CrowdStrike Executive Testifies Before Congress on Global Tech Outage

CrowdStrike executive questioned by lawmakers over global tech outage

The July incident underscored how dependent modern commerce and communications have become on just a handful of large technology companies. Travelers were stranded as airlines canceled flights. Emergency services were disrupted as 911 operators found that their systems had failed. Hospitals paused some of their services.Lawmakers on Tuesday grilled an executive from cybersecurity firm CrowdStrike about a widespread technology outage this summer that crippled global travel, hobbled government agencies and sent major companies scrambling to get their operations back online. The outage was caused by a faulty update sent to CrowdStrike software running on Microsoft's Windows operating system. Devices went spiraling, unable to properly restart unless someone removed the flawed file from their systems. Adam Meyers, CrowdStrike's senior vice president of counter adversary operations, told members of a House Homeland Security subcommittee that the company had instituted new safeguards to ensure that such a failure couldn't happen again. Lawmakers pushed Meyers to explain why the error had happened in the first place and how the company planned to answer for the outage's harm to consumers. "I want to make sure that you all know what happened, can explain it, and then how you're making sure it's not going to happen again," said Rep. Andrew Garbarino, R-N.Y. The July incident underscored how dependent modern commerce and communications have become on just a handful of large technology companies. Travelers were stranded as airlines canceled flights. Emergency services were disrupted as 911 operators found that their systems had failed. Hospitals paused some of their services. Tuesday's hearing pointed to the persistent questions that governments have about the power and influence of tech companies that dominate the modern internet era. Lawmakers around the world have created recent laws to regulate how companies such as Microsoft, Amazon, Apple, Google and Meta, the owner of Facebook and Instagram, do business. They have accused the companies of entrenching themselves by shutting out smaller competitors, and have set new rules for how social media platforms handle content. "This heavy dependence on the tech sector is new, and it does increase the vulnerability to large shocks," said Jonathan Welburn, a senior researcher at the RAND Corp. who studies and models the supplier connections and dependencies among companies, in a recent interview. The July outage swept across the globe as computers received the faulty update. Its immediate impact was largely confined to computers used by businesses, rather than individual consumers, because CrowdStrike works with big corporate clients. The infamous Windows "blue screen of death" appeared on disabled machines. Inside CrowdStrike, engineers were told to focus on fixing the problem rather than on tracing its cause. The company eventually posted instructions to tell its customers how to fix the problem and issued a software patch designed to stop devices from rebooting continuously. George Kurtz, the company's CEO, was absent from the hearing even though the committee had initially demanded his testimony. In his place was Meyers, who said in his opening statement that CrowdStrike had "let our customers down." "We are deeply sorry and are determined to prevent this from ever happening again," he said. Many lawmakers praised CrowdStrike's overall response. But they pushed Meyers to account for how a routine update -- the kind the company sends 10 to 12 times a day -- could have gone so wrong. He said the company's process for screening updates had failed to catch the issue. "It tested as clean or good, and that's why it was allowed to roll out," he said. The company has since updated its internal processes to incorporate more rigorous testing to protect against a similar situation, Meyers said. CrowdStrike customers can now opt to wait to receive updates, too. While CrowdStrike has made clear that a cyberattack did not cause the outage, lawmakers signaled that they were still concerned about the way the public had suffered. Rep. William R. Timmons IV, R-S.C., asked Meyers how the company planned to hold itself accountable. Timmons said his "constituents that missed flights and were stuck in airports for weeks" probably didn't care about the company's distinction between a security breach and the flawed update. On the company's most recent earnings call, CrowdStrike executives said it was dedicating $60 million to "customer commitment packages," paid out in the form of credits to clients that were affected. That is a much smaller figure than the $500 million that Delta Air Lines says it lost to the outage. The airline said in an August securities filing that it was "pursuing legal claims against CrowdStrike and Microsoft to recover damages caused by the outage." CrowdStrike executives previously said insurance would limit the company's losses. Rep. Mark E. Green, R-Tenn., asked Meyers whether artificial intelligence had been involved in sending out the faulty update. "AI was not responsible for making any decision in that process," Meyers said. Garbarino suggested that he was worried that if this failure was a "perfect storm," it could happen again without changes from CrowdStrike. "Because a lot of perfect storms or hundred-year floods are happening now every other year," he said.

