PARLIAMENTARY DEBATE
CrowdStrike: IT Outage - 22 July 2024 (Commons/Commons Chamber)
More concerningly, large parts of the local UK healthcare system lost access to test results and appointment information, affecting mostly GP services. Tried and tested NHS contingency plans were enacted and services are expected to be operating at full capacity in the next few days. Small businesses without dedicated IT support systems were heavily impacted due to disruption to card-only payment systems and ATMs, with many resorting to operate cash-only while firms worked to fix their systems. Many firms were able to get back online quickly and the remainder are expected to restore operations this week.
Officials from the National Cyber Security Centre quickly established that the outages were not the result of a security incident or malicious cyber-activity. The cause was instead identified to be a flawed CrowdStrike software update that caused Windows machines to crash.
On Friday morning, CrowdStrike issued guidance on how to solve the problem, giving users a manual fix for each affected device or system. I now believe that CrowdStrike is in the process of implementing an automated update, which can be applied remotely and should therefore speed up recovery. However, there are still residual impacts from the failed update, and it is important that we continue to monitor the situation and the longer-term impacts to UK sectors and secondary impacts from international disruption.
Ever since the incident occurred, the Government have worked closely with both Microsoft and CrowdStrike. My Cabinet Office officials have been leading co-ordination of the Government response across all impacted sectors of the economy. That included close monitoring of affected public services to ensure that business continuity plans were enacted and services were supported as they came back online. Two Cobra senior officials meetings were also convened on Friday to co-ordinate the response, and officials from across His Majesty’s Government met over the weekend to continuously monitor the impacts and the recovery process. I am pleased to say that Government services and the online services that the Government provide were and remain largely unaffected. My colleagues including the Chancellor of the Duchy of Lancaster, the Health Secretary and the Transport Secretary attended briefings with officials throughout, and the Prime Minister was kept informed.
The majority of the sectors that were impacted have now mostly recovered. The UK transport system—aviation, rail, road and maritime—is running normally. NHS staff worked hard over the course of Friday and the weekend to quickly apply the fixes required, and my colleagues in the Department for Health and Social Care have confirmed that systems are now back online, including for GPs. Their advice is that patients should continue to attend their appointments unless told not to. There may still be some delays, and GPs will need to rebook appointments that could not be made during the IT outage. The public should continue to contact their GPs in the normal way.
As IT systems are complex, we can expect that minor disruption will continue in some areas while systems continue to recover, but my officials expect those to be resolved in the next couple of days. I would like to thank everyone who has worked so hard to get systems up and running again, and all staff who have worked tirelessly to support individuals impacted by the outage.
Following this incident, the Cabinet Office will work with the National Cyber Security Centre and other partners across Government to review the lessons learned. The Central Digital and Data Office will work with the NCSC to implement any improvements to the existing response plans to cover both technical resilience features as well as cyber. The Cobra unit will work with Departments to support their processes for establishing how the organisations and sectors they represent manage the impacts of the outage and what lessons have been learnt.
As soon as the Government were elected, we took immediate steps to begin legislating to protect public services and the third-party services they use. Our cyber-security and resilience Bill, included in the King’s Speech, will strengthen our defences and ensure that more essential digital services than ever before are protected. For example, it will look at expanding the remit of the existing regulation, putting regulators on a stronger footing and increasing reporting requirements to build a better picture in Government of cyber threats. Technology failures can be as disruptive as cyber-attacks, and the move to create the centre for digital government within the Department for Science, Innovation and Technology is aimed at creating a more resilient digital public sector.
What this incident shows is how dependent the modern world is on complex and interconnected IT systems and how essential preparedness for such events is, including business continuity planning. Notwithstanding the immense frustration and inconvenience that the outage has caused, I am pleased to see that effective contingency plans mitigated the very serious impacts that the outage could have had. I am pleased also that there is to be a comprehensive process to identify the lessons from this episode. I hope that they will lead to improvements that both help prevent similar incidents and further improve our resilience to system outages and the impacts they can have. In that spirit, I commend the statement to the House.
The hon. Lady will be aware of the enormous challenges facing this Government and those around the world in relation to cyber-security. As I warned when I was the responsible Minister, threats to public services and critical national infrastructure come from a range of challenges, from hostile state actors to human error and design flaws. Last week we saw those challenges vividly brought to life. Following the corrupted antivirus update by CrowdStrike on Friday, 8.5 million Microsoft devices globally were rendered unusable. That left airports disrupted, patient records temporarily lost and GPs unable to access important patient data, creating significant backlogs. That is more than an inconvenience.
