Services globally are slowly recovering from a crippling software update failure deployed on Friday night (NZ time) which took out computer systems belonging to airlines, healthcare providers, retailers, news outlets, broadcasters, financial outlets, infrastructure and transport networks and more.
CrowdStrike, the cyber security firm that issued the faulty software update, says the bug is fixed – but it could be some time before all systems are back up and running.
CrowdStrike chief executive George Kurtz said the firm was sorry for the disruption caused by the fault, which affected systems running the world’s most popular operating system, Microsoft Windows.
Seymour told RNZ on Saturday morning the latest prognosis for New Zealand was “good news”.
“The software fix is in, it’s been installed, government departments have not lost any critical services at any time. I’ve been in touch with the New Zealand Banking Association – they say it’s likely that they’re going to be at business as usual with banking today, although they haven’t confirmed that with me absolutely.
“So it looks like, by and large, New Zealand has got off luckier than some other countries around the world. We will continue to face delays in flights that have originated at foreign airports, but that is something that will work itself through as it does, occasionally, when there are weather events and so on.”
He said the National Emergency Management Agency was called in on Friday night in case the damage to IT systems here was worse.
“Earlier in the evening, it wasn’t clear if this would be over in a few hours – as thankfully it has been from a software point of view – or whether it was a disruption that might continue for several days.
“So their job is to check that various government services are able to continue and that people are going to be able to get the necessities of life.
“It appears that no critical services that people rely on are in any danger, and the overwhelming expectation is that we will be back to business as usual today.”
Whether the timing of the outage, late on a Friday, helped New Zealand avoid the worst of it will become clear in time.
“I think there’s got to be a lot more analysis. It probably depends on the businesses and organisations and the combinations of software that they were using. It certainly appears that broadcasters overseas as close as Australia have gone off the air. Bear in mind, the Australians are in a very similar time zone to us and had a very similar effect to what we experienced, and yet the impact was so much greater on their systems, so they’ve had to respond a lot more forcefully at a government level than we had,” Seymour said.
“Clearly, Aotearoa New Zealand has been affected less than other countries, at least on the face of it, but there’s obviously going to be a lot of post-mortem and analysis. And I’m sure the government agencies will also be assessing how we responded to this, what else could have gone wrong, what else we might have done, as is responsible when any event like this occurs.”
He said the big question was how a single private company’s mistake was able to take down much of the global internet and the economy it relies on.
“As someone who takes an interest in technology and software in the way that it’s developing, I was quite surprised this one company could have such a large effect. And I’m sure that there will be questions around the level of redundancy that’s built into systems … I’m sure there’ll be questions about how a software update is rolled out simultaneously right around the world.
“I have to say that most of those questions, at a technical level, are well above my pay grade. But I’m sure that the Government will be asking those questions in the days and weeks to come.”
And that includes potentially looking at what financial liability CrowdStrike has for the error.
“I’m sure that there’s going to be a lot of lawyers involved in terms of liability, and a lot of fine print contracts that people have signed. At this point, I don’t think the New Zealand Government has got to the state of trying to take liability, or at least claim liability from CrowdStrike.
“That’s something that we might well do, but I’m sure that in this initial 24-hour period, most people have been focused on metaphorically getting the lights back on.”
Seymour said cyber security companies are in a race against hackers, “pushing their limits all the time”.
“I think it’s important to recognise that this has occurred in the context of an unending contest between basically private security of the internet and the hackers out there, including state-backed actors, who would like to do us harm.
“So I don’t know if it’s better or worse that it’s a glitch, but it is, in a way, connected. We would not have had this event if we did not have to rely on effectively private online security companies to fight the hackers, including many government-backed hackers that would try to interrupt our way of life.”
In a statement posted to the CrowdStrike website, Kurtz said the outage was “caused by a defect found in a Falcon content update for Windows hosts”, and there was no impact on customers’ security.
“I want to sincerely apologise directly to all of you for today’s outage. All of CrowdStrike understands the gravity and impact of the situation. We quickly identified the issue and deployed a fix, allowing us to focus diligently on restoring customer systems as our highest priority.
“We know that adversaries and bad actors will try to exploit events like this. I encourage everyone to remain vigilant and ensure that you’re engaging with official CrowdStrike representatives. Our blog and technical support will continue to be the official channels for the latest updates.
“Nothing is more important to me than the trust and confidence that our customers and partners have put into CrowdStrike. As we resolve this incident, you have my commitment to provide full transparency on how this occurred and steps we’re taking to prevent anything like this from happening again.”