House lawmakers press CrowdStrike exec on global outage

A group of House lawmakers Tuesday grilled an executive with cybersecurity firm CrowdStrike, who said the company is "deeply sorry" for causing the global technology outage that grounded thousands of flights and impacted various industries last July. "On behalf of everyone at CrowdStrike, I want to apologize. We are deeply sorry this happened and are determined to prevent it from happening again," CrowdStrike Senior Vice President Adam Meyers said during opening remarks. Meyers's appearance before the House Homeland Security Subcommittee on Cybersecurity and Infrastructure marked the only hearing so far scheduled to discuss CrowdStrike's botched July 19 update, which crashed computers running Windows software and prompted a global outage. Hundreds of flights were canceled or delayed due to the outage, while hospitals, emergency services and some government offices were also impacted. The incident sparked scrutiny of the cybersecurity firm and how foreign adversaries could take advantage of these sorts of vulnerabilities. "The sheer scale of this error was alarming. A routine update could cause this level of disruption - just imagine what a skilled and determined nation-state actor could do," subcommittee chair Rep. Andrew Garbarino (R-N.Y.) said in opening remarks. "We cannot lose sight of how this incident factors into the broader threat environment. Without question, our adversaries have assessed our response, recovery and true level of resilience. "It is clear that this outage created an advantageous environment ripe for exploitation by malicious cyber actors," he added. Subcommittee ranking member Rep. Eric Swalwell (D-Calif.) noted Tuesday's hearing was not intended to "malign" CrowdStrike, but rather to understand the circumstances behind the outage. Meyers emphasized the July outage was not a cyberattack from foreign threat actors. "This incident was caused by a CrowdStrike rapid response content update that was focused on addressing new threats," he said, adding the company is focused on increasing transparency and "learning" from the failed update. "We have undertaken a full review of our systems and begun implementing plans to bolster our content update procedures so that we emerge from this experience as a stronger company," he said. "I can assure you that we will take the lessons learned from this incident and use them to inform our work as we improve for the future." Changes to the platform include a new option for customers to opt in and choose when they receive content updates, Meyers said. Extensive internal training programs and conferences are also provided to CrowdStrike staff, Meyers told Rep. Mike Ezell (R-Miss.). Rep. Morgan Luttrell (R-Texas) put Meyers on the spot for CrowdStrike's failure to collectively test content updates on the internal side before it is pushed out. "That's where we are now, the new methodology is to test all of the content updates internally before they're released to the early adopters," Meyers rebuked. "I'm still trying to figure out how this thing got launched, with it not being absolute," Luttrel said at one point, prompting Meyers to go into greater detail about where the process failed. Homeland Security Committee Chair Rep. Mark Green (R-Tenn.) brought up the hot-button issue of artificial intelligence (AI), asking the executive who made the decision to launch the update and if AI played a role. Meyers confirmed AI was not responsible for any decisions in the process, noting the update was part of a group of 10 to 12 updates released every day by the firm. He said the firm is no longer fielding updates simultaneously to all customers in the same session to avoid a similar situation. When pressed by Rep. Troy Carter (D-La.) if CrowdStrike has a way to allow for greater cooperation between the firm, Microsoft and other "good actors," Meyers said the firm began "working closely" with Microsoft the weekend of July 19 and a sit down between the two companies was later held to discuss future improvements. Meyers said "awareness is a key factor" in incidents like the global outage, for both the customers on their platform and the general public. He later said the company would "fully cooperate" with an investigation into the incident by the Cyber Safety Review Board and other reviews "to ensure that we have provided transparency and visibility" into the firm.

CrowdStrike boss apologises before US Congress for global IT outage

Mr Meyers said the firm was "deeply sorry" for the outage that affected millions of people and is "determined to prevent it from happening again". CrowdStrike described the outage as the result of a "perfect storm". Lawmakers on the House of Representatives cybersecurity subcommittee pressed Mr Meyers on how it occurred in the first place. "A global IT outage that impacts every sector of the economy is a catastrophe that we would expect to see in a movie," said Mark Green, chairman of the House Homeland Security Committee, in his opening remarks. The Tennessee representative likened the widespread impact of CrowdStrike's faulty content update to an attack "we would expect to be carefully executed by a malicious and sophisticated nation-state actor". Instead "the largest IT outage in history was due to a mistake", he said. Mr Meyers said the company would continue to act on and share "lessons learned" from the incident to make sure it would not happen again. Among the questions directed at Mr Meyers during the 90-minute hearing were technical queries about whether the company's software should have access to core parts of device operating systems. But there were also more general questions about artificial intelligence (AI) and its potential impact on cybersecurity. Congressman Carlos Gimenez asked about the threat of AI writing malicious code. Mr Meyers said he thought the tech was "not there yet" but added that every day it "gets better". In response to one representative's line of questioning, Mr Meyers reiterated that AI - which the company leverages to detect threats to systems - was not responsible for pushing the erroneous update that crashed computers around the world. He said CrowdStrike releases between 10 and 12 configuration updates each day. Lawmakers on the committee raised concerns about the impact of large-scale cyber events on national security, adding they could also be exploited by bad actors looking to capitalise on confusion or panic. But all in all, Mr Meyers did not face quite the level of scrutiny that other high-level technology executives have when called to testify in Congress over apparent failings. Congressman Eric Swalwell said the committee had not gathered to "malign" the firm, while Mr Green said Mr Meyers showed an "impressive" degree of humility. Instead there was an emphasis on working together with the committee and government to prevent the possibility of any such further incidents in future. The company still faces a number of lawsuits from people and businesses that were caught up in July's mass outage. Some of the people affected told BBC News it "totally ruined" their holidays, or caused them to lose out on business. The firm has been sued by its own shareholders, as well as by Delta Airlines passengers left stranded by thousands of flight cancellations.