I pay tribute to all those working in our public services for the efforts they undertook over the weekend to restore those services, and to the work of dedicated cyber specialists across Government, including in the National Cyber Security Centre. In government we undertook a wide range of measures to enhance the nation’s cyber-security: creating the National Cyber Security Centre, introducing secure by design, setting cyber-resilience targets, launching GovAssure and transforming the oversight of governmental cyber-security.
I note, as the hon. Lady said, that the Government intend to build on that progress by bringing forward a cyber-security and resilience Bill. Will she therefore outline the timetable for the Bill, and will the Government consider mandatory cyber-security targets for the UK public sector? Are the Government considering obligations to ensure that infrastructure is designed to be resilient against common cause problems, such as this one? What steps are being taken to enhance cyber-security in the devolved Administrations and in parts of the public sector such as the NHS, which are operationally independent?
Specifically in relation to this incident, what assessment has been made of the prevalence of CrowdStrike within critical national infrastructure? What further reassurance can the Government give in relation to the timetable for full recovery of key systems and data? In particular, can the Minister assure employees that this month’s payroll will not be adversely affected?
Britain’s cyber industry is world leading. Cyber-security now employs more than 60,000 people and brings in nearly £12 billion-worth of revenue annually. This transformation was in part due to our £5.3 billion investment, which launched the country’s first national cyber-security strategy. I therefore urge the Government—I see the Chancellor in her place—to continue such investment.
Incidents such as that of CrowdStrike should not deter us from the path of progress. We must embrace digitalisation and the huge improvements to public services that it offers. The adoption of artificial intelligence across Government is the closest thing we have to a silver bullet for public sector productivity. However, if we are to command public confidence, people must be assured that technology is safe, secure and reliable. Such incidents demonstrate how reliant the Government and public services are on large technology companies, and how much responsibility they have for the services that have become critical to people’s lives and livelihoods. That is why, in government, I called for us to work more closely with leading technology firms to address these shared challenges. The best solution is partnership. To that end, what further engagement will the Minister undertake with Microsoft, CrowdStrike and the wider sector to ensure that there is no such recurrence?
The task for us all is to build on existing progress that has transformed Britain’s cyber defences, and to enhance protections for British families, businesses and the very heart of Government. In that mission, the Government can rely on the support of the Opposition.
As the Chancellor of the Duchy of Lancaster said in his statement on the covid inquiry module 1 report, he will lead a review assessing our national resilience to the full range of risks that the UK faces, including cyber-risks.
I wonder if I might press Ministers for assurances on two patient groups who need time-critical care. First, some patients require blood test results before they can commence urgent treatment or have operations. Are there any assurances on the attention that they will be given by the NHS, both now and in any future scenarios? Secondly, there are patients at great risk of becoming extremely ill from getting covid. Since the previous Government scrapped the covid medicines delivery unit, many vulnerable patients have been struggling to get the anti-virals that they need from their GP in time. That situation is made much worse when this kind of disruption happens. Can the hon. Lady provide assurances about any attention that NHS England has given to those two patient cohorts? If not, is she willing to meet me to discuss what we might do in future?
On airlines, as 171 flights were cancelled, some of my constituents were stuck in London and could not get home to Belfast. When it came to banks, some of my constituents who were out shopping found that their credit cards did not work because the system was down. When it came to the health system, the Department of Health in Northern Ireland said that hospital services and about two thirds of GP surgeries faced problems; there had been, for instance, problems getting patients into operating theatres and with accessing staff rosters. The whole system was in absolute chaos.
Does the Minister not agree that the issue has underlined the necessity of ensuring that we are prepared for cyber-breakdown, whether caused by an intentional attack or caused unintentionally? Can she say something about our preparedness for situations such as this, and about our resilience in moving forward from these technological problems, for the benefit of those in all parts of the United Kingdom of Great Britain and Northern Ireland?
Secondly, it is quite difficult for Members to get a handle on the full impact and spread of this contagion. Will she commit to laying before the House some kind of report detailing the sectors that were affected, how seriously they were affected—including Government systems—and whether and how there will be any resolution in the future? Obviously, we need to report to our constituents that these things are less likely to occur in the future.
Contains Parliamentary information licensed under the Open Parliament Licence v3.0.