. The cause of the computer outage was a faulty software update pushed by cybersecurity provider Crowdstrike to Microsoft devices, and Microsoft blamed the system vulnerability that caused this software issue on a 2009 agreement with the EU. From The Telegraph:

Microsoft has blamed EU rules for enabling a faulty security update to cause the world’s biggest IT outage. The software giant said a 2009 agreement with the European Commission meant it was unable to make security changes that would have blocked the CrowdStrike update that triggered widespread travel and healthcare chaos on Friday.

CrowdStrike’s Falcon system, designed to prevent cyber attacks, has privileged access to a key part of a computer known as the kernel. This meant that a faulty update last week resulted in millions of Windows computers and servers being unable to load at all, leading to flight cancellations, contactless payments not working and GP surgeries being unable to make appointments.

Microsoft, which offers its own alternative to CrowdStrike known as Windows Defender, agreed in 2009 to allow multiple security providers to install software at the kernel level amid a European competition investigation.

In contrast, Apple blocked access to the kernel on its Mac computers in 2020, which it said would improve security and reliability. A Microsoft spokesman told the Wall Street Journal that it was unable to make a similar change because of the EU agreement.

For context, the “kernel” is a computer program at the core of its operating system, and buggy software updates that interact with an operating system’s kernel can, as we saw with Crowdstrike, wreak havoc on devices using that OS. Apple runs a closed operating system, locking third-party software providers out of its kernel, which safeguards its devices from incidents like this.

I wrote last week about the EU’s obsession with obscene fines for US big tech companies, so it’s fitting that Microsoft is now blaming European regulators for its 8.5 million device failure. Ben Thompson provided excellent background to Microsoft’s explanation:

Two of the companies seizing this opportunity in the 2000s were Symantec and McAfee; both reacted with outrage in 2005 and 2006 when Microsoft, in the run-up to the release of Windows Vista, introduced PatchGuard. PatchGuard was aptly named: it guarded the kernel from being patched by 3rd-parties, with the goal of increasing security…

Symantec, meanwhile, went straight to E.U. regulators, making the case that Microsoft, already in trouble over its inclusion of Internet Explorer in the 90s, and Windows Media Player in the early 2000s, was unfairly limiting competition for security offerings. The E.U. agreed and Microsoft soon backed down.

Basically, Microsoft wanted to lock third-party security software providers out of its kernel, two of said software providers cried “anti-competitive!” EU regulators agreed, and Microsoft dropped its efforts to block kernel access. Eighteen years later, a security software provider with kernel access pushed an update that shutdown millions of computers, which wouldn’t have happened if that software provider didn’t have kernel access. The EU, for what it's worth, denied responsibility for the computer failure.

Considering that 72% of global desktop computers run on Microsoft operating systems, it will be interesting to see if the tech giant can leverage the Crowdstrike bug to reverse the EU’s open-OS stance on Windows.