The Falcon with no Appetite for China

Author: Benelux Chamber Shanghai

Global banks, airlines, hospitals, general businesses, government offices and more: all out of service.

What happened? During a routine update to its Falcon security software, the US cybersecurity firm CrowdStrike pushed a change worldwide. That single faulty software update crippled companies around the world, and hit hardest the businesses that mainly run Microsoft's Windows operating systems and Azure cloud systems.

A lot of people blamed Microsoft for the disaster: it is the more recognizable brand, and many users saw the infamous BSOD (blue screen of death) on their devices, so it was easier to connect the effect with Microsoft than with CrowdStrike.

But the reality is a bit more complex. 

First of all, here is the official announcement from Microsoft itself, with its own analysis and the solutions and workarounds shared on its websites. Here is its overview of the impact on Azure machines. You can see that Microsoft was also affected by the update from its cybersecurity vendor.

Second, the main culprit of this worldwide disaster is CrowdStrike. On July 20th they published their own analysis and what really happened (“…CrowdStrike released a sensor configuration update to Windows systems. Sensor configuration updates are an ongoing part of the protection mechanisms of the Falcon platform. This configuration update triggered a logic error resulting in a system crash and blue screen (BSOD) on impacted systems.”)

Here you can find their overall summary, which includes:

  1. A remediation plan

  2. A video outlining how to self-remediate Windows laptops

  3. A general overview of their actions, in which they assume responsibility and admit that their process for delivering this update was wrong.

But there was a nice surprise for people living in China: how come China was not affected as much as the rest of the world?

Simply put, CrowdStrike is not much used in China. 

Some MNCs and some big Chinese companies were affected by this issue (our WeChat moments and tech forums for IT practitioners in China were inundated with experience sharing, rants about the issue and shared solutions), but overall the country came through unscathed. No SOE seems to have been affected, and big local private businesses were also safe.

Why is this solution not so much used in China? Three reasons mostly. 

  1. CrowdStrike has been very vocal about the cybersecurity threat posed by Beijing and has shut down its official presence there (note: CrowdStrike and SentinelOne, the other biggest player in the cybersecurity market, are basically banned from selling directly in China and do not support the Chinese market).

  2. Microsoft Azure is a dominant force in the global cloud market, but not in China. First, it is operated through a local JV partner (21Vianet). Second, its market share is almost irrelevant; it does not even crack the top three (AliCloud, Huawei and Tencent are the three biggest cloud players in China). Because of this, Microsoft does not run the same processes in China as it does worldwide, and it is not fully managing, deploying and running the cybersecurity posture there.

  3. Local cybersecurity players have developed and sold their own solutions, which fit the local market better, especially for local SOEs, hospitals, airports and transportation services. As a result, the big meltdowns in public services seen around the world were not seen in China.

Could this have been avoided? Probably.

Whenever there is an important update to any relevant software, the best practice is to test it in a sandboxed environment first, then move it to a limited set of teams in production, and only then go to a staggered full deployment.
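The staged rollout just described, as an added illustration that is not part of the original article and not CrowdStrike's or Microsoft's deployment tooling: a sandbox ring, a small production pilot, then staggered waves, with a health gate between rings that refuses to promote the update once the crash rate in a ring exceeds a threshold. The fleet of 2000 hosts, the ring sizes, the 2% gate and the three health-check functions standing in for post-update telemetry are all constructed values for the demonstration. The `exposure_comparison` function also contrasts the staged path with the single-step push the article describes, to show how many hosts each one exposes to a crash-everything update before anything can stop it.

```python
"""Staged rollout gate for an agent/sensor update: sandbox -> pilot -> staggered waves.

Added illustration; not CrowdStrike's or Microsoft's deployment tooling. The fleet,
ring sizes, health checks and the 2% crash threshold are constructed for this example.
"""
from dataclasses import dataclass
from typing import Callable, Optional, Sequence

# A health check maps a host name to True if the host is healthy after the update
# (in practice: heartbeat received, no kernel crash dump, no boot loop).
HealthCheck = Callable[[str], bool]


@dataclass(frozen=True)
class Ring:
    name: str
    hosts: tuple


@dataclass
class RolloutOutcome:
    completed: list            # rings that passed the health gate
    halted_at: Optional[str]   # ring where the rollout stopped, or None if it finished
    exposed_hosts: int         # hosts that received the update before the decision was made
    reason: str


def crash_fraction(hosts: Sequence[str], check: HealthCheck) -> float:
    """Fraction of hosts that did not come back healthy after the update."""
    if not hosts:
        return 0.0
    crashed = sum(1 for h in hosts if not check(h))
    return crashed / len(hosts)


def staged_rollout(rings: Sequence[Ring], check: HealthCheck,
                   max_crash_fraction: float = 0.02) -> RolloutOutcome:
    """Push the update ring by ring; stop at the first ring whose crash rate exceeds the gate."""
    completed = []
    exposed = 0
    for ring in rings:
        exposed += len(ring.hosts)  # every host in this ring receives the update
        rate = crash_fraction(ring.hosts, check)
        if rate > max_crash_fraction:
            return RolloutOutcome(completed, ring.name, exposed,
                                  f"{rate:.1%} of ring '{ring.name}' crashed; rollout halted")
        completed.append(ring.name)
    return RolloutOutcome(completed, None, exposed, "all rings passed the health gate")


def build_fleet(size: int) -> tuple:
    """Constructed fleet of hosts named host-0000 .. host-NNNN."""
    return tuple(f"host-{i:04d}" for i in range(size))


def default_rings(fleet: Sequence[str]) -> list:
    """Sandbox (lab hosts), a small production pilot, then two staggered waves."""
    return [
        Ring("sandbox", tuple(fleet[:5])),
        Ring("pilot", tuple(fleet[5:55])),
        Ring("wave-1", tuple(fleet[55:505])),
        Ring("wave-2", tuple(fleet[505:])),
    ]


def big_bang(fleet: Sequence[str]) -> list:
    """The failure mode in the article: every host updated in one step, no gate in between."""
    return [Ring("everyone", tuple(fleet))]


# Constructed health checks standing in for real post-update telemetry.
def good_update(host: str) -> bool:
    return True


def faulty_update(host: str) -> bool:
    return False  # the update crashes every host it reaches (the article's scenario)


def flaky_update(host: str) -> bool:
    # About 0.4% of hosts crash for unrelated reasons: below the 2% gate, so it should not halt.
    return int(host.split("-")[1]) % 250 != 100


def exposure_comparison(fleet_size: int = 2000) -> tuple:
    """Hosts hit by a crash-everything update under staged vs big-bang deployment."""
    fleet = build_fleet(fleet_size)
    staged = staged_rollout(default_rings(fleet), faulty_update)
    bang = staged_rollout(big_bang(fleet), faulty_update)
    return staged.exposed_hosts, bang.exposed_hosts


if __name__ == "__main__":
    fleet = build_fleet(2000)
    for label, check in [("good", good_update), ("faulty", faulty_update), ("flaky", flaky_update)]:
        out = staged_rollout(default_rings(fleet), check)
        print(f"{label:>6}: exposed={out.exposed_hosts:5d} halted_at={out.halted_at} -> {out.reason}")
    print("faulty update, staged vs big-bang exposure:", exposure_comparison())
```

The gate is deliberately simple: a ring either passes or halts the whole rollout, and a halt in the sandbox ring costs five lab hosts rather than the fleet. The same structure applies whether the "update" is a binary, a sensor configuration file or a policy change, since it is the rollout controller, not the payload, that bounds the blast radius.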

What are the effects of this in China?

Some global and local IT companies used this as a chance to sell their own tech stacks, which was very unfortunate to see, because:

  1. No one would have been able to predict or prevent this from happening.

  2. It could have been any cybersecurity vendor with a big reach deploying a faulty update and affecting millions of devices (Microsoft estimates 8 million Windows machines were affected).

  3. CrowdStrike is the best player worldwide for medium and big companies (it is not a cheap solution), and this was a misstep on their side, but saying their solution is not good is absurd and just a cheap way to sell other solutions.

Full disclosure: we don't use CrowdStrike in our tech stack, and none of our customers in China do. But this doesn't stop us from saying that they and SentinelOne are the top two worldwide.

Prediction for China: the localization of software (and hardware) solutions will keep going the same direction it was going before for Chinese customers. 

Why? CrowdStrike does not operate in or support the Chinese market, local vendors cannot legally sell it, and the local players have developed decent cybersecurity solutions that fit the local market.

But global companies with operations in China will keep centralizing and standardizing their local environments. They may not use CrowdStrike specifically, but they will keep running a mix of global and local solutions.

CrowdStrike will get the brunt of this and learn to update their deployment processes moving forward. 

Hopefully, others will learn from this and work on it. 

To close on a lighter note, a few Chinese users posted on Weibo: “Thank you Microsoft for an early vacation” and enjoyed a longer weekend due to the BSOD (blue screen of death). 

There’s always a positive way to spin things. 
