E.U. Regulations Made the CrowdStrike Fiasco Much Worse
The Brussels Effect makes meddlesome European regulations a global problem.

The recent chaos caused by a faulty software update from cybersecurity firm CrowdStrike was a warning that the world's technological infrastructure may be a tad more fragile than we'd been led to believe. Business was disrupted, people were inconvenienced, and billions of dollars in damages were suffered because of the screw-up. Delta Airlines, Microsoft, and CrowdStrike are only a few of the companies pointing fingers at each other and getting ready for courtroom battles. But it appears that, yet again, government regulation made a bad situation even worse.
You are reading The Rattler from J.D. Tuccille and Reason. Get more of J.D.'s commentary on government overreach and threats to everyday liberty.
It Started With an E.U.-Imposed Settlement
Early stories about the worldwide outage revealed a glimpse of the problem.
"CrowdStrike's bug was so devastating because its security software, called Falcon, runs at the most central level of Windows, the kernel, so when an update to Falcon caused it to crash, it also took out the brains of the operating system," The Wall Street Journal's Tom Dotan and Robert McMillan reported July 21. "A Microsoft spokesman said it cannot legally wall off its operating system in the same way Apple does because of an understanding it reached with the European Commission following a complaint. In 2009, Microsoft agreed it would give makers of security software the same level of access to Windows that Microsoft gets."
That agreement resulted from European Union (E.U.) concerns that Microsoft was stifling rivals by limiting the interoperability of its software with systems produced by other companies. The E.U. imposed a hefty €497 million fine in 2004 and then continued its pressure on the company to ease access to its systems.
"On the basis of market test results, we have serious doubts that Microsoft is complying with the interoperability remedy," then–E.U. competition spokesman Jonathan Todd told the Irish Times in 2005.
After continued wrangling, Microsoft reached an interoperability agreement with the E.U. in 2009. Among other provisions, Microsoft guaranteed that "third-party security software products" would have the same access to its operating system as its own security products. That's handy for competing companies, but potentially dangerous. "Any error at the kernel level could potentially disable any operating system, that's why Apple locked macOS and stopped giving developers access to its kernels," Jowi Morales emphasized for Tom's Hardware.
In fact, notes TechRadar's Craig Hale, "Apple has been restricting developers from kernel-level access to its OSs since 2020. Google is also not bound by similar regulations."
For its part, an E.U. spokesman countered, "Microsoft is free to decide on its business model. It is for Microsoft to adapt its security infrastructure to respond to threats in line with EU competition law."
Yes, well, "in line with EU competition law" may be the issue if it compromises security. But that was an agreement with the European Union. Why would it cause global problems?
The Brussels Effect Regulates the World
An agreement with the European Union affected the entire world because of something called "the Brussels Effect." It's a result of a large jurisdiction with economic clout and a tendency to meddle imposing rules that become defaults for everybody because it's just easier to abide by the most restrictive standard than to craft different products and services for less-regulated markets.
"The Brussels Effect refers to the EU's unilateral power to regulate global markets," wrote Columbia Law School's Anu Bradford, author of The Brussels Effect: How the European Union Rules the World (2019). "The EU does not need to impose its standards coercively on anyone—market forces alone are often sufficient to convert the EU standard into the global standard as multinational companies voluntarily extend the EU rule to govern their global operations."
In the case of a security weakness turned into a mandatory feature, the E.U., governed from Brussels, effectively imposed its preferences on the entire planet.
"As the issue with CrowdStrike shows, the impact of European regulation is no longer isolated to just Europe," the Cato Institute's Jennifer Huddleston wrote this week. "As with many regulatory compliance requirements, it may not be technologically or economically feasible to simply offer a different product in Europe."
Huddleston points out that the effects of European regulations have already shown up in small ways that are usually little noticed by consumers, such as the redesign of Apple's charging cords to use USB-C ports. That might or might not benefit the public—if they had clamored for it, the company likely would have responded accordingly. But this was a politically driven change.
Of course, if Apple has to redesign charging cords to please European regulators, it could just as easily lose its security advantage over Microsoft if it were forced into a similar interoperability agreement. Then both companies would be left with only as much protection against buggy software updates as is allowed "in line with EU competition law."
