When your company is responsible for one the largest IT outages in history, the U.S. government is going to want to hear more about it.
And that’s what took place Tuesday (Sept. 24), when the U.S. House Committee on Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection heard from Adam Meyers, senior vice president, counter adversary operations, at CrowdStrike, during a hearing entitled, “An Outage Strikes: Assessing the Global Impact of CrowdStrike’s Faulty Software Update.”
The July IT outage severely disrupted key functions of the global economy, resulting in cancellations of 3,000 commercial flights, delays of 11,800 other flights, cancellations of surgeries, disruptions to 911 emergency call centers, and a need for companies across nearly all commercial sectors to devote millions of manual labor hours to solving the problem.
While members of the House Homeland Security Committee had originally asked CrowdStrike CEO George Kurtz to appear and give public testimony about the faulty software update, Kurtz instead sent Meyers as his deputy.
“The sheer scale of this error was alarming. … We are here today to understand what went wrong,” subcommittee Chairman Rep. Andrew Garbarino, R-N.Y., said to open the hearing.
“We need CrowdStrike to be effective and successful because its efficacy and success are the effectiveness and success of its customers,” added ranking member Rep. Eric Swalwell, D-Calif., noting that CrowdStrike holds 17.7% of the global cybersecurity market share.
Read more: CrowdStrike Outage Rolls On; Attention Turns to Software Update Quality Control
“Just over two months ago, we let our customers down,” CrowdStrike’s Meyers said to begin his testimony.
CrowdStrike is used by 538 Fortune 1000 companies, 298 Fortune 500 firms, and 43 of 50 U.S. states.
Delta has claimed that the IT outage, which canceled over 5,000 of its flights, will cost it $500 million, and in a report published Thursday (Sept. 19), Germany’s Federal Office for Information Security (BSI) found that 10% of German-based organizations impacted by the July outage are dropping their current security vendors’ products.
As PYMNTS reported at the start of the month, CrowdStrike faces numerous legal challenges from the glitch that caused a global tech outage, while writing about the incident in August, we argued here that the outage underscored the need for companies to have effective disaster recovery plans.
Asked by lawmakers how CrowdStrike is going to make it right “for the victims of the incident by making them whole … and create accountability for the space in the future,” Meyers demurred and saying instead to the fact that 99.9% of systems were up and running soon after the incident.
Regarding what actually happened that day in July, Meyers explained to lawmakers that one of CrowdStrike’s Falcon threat detection configurations — which are sent daily to sensors running on Microsoft Windows devices — contained an extra input for which there was no defined action. This mismatch led the software to follow a configuration without knowing which rules to follow, triggering a malfunction until the problematic configurations were replaced.
Lawmakers from rural districts highlighted what they framed as a widening digital divide when questioning Meyers about CrowdStrike’s recovery response and the delays suffered by organizations in their regions.
Read more: Reducing the Attack Surface: How Data Breaches Imperil Corporate Networks
As noted by Meyers during his testimony, advancements in threat detection, prevention and response capabilities have aided defenders in recent years, but adversaries have responded by increasingly adopting and relying on techniques to evade detection. This includes supply chain attacks, insider threats and identity-based attacks. Threat actors’ speed also continues to accelerate as adversaries compress the time between initial entry, lateral movement, and “actions of objective” (like data exfiltration or attack).
At the same time, Meyers added, the rise of generative artificial intelligence (AI) has the potential to lower the barrier of entry for low-skilled adversaries, making it easier to launch attacks that are more sophisticated and state of the art.
“Good AI equals good cybersecurity,” he said. “There’s a wave of horizon threats that pertain to AI.”
Against this backdrop, Craigslist founder Craig Newmark reportedly made a $100 million cybersecurity pledge last week (Sept. 18), saying that the United States is “under attack,” and at risk for hacking by foreign governments.
And elsewhere, Disney reportedly plans to stop using workplace collaboration platform Slack following a recent data breach that exposed sensitive information.