Responsibility shifted

How Microsoft is abusing the CrowdStrike outage to its advantage


After Microsoft initially refrained from publicly commenting on the global IT security debacle on July 19, 2024, the Wall Street Journal published an accusation against the European Commission just a few days later: it was not CrowdStrike, but the EU itself that was primarily responsible for the world’s largest computer outage to date.

The underlying argument is both simple and obvious: because Microsoft had to reach an agreement with the EU in 2009 that forced the company to grant security software providers the same access to the operating system as itself, Microsoft could not adequately protect the core of Windows, the so-called “kernel”, from bugs in third-party software such as CrowdStrike. In one instance, reference was made to Apple, as the company had already denied third-party providers access to the macOS kernel in 2020 – with the result that Apple products would not have led to the IT disaster. However, this is based on a completely different assessment.


What may sound so plausible at first, because it is a supposedly simple explanation for a complex issue, should perhaps also be questioned precisely because the timing of Microsoft’s accusation fits the current picture all too well: less than a month earlier, the EU Commission sent Microsoft a statement of objections due to possible abusive and antitrust-relevant tying practices in the Teams collaboration software.

What Microsoft deliberately omits in its CrowdStrike accusations against the EU is the fact that the 2009 agreement was also merely a consequence of anti-competitive product tying practices by the US company to the detriment of consumers and cyber security, as Microsoft abused its operating system monopoly at the time to establish Internet Explorer as the standard product and force alternative products such as Firefox or Opera out of the market. And what is also being deliberately ignored is the fact that this very problem was a key aspect of the 2009 agreement, which at its core was not just about security software or even specifically about CrowdStrike, but was a general interoperability agreement for Windows, Windows Server, Office, Exchange and SharePoint products, which of course also included cyber security in order to be able to operate such products properly.

Nothing would have prevented interfaces outside the kernel

However, it is now all too easy to invoke a 15-year-old agreement in order to politically avoid urgently needed antitrust investigations wherever possible. This is nothing more than a comparison of apples and oranges, with Microsoft now using cybersecurity, an important economic, governmental and social responsibility, as an argument to push through its own monopolistic interests on the software and cloud market in the EU. But even if you put all this aside and follow Microsoft’s technical argumentation, it quickly becomes clear that the software company is not actually concerned with cybersecurity at all, even if it has recently been selling it as such everywhere.

Of course, unregulated kernel access poses considerable risks to the stability of the operating system, but if you take a detailed look at the agreements reached at the time, it quickly becomes clear that Microsoft is not the victim of an irrelevant European directive, as the company is currently publicly portraying it. Quite the opposite: Microsoft not only expressly welcomed the European agreement, but also literally took up the “leadership role” in the area of technical interoperability – which, of course, also entails a corresponding responsibility. And it is precisely this responsibility that is being called into question in view of the company’s accusations against the EU, not only in this country but also in the United States itself.

The European agreement is so broad that nothing would have prevented Microsoft from creating an interface to external software providers outside the kernel in order to create more technical stability and actively prevent incidents like the one that occurred on July 19, 2024. In fact, most other modern operating systems follow this approach by providing security companies with stable APIs and securing the sensitive kernel in this way. Last but not least, the agreement made in 2009 is not only about the abstract provision of technical interfaces and interoperability, but also about active support, including documentation and support services by Microsoft, which suggests a much greater responsibility for the overall situation than the US company would like to admit.

Even if the CrowdStrike IT outage was not a cyberattack, now, a month later, it is fair to say that the impact was comparable to a serious cyberattack and that reliance on a single vendor such as Microsoft poses a significant risk to IT security. In addition, discussions in the specialist community repeatedly emphasize that the outdated architecture of the Windows operating system was a key factor in the severity of the outage, while other operating systems such as macOS and Linux are technically much better protected against such events thanks to a more secure kernel architecture.

There is still a lack of responsibility for more cyber security

So what do we know now? CrowdStrike is definitely the main culprit behind the IT disaster on July 19. However, Microsoft could have done more in the past to prevent an incident of this magnitude. Instead, the company is now pursuing a high-profile PR policy that not only negates this responsibility of a global monopolist on the software and cloud market, but even reverses it and, in the interests of a positive public image, blames the European antitrust authorities, which have the constitutionally legitimized and public welfare-oriented mandate to break up dangerous global IT monopolies. Against the backdrop of ongoing IT security incidents at Microsoft, this argument seems not only curious, but downright grotesque, and ultimately unfortunately shows that the company is still not living up to its immense responsibility despite paying lip service to greater cyber security countless times. This ignorance is not only unfortunate, but also extremely dangerous.

Lars Becker

Editor

IT Verlag GmbH
