CrowdStrike apologises for global IT outage
SVP Adam Meyers assures lawmakers the company will take proactive steps to prevent similar issues in the future
A senior executive from cybersecurity firm CrowdStrike appeared before a US congressional committee on Tuesday and apologised for a faulty software update that caused a widespread global IT outage in July.
Adam Meyers, senior vice president for counter adversary operations, acknowledged the company's responsibility for the incident and expressed deep regret for the disruption it caused.
"We are deeply sorry this happened and we are determined to prevent this from happening again," Meyers said.
"We have undertaken a full review of our systems and begun implementing plans to bolster our content update procedures so that we emerge from this experience as a stronger company."
The incident, which occurred on 19th July, had a significant impact on businesses and individuals worldwide.
A software update from CrowdStrike wreaked havoc on Windows machines worldwide, causing a wave of Blue Screens of Death (BSODs) that crippled operations in critical sectors like healthcare, finance, media companies and airlines.
The incident impacted an estimated 8.5 million Microsoft Windows devices. In the UK, GPs were unable to access digital systems.
Delta Air Lines said it had to cancel thousands of flights, affecting over 1.3 million passengers and costing the company $500 million.
On Tuesday, lawmakers on the House of Representatives cybersecurity subcommittee pressed Meyers on the technical details of the outage, questioning how such a widespread disruption could have happened due to a simple mistake.
Meyers explained that the outage was a result of a content configuration update for CrowdStrike's Falcon Sensor security software that malfunctioned on Microsoft Windows devices.
He assured lawmakers that the outage was not the result of a cyberattack or prompted by AI.
Representative Mark Green, chairman of the House Homeland Security Committee, likened the impact of the outage to a sophisticated nation-state attack. He said that mistakes of this magnitude must be avoided at all costs.
Meyers acknowledged the company's lessons learned from the incident and assured lawmakers that it would take proactive steps to prevent similar issues in the future.
While the hearing did not see CrowdStrike face the same level of scrutiny as other tech executives in recent years, lawmakers underscored the importance of collaboration between firms and government to prevent future incidents.
Despite the apology and assurances, CrowdStrike continues to face legal challenges from individuals and businesses affected by the outage.
For example, Delta Air Lines has sued the company over the cancellation of thousands of flights due to the system shutdown.
Last month, CrowdStrike announced that it had cut its revenue forecasts in the aftermath of the outage. The company warned that the environment would remain challenging for the next year as it worked to rebuild customer trust and address technical vulnerabilities exposed by the incident.
Commenting on the issue, Jon Mort, CTO of Adaptavist, said: "The industry as a whole should also take note of CrowdStrike's candour. Although much of the postmortem from the outage has focused on the technical learnings, to minimise the risk of an incident of this magnitude happening again, it is equally important that companies build a culture of psychological safety.
"In creating an environment where people and organisations can be honest when mistakes are made, and crucially share these mistakes openly, the industry can continue to learn and advance. This is something exemplified by the airline industry in its crash investigations, and which the tech sector should look to model.
"For most businesses, discussing mistakes is unlikely to be something they ever do at government level, but this doesn't mean the lessons should be disregarded. For governments, it is also incumbent on them to ensure their lines of questioning encourage candour. Some have observed that Adam Meyers faced less scrutiny than other executives when called to testify, however focusing more on learning and less on blame may yield greater change in the long term."