A senior executive at the cybersecurity firm CrowdStrike apologized during a congressional hearing on Sept. 24 for a faulty software update that caused a worldwide IT outage in July.
Meyers said that the Austin-based company is “deeply sorry this happened” and that it is “determined to prevent this from happening again.”
July’s global outage occurred because of an undetected error in a software update issued for Windows in a security system called Falcon, which is produced by CrowdStrike, the company has said.
It caused millions of computers running Microsoft Windows to crash, affecting multiple industries around the globe, including banks, health care, media companies, and hotel chains. It also led to flight cancellations worldwide.
“We have undertaken a full review of our systems and begun implementing plans to bolster our content update procedures so that we emerge from this experience as a stronger company,” Meyers said.
As of July 29, about 99 percent of customers’ systems were back up and running, the CrowdStrike senior exec stated.
Lawmakers during the hearing referred to July’s incident as the largest IT outage in history and said it demonstrates how global networks are increasingly interconnected.
“A global IT outage that impacts every sector of the economy is a catastrophe that we would expect to see in a movie,” Rep. Mark Green (R-Tenn.), who chairs the House Homeland Security Committee, said. “It is something that we would expect to be carefully executed by a malicious and sophisticated nation-state actor.”
Meyers said the incident was caused by a CrowdStrike “rapid response content update” and it “was not a cyberattack from foreign threat actors.”
The Tennessee representative said that although “mistakes can happen,” the company “cannot allow a mistake of this magnitude to happen again.”
“In this case, CrowdStrike’s Content Validator used for its Falcon Sensor did not catch a bug in a channel file,” Green said. “It also appears that the update may not have been appropriately tested before being pushed out to the most sensitive part of a computer’s operating system.”
Companies must implement the strongest cybersecurity practices possible, Green said.
“I can assure you that we will take the lessons learned from this incident and use them to inform our work as we improve for the future,” Meyers said at the hearing.
That lawsuit also notes that CrowdStrike’s share price fell by 32 percent in the 12 days that followed the outage, wiping out $25 billion of market value.
When the lawsuit was filed, CrowdStrike said the case lacks merit.
Speaking at the time of the outage, CrowdStrike CEO George Kurtz said, “We identified this very quickly and remediated the issue.”
He added that its systems were constantly being updated to ward off “adversaries that are out there.”
Kurtz said the company emerged more resilient in the wake of July’s outage and will continue to aggressively invest in innovation.
