CrowdStrike lessons: Monoculture is bad, and Microsoft monoculture is worse

Originally published as "CrowdStrike lessons: Monoculture is bad, and Microsoft monoculture is worse" by Steve Weber at Federal News Network, August 2025: https://federalnewsnetwork.com/commentary/2025/08/crowdstrike-lessons-monoculture-is-bad-and-microsoft-monoculture-is-worse/



If we don’t learn from the CrowdStrike outage, the next time that this happens — which is inevitable — the damage could be far worse.

Just over one year ago, a faulty software update distributed by CrowdStrike nearly brought the world to a halt. The update took 8.5 million Microsoft Windows devices offline and, as a result, upended global air travel, brought healthcare providers' emergency response systems down, disrupted operations for banks, and caused delays across government offices. Although CrowdStrike identified the problem and shipped a fix within hours, recovery was slow because affected machines were stuck in a crash loop and most had to be repaired by hand, and the outage cost Fortune 500 companies (excluding Microsoft) an estimated $5.4 billion.

Now, following the anniversary of one of the largest IT failures in recent memory, the outage should serve as a reminder of the dangers of relying on a single vendor and how this risk is magnified when the vendor in question — Microsoft — has a poor cybersecurity track record and skewed incentives, and keeps on making the same mistakes. If we don’t learn from the CrowdStrike outage, the next time that this happens — which is inevitable — the damage could be far worse.

While the outage was triggered by what should have been a routine software update, it was made possible by the way Microsoft lets third-party security vendors like CrowdStrike run their code inside the core component of the Windows operating system, the kernel, a dated and known-to-be-dangerous engineering practice. Because the CrowdStrike sensor executes in kernel mode, a content update it consumed that tripped a bug in its own driver did not crash one application; it crashed Windows itself, on every machine that received the file, before the defect was caught. In what then turned into a chain reaction, the outage became so widespread as a consequence of an overreliance on Microsoft's systems.
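The failure mode described above, as an added illustration that is not code from the original article, CrowdStrike or Microsoft: a minimal rule "content interpreter" in C of the kind a kernel-mode sensor uses to apply detection updates that ship as data files rather than driver code. A rule carries indexes into a template of matching parameters; the unchecked evaluator trusts the index, the hardened one validates it, and a pre-deployment pass rejects any rule file that would ever fail. The file format, struct names, constants and sample rule files are all constructed for this example; the template array is padded so the out-of-bounds read stays inside allocated memory here, which a real driver would not do.

```c
/*
 * Added example (constructed, not CrowdStrike's or Microsoft's code): a rule
 * interpreter that reads parameters out of a fixed template by index.
 * In user mode an out-of-range index crashes one process; in a kernel
 * driver it faults the whole machine, which is why a data-only update can
 * take a fleet down.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define LOGICAL_FIELDS 20u     /* parameters the template actually defines */
#define PHYSICAL_SLOTS 32u     /* padded storage so the overread stays in bounds in this demo */
#define POISON 0xDEADBEEFu     /* marks slots past the template's logical end */
#define RULE_MAGIC 0x52554C45u /* "RULE", constructed file signature */

typedef struct {
    uint32_t n_fields;               /* number of valid entries in fields[] */
    uint32_t fields[PHYSICAL_SLOTS]; /* entries >= n_fields hold POISON */
} template_t;

typedef struct {
    uint32_t n_values;
    uint32_t index[PHYSICAL_SLOTS];  /* each entry should index template fields[] */
} rule_t;

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

void init_template(template_t *t) {
    t->n_fields = LOGICAL_FIELDS;
    for (uint32_t i = 0; i < PHYSICAL_SLOTS; i++)
        t->fields[i] = (i < LOGICAL_FIELDS) ? i * 100u : POISON;
}

/* Rule file layout: magic, count, then count little-endian uint32 indexes.
 * Returns 0 on success, -1 if the blob is malformed or truncated. */
int parse_rule(const uint8_t *buf, size_t len, rule_t *out) {
    if (len < 8 || rd32(buf) != RULE_MAGIC) return -1;
    uint32_t n = rd32(buf + 4);
    if (n > PHYSICAL_SLOTS || len < 8 + (size_t)n * 4) return -1;
    out->n_values = n;
    for (uint32_t i = 0; i < n; i++) out->index[i] = rd32(buf + 8 + 4 * i);
    return 0;
}

/* Unchecked: reads wherever the rule's index points. In a real driver nothing
 * pads the template, so this becomes a read of arbitrary kernel memory. */
uint32_t eval_unchecked(const template_t *t, const rule_t *r, uint32_t slot) {
    return t->fields[r->index[slot]];
}

/* Hardened: both the slot and the template index are validated before use. */
int eval_checked(const template_t *t, const rule_t *r, uint32_t slot, uint32_t *out) {
    if (slot >= r->n_values) return -1;
    if (r->index[slot] >= t->n_fields) return -2; /* would read past the template */
    *out = t->fields[r->index[slot]];
    return 0;
}

/* Pre-deployment check: run every rule against the template it will meet in
 * the field and refuse to ship the file if any index is out of range. */
int validate_rule(const template_t *t, const rule_t *r) {
    for (uint32_t i = 0; i < r->n_values; i++)
        if (r->index[i] >= t->n_fields) return -1;
    return 0;
}

/* Constructed rule files: one valid, one pointing at field 21 of a 20-field template. */
static const uint8_t GOOD_RULE[] = {0x45, 0x4C, 0x55, 0x52, 1, 0, 0, 0, 5, 0, 0, 0};
static const uint8_t BAD_RULE[]  = {0x45, 0x4C, 0x55, 0x52, 1, 0, 0, 0, 21, 0, 0, 0};

/* Returns the number of expectations that failed; 0 means the demo behaved as described. */
int self_check(void) {
    template_t t; rule_t r; uint32_t v = 0; int bad = 0;
    init_template(&t);
    bad += parse_rule(GOOD_RULE, sizeof GOOD_RULE, &r) != 0;
    bad += validate_rule(&t, &r) != 0;
    bad += eval_checked(&t, &r, 0, &v) != 0 || v != 500u;
    bad += parse_rule(BAD_RULE, sizeof BAD_RULE, &r) != 0;
    bad += validate_rule(&t, &r) != -1;         /* caught before deployment */
    bad += eval_checked(&t, &r, 0, &v) != -2;   /* caught at evaluation time */
    bad += eval_unchecked(&t, &r, 0) != POISON; /* unchecked read lands past the template */
    bad += parse_rule(BAD_RULE, 5, &r) != -1;   /* truncated file rejected */
    return bad;
}

int main(void) {
    printf("failed expectations: %d\n", self_check());
    return self_check() != 0;
}
```

The two controls a practitioner would want are both visible here: the interpreter never trusts an index it did not validate, and the same validation runs against the rule file before it is pushed, so a file that would fault in the field is rejected at build time rather than discovered on 8.5 million machines.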

Over decades, Microsoft has managed to establish a monoculture across multiple sectors, where organizations' computer systems run on the same products and services. The company holds an 85% market share in U.S. government productivity software, and 95% of Fortune 500 companies use Azure, Microsoft's cloud computing platform. These numbers describe a monoculture, which creates a shared attack surface and a single point of failure: one exploited vulnerability or one bad update reaches every organization running the same stack at once. From an engineering perspective, this is an entirely dysfunctional and undesirable state.

Any technology monoculture is bad enough, but it’s even worse when it’s built upon a foundation of insecure software. Microsoft’s products are insecure out-of-the-box and the company routinely tops lists of the most commonly exploited software, including the Cybersecurity and Infrastructure Security Agency’s known exploited vulnerabilities list where it accounts for 25% of the vulnerabilities, 304% more than the next closest culprit. About half of Microsoft’s exploited vulnerabilities are found in Windows and Exchange, two of the company’s most popular and prevalent offerings.

It's not surprising that Microsoft has been at the center of some of our nation's most damaging cyberattacks. In the 2020 SolarWinds campaign, one of the largest in U.S. history, a Russian state-sponsored group that got in through a poisoned SolarWinds update then abused a weakness in Microsoft's identity infrastructure, Active Directory Federation Services, to forge authentication tokens and steal sensitive data from at least nine government agencies and more than 100 companies and think tanks. A Microsoft engineer had previously discovered that weakness and told the team responsible for handling security reports that it was leaving millions of users exposed to hackers, but his concerns were dismissed.

The same group then breached Microsoft's own corporate systems in late 2023 with a basic password spray against a legacy test account that lacked multifactor authentication, and exfiltrated emails from the company's top cybersecurity and legal executives, compromising their communications with an undisclosed number of government agencies.

That same year, Chinese hackers read the confidential email of more than two dozen organizations, including U.S. government agencies, by forging authentication tokens with a stolen Microsoft signing key, a failure in Microsoft's own cloud email infrastructure. And most recently, Chinese hackers exploited a major security flaw in Microsoft's SharePoint collaboration software to breach about 400 government agencies, corporations and other groups. In each incident, a single weakness in one widely deployed Microsoft component let attackers bypass its protections and take large volumes of data from many organizations at once.

Competition should root out these costly vulnerabilities, by driving either customers to choose other software vendors or Microsoft to fix the underlying problems. But Microsoft uses anticompetitive licensing practices to lock in customers. At the same time, the company has built a $20 billion business selling cybersecurity services to address its own shortcomings. It has long acted as both the arsonist and the firefighter in a never-ending cycle of waiting for fires and charging customers to put them out. Microsoft only recently announced plans to let third-party security vendors build their products to run outside the Windows kernel, which is essentially an admission of this longstanding architectural flaw.

The CrowdStrike outage reveals how overreliance on insecure vendors has made digital systems so fragile that even a routine software update can pose a significant threat. To better protect U.S. critical infrastructure going forward, the public and private sectors need to diversify away from legacy providers like Microsoft that have shown a disregard for security and are consistently susceptible to widespread cyberattacks and outages. Any kind of monoculture presents significant risks for society, but a monoculture centered on a company with a history of putting short-term profits ahead of basic security practices and engineering principles will inevitably bring catastrophic impacts if not addressed.

Steve Weber is professor at the UC Berkeley School of Information, partner at Breakwater Strategy, and an academic affiliate at Analysis Group.

Copyright © 2025 Federal News Network. All rights reserved.