American Regulators Work Hand-in-Hand With Brussels
Worse, notes Huddleston, "some American regulators like the Federal Trade Commission are actively working with EU bureaucrats to regulate US companies." If the Federal Trade Commission doesn't have the authority to impose certain rules on American businesses, it will ask its E.U. counterparts to do so. Then the regulations will flow back to the U.S. courtesy of the Brussels Effect.
Federal Trade Commission Chair Lina Khan's "foreign collusion came up during a House hearing on Tuesday when she was grilled about recent revelations that her office is helping Europe target U.S. tech companies," The Wall Street Journal editorial board warned last year.
The end result is something approaching a global regulatory regime as dictated by European Union bureaucrats. Europe's rules become the default for the planet not because they make sense, but because they're the most restrictive and so will pass muster everywhere.
None of this gives CrowdStrike a pass on its truly mindboggling software update fumble. There's a good reason why people are lining up to sue the company for the harm its failure caused.
But the fallout from one company's serious error might have been limited if Microsoft hadn't been forced to compromise security by meddling bureaucrats who didn't understand what they were doing. It's fair to assume this won't be the last bad outcome of intrusive regulators and the Brussels Effect.
It would be nice if the victims here could sue European over-regulators ass well ass CrowdStrike! Also the Federal Trade Commission for their collusion with said European over-regulators!
PS, we need a "Section 230" for computer-code-core kernels!!! THERE is your kernel of truth!!!
[Pops open bottle of aspirin with one hand and bottle of whiskey with the other in anticipation of the headache resulting from the impending Gell-Mann Amnesia inducing lobotomy about to be performed.]
It is noteworthy that Crowdstrike has been bricking Linux machines for the past several months as well. As with Windows OS, developers can access the kernel for various flavors of Linux- not due to regulations, but due to their Open Source nature. And I know of people who had some labs running Debian (for testing client software releases) and Crowdstrike updates had them offline for almost a month.
MSFT went through a lot of trouble to lock down their Kernel- it was a huge couple of months when they ripped out the audio drivers from direct access, and there was a lot of hatred of the company over that. But it was the architecturally right thing to do, since they had data showing that audio crashes were responsible for a vast proportion of their BSODs.
Complicating this is another regulatory burden. Companies like my bank are essentially required to install software like Crowdstrike. Regulators with no real technical expertise just make wild-ass pronouncements like, "You need to have a complete copy of all your data in a totally separate 'cyber vault' in case of a cyber attack". And we have to do it- no matter if such a thing has never been done EVER before at a company processing trillions of dollars of transactions each month. And likewise, it is because of these regulators that my laptop sounds like a wind tunnel from the moment I turn it on in the morning as it struggles to run countless endpoint lockdown software packages.
It is only because I was vacationing for a week (when my work laptop is permanently powered down) that I was spared the frustration of three days of remote breakfixing on my device, but many in my team were not. The regulatory burden is real, and if you think that the Brussels effect is bad, just wait until you see the Beijing effect.
It's another example of third parties with no skin in the game. Most people refuse to recognize several major aspects of governments:
* They are nothing but bureaucracies. They produce nothing. Their only contributions to building roads, for instance, are stealing taxes to pay for them, stealing land to build them, and building them where the politicians want them, not the people who use them. Bureaucrats can only measure success by counting employees, dollars in budgets, and pages of regulation; so that is what they are incentivized to increase. Efficiency and solving problems which would reduce their size is the last thing they want.
* They are immortal monopolies, and thus, while their bureaucracies are no worse than private bureaucracies, they have no market to keep them in check by losing customers and going bankrupt. Yes, governments can be overthrown and conquered, but that is akin to suicide and murder.
* They are always third parties, whose interest lies in preserving their jobs and their pensions, and increasing the three measures of their success.
Regulators with no real technical expertise just make wild-ass pronouncements like, “You need to have a complete copy of all your data in a totally separate ‘cyber vault’ in case of a cyber attack”.
