Global IT outage: BSI takes Crowdstrike and Microsoft to task

Following the massive problems caused by a faulty Crowdstrike update, the BSI now wants to see action - including from Microsoft.

This article was originally published in German and has been automatically translated.

The massive problems caused by the faulty update to Crowdstrike's Falcon Sensor software now have repercussions for the vendors with Germany's cyber security authority. The incident caused massive outages worldwide; according to Microsoft, 8.5 million Windows computers were affected and effectively unusable.

The German Federal Office for Information Security (BSI), which has been in contact with both Crowdstrike and the operating system provider Microsoft since the incidents began, now wants to make both companies more accountable in order to prevent a recurrence.

More than 50 operators of critical infrastructure contacted the BSI in Bonn following the outages, the BSI said on request. According to the BSI, almost every critical sector was affected, for example health, finance, energy, food, transportation and IT. Even companies that were not previously required to report have informed the BSI that they were affected.

The BSI wants to carry out an initial technical analysis with both companies this week and discuss the next steps. A BSI spokesperson explained to heise security that this is not just about making fundamental improvements to the products. For example, the BSI is demanding that Crowdstrike only deploy updates in stages in order to minimize the potential for damage.

In addition, the company should take "medium-term measures" that affect the overall architecture of the provider's product landscape. Overall, the BSI sees a need to further harden the Crowdstrike products - and to ensure that they can be used on different operating systems. Meanwhile, Crowdstrike announced initial measures in this direction on Wednesday.

The BSI spokesperson said that it was also a matter of "automatically creating operating system and application states that can be used again immediately in critical error situations". The Federal Office also wants to hold the operating system manufacturers responsible here.

The findings from the incidents of recent weeks will play a role in the implementation of the Cyber Resilience Act in particular - the supervisory authority for this in Germany is the BSI. The European Cyber Resilience Act regulates, among other things, the obligations for security updates by hardware and software providers and will gradually come into force by 2027.

(dahe)