Ellie Reeves – 2024 Statement on CrowdStrike – IT Outage

The statement made by Ellie Reeves, the Minister Without Portfolio, in the House of Commons on 22 July 2024.

On Friday 19 July, we saw a CrowdStrike software update on Microsoft systems result in a major global IT outage. It caused significant impacts around the world. Impacts were seen in the transport sector, with flights grounded in Europe and the US, and delays and cancellations here in the UK. Live train departure boards were impacted during the morning rush hour, and some media outlets lost the ability to provide live coverage. The outage caused substantial inconvenience for passengers hoping to travel for the summer holiday getaway on the busiest travel weekend of the year. Airports and airlines across the UK had measures in place to maintain safe operations, support passenger welfare, extend operating hours and deploy additional staff to support late-running operations and keep people moving where possible. As with all incidents, the sector will review its response and implement any learnings.

More concerningly, large parts of the local UK healthcare system lost access to test results and appointment information, affecting mostly GP services. Tried and tested NHS contingency plans were enacted and services are expected to be operating at full capacity in the next few days. Small businesses without dedicated IT support systems were heavily impacted due to disruption to card-only payment systems and ATMs, with many resorting to operating cash-only while firms worked to fix their systems. Many firms were able to get back online quickly and the remainder are expected to restore operations this week.

Officials from the National Cyber Security Centre quickly established that the outages were not the result of a security incident or malicious cyber-activity. The cause was instead identified to be a flawed CrowdStrike software update that caused Windows machines to crash.

On Friday morning, CrowdStrike issued guidance on how to solve the problem, giving users a manual fix for each affected device or system. I now believe that CrowdStrike is in the process of implementing an automated update, which can be applied remotely and should therefore speed up recovery. However, there are still residual impacts from the failed update, and it is important that we continue to monitor the situation and the longer-term impacts to UK sectors and secondary impacts from international disruption.

Ever since the incident occurred, the Government have worked closely with both Microsoft and CrowdStrike. My Cabinet Office officials have been leading co-ordination of the Government response across all impacted sectors of the economy. That included close monitoring of affected public services to ensure that business continuity plans were enacted and services were supported as they came back online. Two Cobra senior officials meetings were also convened on Friday to co-ordinate the response, and officials from across His Majesty’s Government met over the weekend to continuously monitor the impacts and the recovery process. I am pleased to say that Government services and the online services that the Government provide were and remain largely unaffected. My colleagues including the Chancellor of the Duchy of Lancaster, the Health Secretary and the Transport Secretary attended briefings with officials throughout, and the Prime Minister was kept informed.

The majority of the sectors that were impacted have now mostly recovered. The UK transport system—aviation, rail, road and maritime—is running normally. NHS staff worked hard over the course of Friday and the weekend to quickly apply the fixes required, and my colleagues in the Department for Health and Social Care have confirmed that systems are now back online, including for GPs. Their advice is that patients should continue to attend their appointments unless told not to. There may still be some delays, and GPs will need to rebook appointments that could not be made during the IT outage. The public should continue to contact their GPs in the normal way.

As IT systems are complex, we can expect that minor disruption will continue in some areas while systems continue to recover, but my officials expect those to be resolved in the next couple of days. I would like to thank everyone who has worked so hard to get systems up and running again, and all staff who have worked tirelessly to support individuals impacted by the outage.

Following this incident, the Cabinet Office will work with the National Cyber Security Centre and other partners across Government to review the lessons learned. The Central Digital and Data Office will work with the NCSC to implement any improvements to the existing response plans to cover both technical resilience features as well as cyber. The Cobra unit will work with Departments to support their processes for establishing how the organisations and sectors they represent manage the impacts of the outage and what lessons have been learnt.

As soon as the Government were elected, we took immediate steps to begin legislating to protect public services and the third-party services they use. Our cyber-security and resilience Bill, included in the King’s Speech, will strengthen our defences and ensure that more essential digital services than ever before are protected. For example, it will look at expanding the remit of the existing regulation, putting regulators on a stronger footing and increasing reporting requirements to build a better picture in Government of cyber threats. Technology failures can be as disruptive as cyber-attacks, and the move to create the centre for digital government within the Department for Science, Innovation and Technology is aimed at creating a more resilient digital public sector.

What this incident shows is how dependent the modern world is on complex and interconnected IT systems and how essential preparedness for such events is, including business continuity planning. Notwithstanding the immense frustration and inconvenience that the outage has caused, I am pleased to see that effective contingency plans mitigated the very serious impacts that the outage could have had. I am pleased also that there is to be a comprehensive process to identify the lessons from this episode. I hope that they will lead to improvements that both help prevent similar incidents and further improve our resilience to system outages and the impacts they can have. In that spirit, I commend the statement to the House.