CrowdStrike boss apologises for 'mistake' that caused global IT outage

The global IT failure led to worldwide flight cancellations and impacted industries around the globe including banks, health care, media companies and hotel chains. A senior executive at CrowdStrike has apologised for a faulty software update that caused a global IT outage in July. The incident led to worldwide flight cancellations and impacted industries around the globe including banks, health care, media companies and hotel chains. The outage disrupted internet services, affecting 8.5 million Microsoft Windows devices. Adam Meyers, senior vice president for counter adversary operations at CrowdStrike, said the company released a content configuration update for its Falcon Sensor security software that resulted in system crashes worldwide. "We are deeply sorry this happened and we are determined to prevent this from happening again," Mr Meyers said. "We have undertaken a full review of our systems and begun implementing plans to bolster our content update procedures so that we emerge from this experience as a stronger company." The committee members pressed Mr Meyers on how the incident occurred in the first place, with legislators likening its impact to that of a well-planned, sophisticated cyber attack, rather than because of a "mistake" inside CrowdStrike's software. He said the issue was not the result of a cyberattack or prompted by AI. Giving evidence to US legislators, Mr Meyers said: "We appreciate the incredible round-the-clock efforts that our customers and partners who, working alongside our teams, mobilised immediately to restore systems. "We were able to bring many customers back online within hours. I can assure that we continue to approach this with a great sense of urgency." CrowdStrike said an "undetected error" in a software update sparked the problem. A bug in the firm's content validation system meant "problematic content data" was not spotted and then allowed to roll out to Microsoft Windows customers, causing the crash. Mr Meyers said the cybersecurity firm would continue to share "lessons learned" from the incident to ensure it did not happen again. CrowdStrike faces numerous lawsuits Some people said CrowdStrike didn't face such an intense grilling by the committee as other tech executives have been subjected to in recent years. Instead, emphasis was placed on firms working with committees and government to prevent future incidents of a similar nature. Read more from Sky News: UK and allies issue alert over huge China-backed botnet Cards Against Humanity sues SpaceX for $15m AI taught how to spot buildings and settlements However, CrowdStrike still faces lawsuits from people and businesses impacted by the outage - it has been sued by its own shareholders as well as by US aviation giant Delta Airlines after it cancelled thousands of flights because of the system shutdown. In the UK, the CrowdStrike outage left GPs unable to access systems that manage appointments or allow them to view patient records or send prescriptions to pharmacies - which were also widely impacted - forcing doctors to return to using pen and paper. Meanwhile, flights were cancelled or delayed and passengers left stranded as airline systems were knocked offline or staff were forced to handwrite boarding passes and luggage tags. Many small businesses also reported a substantial impact on their income, with some saying their websites being knocked offline by the incident cost them hundreds or even thousands of pounds in sales.

CrowdStrike exec apologizes before US Congress for software glitch behind July global outage

"We are deeply sorry this happened and we are determined to prevent this from happening again," Meyers said. "We have undertaken a full review of our systems and begun implementing plans to bolster our content update procedures so that we emerge from this experience as a stronger company." He said the issues was not the result of a cyberattack or prompted by AI. The July 19 incident led to worldwide flight cancellations and impacted industries around the globe including banks, health care, media companies and hotel chains. The outage disrupted internet services, affecting 8.5 million Microsoft Windows devices. "We cannot allow a mistake of this magnitude to happen again," said Representative Mark Green, who chairs the House Homeland Security Committee calling the events "a catastrophe that we would expect to see in a movie." Meyers said that on July 19 new threat detection configurations were validated and sent to sensors running on Microsoft Windows devices but the "configurations were not understood by the Falcon sensor's rules engine, leading affected sensors to malfunction until the problematic configurations were replaced." Delta Air Lines has vowed to take legal action, saying the outage forced it to cancel 7,000 flights, impacting 1.3 million passengers over five days, and cost it $500 million. CrowdStrike rejected Delta's contention that it should be blamed for massive flight disruptions. Last month, CrowdStrike cut its revenue and profit forecasts in the aftermath of the faulty software update, and said the environment would remain challenging for about a year. (Reporting by David Shepardson; Editing by Mark Potter and David Gregorio)

