A 2023 Column Contest grand-prize winner, Laurence Pevsner’s Sorry Not Sorry investigates why we’re sick of everyone apologizing all the time—and how the collapse of the public apology leaves little room for forgiveness and grace in our politics and culture.
Around the world, computers were down. ATMs weren’t letting people get their money. Delta alone canceled more than five thousand flights. Hospitals halted surgeries and called off cancer screenings. Emergency dispatch services were disrupted. Eight and a half million Windows devices were affected. And one single company was responsible for what amounted to the world’s largest outage in the history of information technology: CrowdStrike.
It’s the kind of total failure that calls, obviously and at minimum, for an apology. And as always, your first response when you’ve made a mistake like this is going to be the response people remember. Here was what the CEO of CrowdStrike George Kurtz posted:
CrowdStrike is actively working with customers impacted by a defect found in a single content update for Windows hosts. Mac and Linux hosts are not impacted. This is not a security incident or cyberattack. The issue has been identified and isolated, and a fix has been deployed. We refer customers to the support portal for the latest updates and will continue to provide complete and continuous updates on our website. We further recommend organizations ensure they’re communicating with CrowdStrike representatives through official channels. Our team is fully mobilized to ensure the security and stability of CrowdStrike customers.
This statement is worse than bad. It’s inhuman. It is replete with corporate jargon and does not come close to acknowledging all the people whose lives were made worse by CrowdStrike’s failure. And, of course, there’s not even an attempt at an apology. It’s the kind of statement you might send out on the work Slack if you accidentally broke the coffee machine, not if you accidentally broke the world.
CrowdStrike’s statement did make clear that none of this was the fault of malicious hackers. Ironically, it was the fault of the company whose whole job is to prevent exactly this kind of outcome.
To understand how this disastrous outage and apology came to be, we have to go back to the 2000s. Remember McAfee, the ancient antivirus software that kinda sorta acted like it was, itself, a virus on your computer? McAfee’s chief technology officer decided to leave and start his own company after he had an epiphany. Kurtz was sitting in business class on an American Airlines flight when he chatted up his neighbor—and saw it took a full fifteen minutes for the McAfee software to boot up on his companion’s laptop. According to a profile in a Singaporean newspaper, Kurtz “felt sorry for the other man and felt he deserved a better, faster product.”
So Kurtz decided to start CrowdStrike. The big idea was to put the antivirus software in the cloud. That’s great if you want to increase speeds. But as Georgetown’s director of the Center for Digital Ethics, Laura DeNardis, put it: “The much larger issue is that everything is digitally connected.” When you connect everything through the cloud, she explains, “an outage is no longer about an inability to send an email or access files but about the right to receive medical care or travel freely. Everything from our food supply to our energy systems depends upon secure and resilient digital technologies.”
Kurtz was asked about exactly this problem in an interview with the Today Show. To his credit, he opened his spot with a brief apology, having learned his lesson from the vicious response to his initial online statement. But then, in reply to the very first question he received on air, he crumbled. “According to your statement, it was a single content update that has managed to shut down air travel, credit card payment systems, banks, broadcast, streetlights, 9-1-1 emergency around the globe,” said anchor Savannah Guthrie. “Why is there not some kind of redundancy or some sort of backup? How is it that one single software bug can have a profound and immediate impact?”
Kurtz’s response went viral. He started saying, “Well, when you look at the complexity of cybersecurity…” and then sputtered. Something was literally caught in his throat. The hosts assuaged him as he took a sip of water—“I’m sure it’s been a long night”—but he then proceeded to dodge the question, merely stating that he’s staying “one step ahead of the adversaries” and that they’ve done this kind of content update for “many, many years” without disruption. So, not a lick of introspection.
The virality of the clip came from the way Kurtz’s throat closed up, which was likely a coincidence but seemed indicative of his inability to take accountability. Even if his throat had been clear, his answer was not. When you’re facing these kinds of tough questions about a big mistake, you need real empathy for the people you’ve harmed—not just empathy for the guy sitting next to you in business class.
Unsurprisingly, CrowdStrike’s apology failures kept piling up. After CrowdStrike got a slightly more apologetic statement up on their website, TechCrunch broke the news that the cybersecurity firm was offering some team partners ten-dollar Uber Eats gift cards to make up for the botched update and worldwide outage. “To express our gratitude,” the letter said, “your next cup of coffee or late-night snack is on us!”
Imagine you’re the poor Delta agent trying to rebook everyone’s flights. Hundreds of people yelling at you, all day, for a tech problem out of your control. You get an email from CrowdStrike with an Uber Eats gift card. It’s for ten bucks. An insulting pittance compared to what you’ve been through. But what the heck, you go to get a cup of coffee so you can power through the night. At least you’ll have that. And then you get this message, which was what TechCrunch found partners got when they tried to redeem the reparations: “[this gift card] has been canceled by the issuing party and is no longer valid.”
I’ve argued before that we sometimes scrutinize public apologies too harshly—that apologies shouldn’t have to be perfect. But CrowdStrike’s series of sorry snafus offer a powerful example on the other end of the spectrum. When you make a colossal mistake, people want to see that you know what you’ve done and who you’ve hurt just as much as they want to know what you’re doing to fix it.
When social scientists wonder why public trust continues to crater—Gallup’s annual poll found last year that American confidence in intuitions is at a historical low—part of the answer is apologies like these. If you’re a private corporation whose technology undergirds cybersecurity worldwide, then you are, in fact, a public service. Those profits come with a promise. You must be able to demonstrate that you care about and are accountable to the people you serve. A broken ten-dollar gift card won’t cut it.
This article was edited to reflect that eight and a half million Windows devices were affected, not more than that number.