Did the CrowdStrike outage delay your flight or brick your laptop?
If you’re looking for someone to blame, start with the unelected European bureaucrats that set the stage for the CrowdStrike outage more than a decade ago. The CrowdStrike episode is the latest reminder that allowing government bureaucrats to dictate product design spells disaster for consumers.
CrowdStrike is a software company that offers cybersecurity services for businesses, including 60 percent of Fortune 500 companies and over half of Fortune 1,000 companies. On July 19, CrowdStrike deployed a faulty software update for its Falcon threat monitoring service that triggered a “blue screen of death” for impacted devices.
The outage’s impact was worldwide. Microsoft estimates that 8.5 million total devices were affected. Airlines were forced to cancel or delay over 5,000 flights. Hospitals rescheduled surgeries and doctors handed out handwritten prescriptions. Bank of America, Capital One, Wells Fargo, and other banks also experienced outages. The total cost of the CrowdStrike outage is projected to surpass $1 billion.
The outage was so far-reaching because CrowdStrike has access to Microsoft’s “kernel,” the core of the Windows operating system. When the Falcon software crashed, it took the entire Windows operating system out with it.
Enter the European Commission, the European Union’s executive branch. In January 2009, the EC sent Microsoft a “Statement of Objections” accusing the company of harming competition by integrating its products. To address the EC’s “concerns,” Microsoft and the EC entered into an agreement that forced Microsoft to give kernel access to third-party security software developers. If Microsoft fails to comply with the forced agreement, the EC can confiscate a staggering 10 percent of its global revenue.
Because European bureaucrats required Microsoft to design its products in a way that granted kernel-level access to developers, a third-party vendor was allowed to deploy a faulty update that nuked the entire operating system. Microsoft engineers are not stupid or evil – they are hamstrung by arrogant regulators who think they can engineer competition through government mandates.
There are two themes here. First, the EU cannot innovate because unelected bureaucrats have strangled European industries with red tape. Only a small handful of the EU’s top 100 companies were founded in the past 40 years, and the EU’s share of world gross domestic product has halved since 1980. Since European companies cannot catch up through innovation, bureaucrats have to weaken American companies through regulation. European bureaucrats then confiscate tens of billions of dollars in revenue from American companies, using the proceeds to prop up the EU’s bloated welfare state.
Second, government-mandated “openness” done in the name of consumers can harm consumers. The EC thought Microsoft’s integration of Internet Explorer into the Windows operating system harmed consumers and competition, so it mandated that Microsoft give third-party developers access to the guts of its operating system. The CrowdStrike outage is just the latest example of government regulation that harms those it is intended to help.
Instead of taking ownership of the CrowdStrike outage, the EU wants to double down on its failed regulatory crusade. The outage did not affect Macintosh users because Apple has not authorized kernel-level access for developers since 2020. Apple’s “walled garden” ecosystem emphasizes user security and seamless interoperability between Apple devices. Apple’s main selling point is that Apple devices “just work” out of the box, and all work together as part of a coherent ecosystem. Apple was able to wall off kernel access because it is not under the same agreement with the EU that binds Microsoft.
A new European law, the “Digital Markets Act,” accuses American companies like Apple and Microsoft of being “gatekeepers” that abuse their dominance to harm smaller competitors. The solution? You guessed it: more forced “openness.” The EU has already accused Apple of violating the DMA for charging developers for access to its intellectual property, the App Store. The DMA includes similar interoperability provisions that led to the CrowdStrike outage. If the EC finds that Apple has violated the DMA, Eurocrats could confiscate up to 20 percent of Apple’s global revenue, a staggering $76 billion based on Apples 2023 revenue.
Reality check for regulators: there is no inherent virtue in an “open” or “closed” system. Each approach is a business decision that has benefits and drawbacks. Companies design their systems as they see fit to attract as many customers as possible. Product design decisions should rest with companies and their engineers, not unelected bureaucrats.
Of course, this truth won’t stop Federal Trade Commission Chair Lina Khan and others from exploiting the CrowdStrike outage to make the case for further government control over the economy. Being a bureaucrat means never having to say you’re sorry.