CrowdStrike apologises before US Congress for global IT outage
Cybersecurity firm CrowdStrike faced significant scrutiny on 24th September as it appeared before Congress to address its role in the global IT outage that occurred in July.
The outage, caused by a faulty software update, led to widespread disruptions across various sectors, affecting millions of people worldwide.
Adam Meyers, a senior executive from CrowdStrike, testified before a US congressional committee, fielding questions about the software glitch that crippled millions of PCs on 19th July. The incident brought payment systems to a standstill, grounded flights, and forced hospitals to cancel appointments and delay surgeries.
Expressing remorse, Mr Meyers apologised for the disruption, stating the company was "deeply sorry" for the impact and "determined to ensure it does not happen again". CrowdStrike later described the incident as the result of a "perfect storm" of unfortunate events.
Lawmakers on the House of Representatives’ cybersecurity subcommittee pressed Meyers for details on how the situation unfolded. In his opening remarks, Mark Green, Chairman of the House Homeland Security Committee, compared the scale of the incident to a scenario typically seen in fiction. Green remarked that such widespread consequences would typically be attributed to a "malicious and sophisticated nation-state actor" rather than an internal error.
Mr Meyers assured the committee that CrowdStrike would continue to implement lessons learned from the event and take steps to prevent future occurrences. During the 90-minute hearing, the executive responded to both technical inquiries, including questions about the software’s access to core components of operating systems, and more general discussions on artificial intelligence (AI) and its future role in cybersecurity.
Congressman Carlos Gimenez raised concerns about the potential for AI to generate harmful code. Meyers acknowledged that, while AI technology is rapidly advancing, it has not yet reached a point where it poses such risks, though its capabilities improve daily.
In response to concerns regarding AI, Meyers reiterated that the erroneous update, which led to the mass outage, was not the result of AI but a human mistake. He further explained that CrowdStrike typically releases between 10 and 12 configuration updates each day.
The hearing also touched on national security concerns, with lawmakers expressing apprehension about how large-scale cyber incidents could be exploited by malicious actors during moments of confusion or panic. However, Meyers did not face the intense level of questioning often directed at senior executives during such hearings.
Congressman Eric Swalwell noted that the committee had not convened to "malign" the company, while Chairman Green acknowledged Meyers' "impressive" display of humility throughout the session. There was a consensus on the importance of collaboration between the company and government to avoid future incidents.
Despite the testimony, CrowdStrike still faces numerous lawsuits from those impacted by the outage. The company is also being sued by shareholders and Delta Airlines, which claimed that the outage forced the cancellation of thousands of flights. Delta reported losses of $500m (£374m) due to what it described as CrowdStrike's "negligence".
Commenting on the events, Steve Ponting, Director at Software AG, said: "The CrowdStrike hearing yesterday shone a very important light on the importance of process intelligence and how organisations can make that insight available to those who need it.
"Process Intelligence is required to master the operational chaos businesses find themselves in today. In an environment where sometimes it is 'too fast to think', businesses should have full oversight of people, technology systems and processes, ensuring these are flexible enough to provide digital resilience and operational excellence, but also robust enough to comply with auditors and regulators alike.
"Having this intelligence helps IT and business leaders understand user behaviours or common practices that elevate risk. In this case, behaviours that increase the risk of future widespread IT failures; for example, where employees deviate from standardised processes."