Many of those regulators are informed by technical people who act as consultants. Doesn't make it any less retarded...
The regulatory burden is real, and if you think that the Brussels effect is bad, just wait until you see the Beijing effect.
Something something free trade and fungible social constructs are great.
Many of those regulators hire the consultants who will give them the answer they want.
Nonsense, Microsoft should not have complied with the EU. American tech companies should band together and resist the authoritarian demands from other countries, including the EU. They won't, however, because of several bad reasons including that they're run by soy-boy cucks like Jack Dorsey who personally love authoritarianism. Microsoft's spinelessness is to blame here, and CrowdStrike's shit release management. I'm not defending the EU, but to quote the late great philosopher Dennis Green, "they are who we thought they were."
That's all well and good up until the point where the Federal Government forces you to comply. If we don't operate in Europe, our licenses get pulled by the Fed, and in order to operate in Europe (and Asia, and Africa, and...) we have to comply with their regulators.
If our government were still a bastion of freedom that protected its citizens, your plan might work. But increasingly, the phone calls are all coming from inside the house.
It would be interesting to see who blinked first, though, if Microsoft said "OK, we'll stop selling and supporting Windows in the EU."
I'm guessing the EU government themselves have a lot of Windows systems.
But on the other hand, I also don't even slightly care who loses there, or even if it's "both". 😀
A friend was a great conspiracy theorist, in that they were just plausible enough that you couldn't rule them out just on their face, like claiming the pyramids were built by space aliens. And he was so straight-faced about them that you never quite knew if he believed them himself or was just funnin' with ya.
Two things happened in the late 1990s which led to my favorite of his theories: Y2K hysteria and the government's anti-trust trial against Microsoft. The key to his theory was how much everyone in that trial lied, and in particular a video of a computer screen which Bill Gates described during sworn testimony as being recorded in a single take, rebutting some prosecution claim. Yet during the video, icons jumped around, the clock jumped back and forth, and it had obviously been edited and spliced together from pieces.
His theory was that Bill Gates was scared to death of Y2K and fully expected Microsoft software to botch the turnover, so he was trying to throw the game, so to speak, forcing the judge to rule against Microsoft, forcing the government to break Microsoft up into separate OS and app companies ... so when Y2K hit and Microsoft software went bananas, he could blame the government.
Crowdstrike?
I hear the FBI will just take their word for it.
The Brussels Effect Regulates the World
I'm not sure what to make of this complaint. It's like we're complaining that the outsized power and influence of one social construct can influence the internal workings of another social construct.
It does seem somewhat tin-eared coming from an American.
It’s like we’re complaining that the outsized power and influence of one social construct can influence the internal workings of another social construct.
[pops aspirin] A-yup. [slugs whiskey]
I tell you what, we really ought to adopt their cabotage rules!
[insert clip from 'Edge of Tomorrow' with Tom Cruise saying "You aren't mentally equipped to fight this thing... and you never will be."]
Sorry, JD, but you got this one wrong. Blaming the EU for not allowing Microsoft to confer upon itself the exclusive privilege of unrestricted kernel mode access for its own products, while locking 3rd party software developers out, suggests that Microsoft had no alternative course of action for preserving the security and stability of systems running Windows. This is not the case.
If Microsoft were as concerned about platform stability and security as their current damage control / PR would now have us believe, they could have locked the Windows kernel down the same way Apple did with the MacOS kernel, limiting kernel interaction to APIs invoked from user space. But they didn't.
Yes, Crowdstrike is responsible for breaking its users' machines. This time. But even if Crowdstrike were to achieve the completely illusory goal of 100% perfect QA testing that would in no way prevent other vendors with kernel access, including Microsoft's own product teams, from causing future bluescreens & outages themselves.
Incidentally, the EU's approach isn't that different from the US Justice Department charging Microsoft in the 1990s with giving itself an unfair advantage over 3rd party office products by allowing its own Microsoft Office team exclusive access to and use of undocumented Windows APIs, which allowed MS Office to achieve levels of integration and ease of use that competitors could not. Memories are short, I guess, but Microsoft was required to disclose hundreds of APIs publicly as part of that settlement.