In what has become an annual ritual between Silicon Valley and the Beltway, a House subcommittee pressed a tech company over a glitch. And the company promised to do better.
During a hearing Tuesday, federal lawmakers reacted with measured outrage at CrowdStrike Inc.’s software outage that wreaked havoc with key sectors of the global digital economy this summer. A faulty software update inadvertently led to worldwide flight cancellations and impacted banks, health care, media companies and hotel chains worldwide. The July 19 incident disrupted internet services, affecting 8.5 million Microsoft Windows devices.
“The sheer scale of this error was alarming,” Rep. Andrew Garbarino, R-N.Y., co-chairman of the House Homeland Security Cybersecurity and Infrastructure Protection subcommittee, said in opening remarks Tuesday. “Imagine what a skilled nation-state or actor could do?”
An apologetic CrowdStrike executive, echoing a contrite company line, outlined what is being done to avoid a repeat of the massive outage.
“We are deeply sorry this happened and are determined to prevent it from happening again,” Adam Meyers, senior vice president for counter adversary operations at CrowdStrike, told the House subcommittee on Tuesday. He said CrowdStrike released a content configuration update for its Falcon Sensor security software that malfunctioned “until the problematic configurations were replaced.”
“We have undertaken a full review of our systems and begun implementing plans to bolster our content update procedures so that we emerge from this experience as a stronger company,” Meyers said.
The company has since crafted a layered software update option for users, from early adoption (for testing purposes) to general availability. CrowdStrike also met with Microsoft last week to plan future improvements and resiliency, Meyers added.
Rep. Eric Swalwell, D-Calif., the subcommittee’s other chairman, noted this was not the first time Congress has asked a tech company to explain a snafu, but he praised the company and its chief executive, George Kurtz, for its transparency and earnestness.
Sometimes, the questions veered from the pragmatic to the mystifying.
“Who made the decision to launch the update? Did AI do that, or did an individual?” Rep. Mark Green, R-Tenn., asked.
No, Meyers answered, it was part of a standard process of 10 to 12 daily configuration updates.
“This was not a breach but we remain concerned about potential threats from North Korea, Iran, Russia and China,” Meyers said.
Still, the scope and severity of the July 19 outage have damaged the company financially and legally. Last month, CrowdStrike shaved its revenue and profit forecasts following the outage, and Delta Air Lines Inc. has threatened legal action after it said the outage cost it $500 million because of 7,000 flight cancellations affecting 1.3 million passengers over five days. CrowdStrike disputes Delta’s charges.
“CrowdStrike should know that a built-in, simple, staging environment would have stopped this, but this issue goes beyond CrowdStrike,” Guy Moskowitz, CEO and co-founder of Coro, said in an email. “Many other cybersecurity companies do not provide their customers with this safeguard. Security vendors must treat the trust given to them by millions of business owners as sacred, and I hope to see this committee hearing recommend and even demand that every security vendor immediately implement staging environment safeguards.”