Cloud outage: Microsoft points finger at EU

Multi-billion losses, a complete and utter standstill and human lives in danger: that is what came out of last year’s CrowdStrike incident, when millions of Windows systems across the world crashed due to a faulty update of security software Falcon. A great number of businesses, including hospitals and airports, were hit. Yet instead of reflecting on its own shortcomings in order to work out how the Windows outage came about, Microsoft has alleged that the EU was partly to blame – a particularly brazen move.

According to a spokesperson as reported by the Wall Street Journal, Microsoft’s inadequate safeguarding of its operating system was down to an agreement they had with the European Commission. What he is alluding to is a 2009 agreement signed between the software giant and the European Commission after the latter sued the former for coupling Internet Explorer with Windows, thereby violating anti-trust regulations. At the time, the behemoth agreed to grant third-party providers the same access to Windows as Microsoft. They then alleged last year that this access to the innermost core of Windows (known as the ‘kernel’) is what caused the CrowdStrike outage. What Microsoft has conveniently glossed over, however, is that they did not automatically have to grant access to the kernel. According to experts, the company could have instead created a simple interface, an API, to Windows, as Apple has done with MacOS.

A strategic move to muddy the waters
Microsoft’s posing as a victim of European law doesn’t come as a surprise: it is a strategic move at a time when it is facing yet another antitrust case, this time for coupling Teams and M365. On 25 June 2024, the Commission explained in its preliminary findings that Microsoft had a dominant position on the professional SaaS productivity applications market and was therefore curbing competition. In keeping with the old adage that attack is the best form of defence, Microsoft has decided to take aim at the EU to try and influence its impending decision. It is also an opportunity for the software giant to deflect attention from its own mistakes in the face of multiple criticisms on many fronts for its data protection and security practices.

Cloud outage wasn’t an isolated incident
It is rather noteworthy that just days after the CrowdStrike incident, Azure customers had to put up with more issues with their cloud services. This time, the culprit was a DDoS attack, which hit even harder due to a configuration error in Microsoft’s DDoS defences. In the aftermath of this incident, the US Cyber Safety Review Board (CSRB) found that there had been serious operative and strategic security flaws on the part of Microsoft. In a report issued last year, the Board even concluded that last year’s major security snafu, i.e. the theft of an Azure Master signing key, could have been averted by the company. Another recurring hot topic is Microsoft’s data protection failings. The European Data Protection Supervisor (EDPS) recently found that the European Commission has been breaching the GDPR by using Microsoft 365. Andreas E. Thyen, Chairman of the Board at LizenzDirekt and trained economist, has issued a stark warning: ‘I am convinced that a breach of data protection and security can be extremely expensive for customers and have absolutely disastrous reputational consequences.’ 

The cloud mania and data collection frenzy continue
Despite the criticism, the failures and outages, Microsoft remains unfazed. The software giant plods on, pulling its customers deeper into the cloud mania. For example, it replaced its popular on-premise Action Pack software package with cloud products in late January. As a consequence, customers are being forced to switch to a subscription-based model. What’s more, in the era of AI, the behemoth is becoming ever bolder in its data collection frenzy, even deciding to access user’s computer desktops. A new Windows 11 feature, Recall, even regularly takes screenshots of their screens and saves them. In the meantime, rumour had it that the feature could be deactivated, something Microsoft denied, explaining that the uninstall option was the result of a bug that would be sorted. This goes to show how little the cloud provider cares about our European fundamental rights and how ruthless they are in pursuing their own agenda. Do we really want to entrust such a provider with our data?

What lessons can be learnt from the cloud outage
The CrowdStrike cloud outage has shed light on how dangerous it can be to rely on one major player for our online software. This is why many businesses and public bodies are now rethinking their IT strategy. Rather than letting ourselves be drawn even further into a technology that undermines our resilience and independence, it is crucial to claw back more control. Getting all your software from the cloud of a single provider like Microsoft means taking unforeseeable risks, all the more so in the era of AI. By choosing a well thought out, hybrid approach combining on-premise licenses and cloud services from various providers, businesses can hedge their risks and be less dependent while also mitigating data protection and security risks.

Greater leeway thanks to in-house IT skills
In order to develop the strategy that’s best for them, decision-makers must take into account more than IT considerations, carry out a risk assessment and consider solutions that don’t make them reliant on one single company. But there is one prerequisite to this: regaining in-house IT skills and asking advice from impartial professionals. Andreas E. Thyen’s position is clear: ‘European legislation should never be a mere afterthought, it’s a question of core beliefs. By nurturing key IT skills, we may be able to raise awareness of what our concept of freedom stands for – not just on national holidays but every single day, there must be a strong will on the part of political decision-makers and society at large. By doing so, we will be able to regain our independence bit by bit and find the courage to develop more solutions of our own.’