A group of House lawmakers Tuesday grilled an executive with cybersecurity firm CrowdStrike, who said the company is “deeply sorry” for causing the global technology outage that grounded thousands of flights and impacted various industries last July.
“On behalf of everyone at CrowdStrike, I want to apologize. We are deeply sorry this happened and are determined to prevent it from happening again,” CrowdStrike Senior Vice President Adam Meyers said during opening remarks.
Meyers’s appearance before the House Homeland Security Subcommittee on Cybersecurity and Infrastructure marked the only hearing so far scheduled to discuss CrowdStrike’s botched July 19 update, which crashed computers running Windows software and prompted a global outage.
Hundreds of flights were canceled or delayed due to the outage, while hospitals, emergency services and some government offices were also impacted. The incident sparked scrutiny of the cybersecurity firm and how foreign adversaries could take advantage of these sorts of vulnerabilities.
“The sheer scale of this error was alarming. A routine update could cause this level of disruption – just imagine what a skilled and determined nation-state actor could do,” subcommittee chair Rep. Andrew Garbarino (R-N.Y.) said in opening remarks.
“We cannot lose sight of how this incident factors into the broader threat environment. Without question, our adversaries have assessed our response, recovery and true level of resilience.
“It is clear that this outage created an advantageous environment ripe for exploitation by malicious cyber actors,” he added.
Subcommittee ranking member Rep. Eric Swalwell (D-Calif.) noted Tuesday’s hearing was not intended to “malign” CrowdStrike, but rather to understand the circumstances behind the outage.
Meyers emphasized the July outage was not a cyberattack from foreign threat actors.
“This incident was caused by a CrowdStrike rapid response content update that was focused on addressing new threats,” he said, adding the company is focused on increasing transparency and “learning” from the failed update.
“We have undertaken a full review of our systems and begun implementing plans to bolster our content update procedures so that we emerge from this experience as a stronger company,” he said. “I can assure you that we will take the lessons learned from this incident and use them to inform our work as we improve for the future.”
Changes to the platform include a new option for customers to opt in and choose when they receive content updates, Meyers said. Extensive internal training programs and conferences are also provided to CrowdStrike staff, Meyers told Rep. Mike Ezell (R-Miss.).
Rep. Morgan Luttrell (R-Texas) put Meyers on the spot for CrowdStrike’s failure to collectively test content updates on the internal side before it is pushed out.
“That’s where we are now, the new methodology is to test all of the content updates internally before they’re released to the early adopters,” Meyers rebuked.
“I’m still trying to figure out how this thing got launched, with it not being absolute,” Luttrel said at one point, prompting Meyers to go into greater detail about where the process failed.
Homeland Security Committee Chair Rep. Mark Green (R-Tenn.) brought up the hot-button issue of artificial intelligence (AI), asking the executive who made the decision to launch the update and if AI played a role.
Meyers confirmed AI was not responsible for any decisions in the process, noting the update was part of a group of 10 to 12 updates released every day by the firm. He said the firm is no longer fielding updates simultaneously to all customers in the same session to avoid a similar situation.
When pressed by Rep. Troy Carter (D-La.) if CrowdStrike has a way to allow for greater cooperation between the firm, Microsoft and other “good actors,” Meyers said the firm began “working closely” with Microsoft the weekend of July 19 and a sit down between the two companies was later held to discuss future improvements.
Meyers said “awareness is a key factor” in incidents like the global outage, for both the customers on their platform and the general public.
He later said the company would “fully cooperate” with an investigation into the incident by the Cyber Safety Review Board and other reviews “to ensure that we have provided transparency and visibility” into the firm.
