Mon. Jul 21st, 2025

One year on from the CrowdStrike outage: What have we learned?


It has been a year since the widespread CrowdStrike outage sent ripples across global IT infrastructure and business operations.

The incident, caused by a faulty update to CrowdStrike’s Falcon 9 product, highlighted critical vulnerabilities in interconnected digital ecosystems and raised questions about resilience, responsibility, and risk management in an increasingly cloud-dependent world.

The outage affected an estimated 8.5 million Windows devices globally, representing approximately 1% of the worldwide Windows estate. The financial impact has been projected to be between $10 billion and $12.5 billion, with airlines, banks, retailers, and government services significantly disrupted.

Delta Air Lines alone experienced a five-day impact, with 7,000 flights cancelled and 1.3 million passengers affected, at an estimated cost of $550 million.

The immediate propagation of the issue across Microsoft’s Azure public cloud and M365 online productivity platform (and later other cloud environments and self-hosted systems) underscores the profound interconnectedness of modern IT.

Microsoft, despite not being the cause of the initial error, facilitated its rapid global spread due to its US-centric and interconnected platform architecture, which allows for and relies on the rapid global propagation of configuration and identity changes.

The underlying nature of the Windows operating system was also a contributing factor: Microsoft provided CrowdStrike with Ring 0 equivalent kernel access, which made the issue possible in the first instance.

Accountability and limited liability

One of the most striking takeaways from the CrowdStrike incident is the apparent lack of significant financial or reputational repercussions for the cloud providers themselves.

Microsoft’s stock price experienced only a 1% blip on the day of the outage, mirroring the percentage of impacted Windows devices.

CrowdStrike’s share price initially dipped by 11% on the day of the outage, and a total of 36% within two weeks.

However, a year later, its shares are trading 65% higher than on the day of the outage. Their Annual Recurring Revenue (ARR) growth, while slightly lower in the quarter immediately following the incident ($158 million versus $218 million in the prior quarter), still showed a 34% year-on-year increase by the end of the year.

This swift recovery for the providers can be partly attributed to the protective clauses embedded in their terms of service.

CrowdStrike’s terms, for instance, explicitly state that their software should not be used for “high value processing” where a failure could lead to risk to life, safety, environmental damage, or significant financial losses.

Furthermore, the company’s liability for losses is typically capped at the cost of the service purchased in that financial year. These clauses, which are not unique to CrowdStrike and are mirrored in Microsoft’s terms of service, effectively limit the financial recourse for customers experiencing significant losses. This highlights a critical, yet often overlooked, aspect of cloud service adoption: operational risk falls largely upon the customer.

Enduring risks and strategic imperatives

A year on, the fundamental risks exposed by the CrowdStrike outage largely persist. The interconnected nature of major cloud platforms means that a single point of failure, even from a third-party vendor, can still trigger widespread disruption. While the “big one”—a catastrophic, total global cloud failure—has not yet materialised, the CrowdStrike incident serves as a stark reminder of the potential for such an event.

Organisations must therefore understand that reliance on public cloud and the internet as a backup for public cloud and internet failures is not a viable strategy. Developing robust, independent disaster recovery (DR) and business continuity planning (BCP) that can be executed even during a major, widespread outage is paramount. This includes having alternative communication channels and data access strategies that do not rely on any part of the compromised cloud environment.

Finally, there is a geopolitical dimension. Nations like Russia and China, which have historically limited their reliance on Western technology and are often cited as primary malicious actors in cyber warfare, reported zero impact from the CrowdStrike outage.

Such events serve as valuable intelligence for these actors, enabling them to identify vulnerabilities and refine their own protective postures and, potentially, future attack strategies on global cloud infrastructure. We may not easily learn the lessons of such outages, but we can be sure that they most certainly do.

The CrowdStrike outage was a significant event that should have prompted a collective re-evaluation of digital resilience. While the immediate crisis passed, the underlying vulnerabilities and the implications for risk management remain critical considerations for every organisation operating in the cloud.

Have businesses genuinely learned these lessons, and are they actively taking the necessary measures to prevent similar, or even more severe, disruptions in the future? The evidence suggests not.

By uttu
