Analysis

What can we learn from the Microsoft-Crowdstrike outage, and what does it mean for LatAm?

Bnamericas

The global IT outage prompted by a software update that endpoint cybersecurity firm Crowdstrike released for Microsoft's Windows systems is a one-of-a-kind event that will be widely debated and analyzed.

The incident is being depicted as an important learning experience regarding corporate relationships with technology suppliers in an increasingly virtualized, digitized world with growing levels of dependence on technology and on outsourced providers.

The primary effects will likely be felt in areas such as data protection, civil liability, damage insurance, single-vendor dependence and incident response systems, according to experts.

“This case is paradigmatic because it exposes the civil liability of software manufacturers. Suits that airlines will receive from consumers, for example, will be passed on. These companies will call on Crowdstrike, and potentially Microsoft, to respond,” Francisco Camargo, VP of the board of Brazilian software company association Abes, told BNamericas.

“In several years in the market, I have never seen anything of this magnitude,” he added.

According to Crowdstrike, the problem was related to an update to its Falcon endpoint software and was limited to Windows.

On Friday afternoon, shares in Microsoft were down by around 1%, while Crowdstrike stock had dipped by nearly 10% on US markets.

In Brazil, there were reports that applications provided by large banks, such as Bradesco and three big digital entities, had been affected. Brazil’s supreme court also reported tech issues.

“The big lesson to be learned from this episode is that more internal testing should be done before releasing an update to the market. Even when the manufacturer authorizes the process,” Marcelo Mendes, member of the Brazilian data security, protection and privacy institute (Ibraspd), told BNamericas.

According to Mendes, there is some diversity in companies' infrastructure and data platform layers and ultimately, in an ideal world, companies should not put all their eggs in one basket. On the other hand, dealing with multiple systems and multiple vendors creates more complexity for businesses, he argues.

“It’s a puzzle. The company has a system from one vendor, a cloud solution from another, data infrastructure from another, security orchestration from another. What do they all have in common? The operating system, physical or in the cloud,” said Mendes.

In 2023, approximately 88% of desktop devices in Brazil were operating on Microsoft Windows and most of the remainder were divided between OS X (3.7%) and Linux (2.6%).

CLOUD, OS, DEPENDENCE AND GOVERNANCE

In a broader sense, the episode could potentially shake enterprises’ growing trust in the use of public cloud systems, or possibly the concentration of these systems in specific clouds. 

Geraldo Pires, a cyber specialist and executive director of security company Rox Partner, says that governance processes will be rethought.

"Crowdstrike's responsibility is clear. As the solution provider, it should have validated the update across multiple versions of operating systems and scenarios before releasing it. However, companies are also co-responsible. We cannot delegate all security strategy to a tool, and it is essential that organizations have governance processes for each software update," Pires said in a statement.

Alexander Coelho, partner at Godke Advogados and a lawyer specializing in digital law and data protection, said Microsoft may also be held responsible.

"If the software failure is considered a breach of the terms of service or the contract between Microsoft and user companies, the companies may sue for damages. Additionally, they may allege negligence, arguing that Microsoft did not implement adequate measures to ensure stability and software security," he said in a release.

Umberto Rosti, CEO of Safeway, a company that integrates the Stefanini Cyber platform, noted that Crowdstrike is one of the most commonly used endpoint tools in the business environment.

“As a procedure, we recommend that every update be tested in a controlled environment before making it available in the production environment. The important thing is that corporations have procedures for identifying and resolving problems, that is, measures to recover from and deal with incidents,” the executive told BNamericas.

INCIDENTS IN LATAM 

In Latin America, Crowdstrike is not a particularly widely adopted platform compared with other endpoint market solutions from Cisco, Trend Micro or Sophos, for example. 

However, the company has been investing to expand its presence in the region. 

In June, it announced partnerships with major Latin American technology distributors Ingram Micro, M3Corp and Tecnología Especializada Asociada de México (TEAM México) for its AI-native Falcon cybersecurity platform. 

It was an update on this platform that caused the problems in Windows systems.

In general, Latin America was less exposed to the incident than other geographies, possibly because of Crowdstrike's still limited presence in the region.

However, impacts were still felt. Plus, there is a ripple effect related to the interconnection of economies and systems on a broader basis.

Arturo Merino Benítez airport, which serves Chilean capital Santiago, recommended that passengers check the status of their flights with airlines before going to terminals, due to the impact that Microsoft's global computer malfunction was having on the passenger registration systems of some airlines.

Although the global failure did not affect the airport's computer services, it did force check-in processes to be carried out manually on 12 flights. Brazilian airports and airlines adopted similar recommendations.

In Brazil, the Downdetector Dashboard platform pointed to failures affecting Microsoft services (Azure, Teams, Xbox Live, Office 365, MS Store), finance and banks (Bradesco, Neon, Next, Itaú, Caixa, Banco do Brasil, Nubank, XP), streaming services (Sky+, Globo), as well as public entities like SEFAZ and the central bank.

In Costa Rica, the Ministry of Science, Innovation, Technology and Telecommunications (Micitt) said it had notified its entire network of institutional links about the failure in one of the configuration elements of the Crowdstrike security solution.

"To address this situation, we have sent a solution to all the Computer Security Incident Response Center (CSIRT-CR) link network and performed an impact analysis of all institutions that have implemented this security solution. At the moment the impact is minimal, and we are constantly monitoring the situation," Micitt said in a statement.

Colombia's cyber emergency response team (ColCERT) said it had assessed possible impacts in different public entities and private companies and that more than 95% of them did not present problems in their technological services.

The ICT ministry and ColCERT said they would continue to monitor the situation in the country, and would be "attentive to react to any eventuality."