CrowdStrike exec reveals new safety measures in Congressional drilling

CrowdStrike's senior vice-president for counter adversary operations, Adam Meyers, reiterated his company's apology today during a House subcommittee hearing and went on to say that the company has launched a configuration update for its Falcon Sensor software system. Meyers was grilled Tuesday afternoon by lawmakers from the House's Cybersecurity and Infrastructure Protection subcommittee over the company's failure to properly address its faulty software update that led to a global IT outage in mid-July. Following the global outage, companies across the airlines, banking, telecommunications, and healthcare industries were deeply affected for weeks. The outage disrupted internet services, affecting about 8.5 million Microsoft (MSFT) Windows devices, per Reuters. "We are deeply sorry this happened, and we are determined to prevent this from happening again," Meyers said at the hearing. "We have undertaken a full review of our systems and begun implementing plans to bolster our content update procedures so that we emerge from this experience as a stronger company." During the grilling session, which was led by Republican Rep. Mark Green from Tennessee, Meyers said CrowdStrike (CRWD) takes "full responsibility" for the international system crashes. He also deemed that the issues were not the result of a cyberattack, nor was it induced by artificial intelligence. "The July 19 incident stemmed from a confluence of factors that ultimately resulted in the Falcon sensor attempting to follow a threat detection configuration for which there was no corresponding definition of what to do," Meyers said. After the IT incident, CrowdStrike lost about $60 million in contract sales. The cybersecurity firm said that the incident scared off customers who were looking to close deals during the final weeks of the second quarter. Meyers announced during the hearing that the company had taken several steps to sharpen its system and would prevent another outage from happening at this level again. He stated that CrowdStrike will no longer unveil its software updates internationally to all customers in a single session. The company will also allow customers to select when they receive their updates. They have the option of waiting to be the second or third group of clients who will receive the update after it goes public. "Mistakes can happen," Green said. "However, we cannot allow a mistake of this magnitude to happen again. A global IT outage that impacts every sector of the economy is a catastrophe that we would expect to see in a movie. It is something that we would expect to be carefully executed by a malicious and sophisticated nation-state actor."

CrowdStrike Executive Struck By Regret In House Hearing, Says Company Determined To Prevent Instances Like Microsoft Outage From Repeating: 'Deeply Sorry This Happened' - Microsoft (NASDAQ:MSFT), CrowdStrike Holdings (NASDAQ:CRWD)

On Tuesday, an executive from the cybersecurity firm CrowdStrike Holdings Inc. CRWD faced questioning from House lawmakers regarding a global technology outage that occurred in July. What Happened: Adam Meyers, senior vice president of CrowdStrike, expressed his company's regret for the incident that disrupted thousands of flights and various industries. "We are deeply sorry this happened and are determined to prevent it from happening again," Meyers stated during his opening remarks, reported The Hill. The hearing, held by the House Homeland Security Subcommittee on Cybersecurity and Infrastructure, was the first to address the July 19 update mishap by CrowdStrike. The faulty update crashed computers running Microsoft Corporation's MSFT Windows software, leading to a global outage. See Also: Jeff Bezos Had A Habit Of Keeping An Empty Chair For The Most Important Person In The Room At Company Meetings: This Strategy Helped The Amazon Founder Build The E-Commerce Giant We Know Today During the questioning, Meyers stated that the outage was not a result of a cyberattack but was caused by a rapid response content update from CrowdStrike. "I can assure you that we will take the lessons learned from this incident and use them to inform our work as we improve for the future," he said. Homeland Security Committee Chair Rep. Mark Green (R-Tenn.) raised the pressing issue of artificial intelligence, questioning the executive responsible for approving the update and whether AI was involved in the decision, the report noted. In response, Meyers said that AI had no role in the decision-making process, explaining that the update was one of 10 to 12 released daily by the company. He added that the firm has stopped deploying updates to all customers simultaneously to prevent a recurrence of the issue. Subscribe to the Benzinga Tech Trends newsletter to get all the latest tech developments delivered to your inbox. Why It Matters: The global IT outage, attributed to a software update from CrowdStrike, was described as the "largest IT outage in history," impacting computer systems running on the Windows operating system and cloud services. The incident affected businesses worldwide, including airlines, banks, media, and even 911 services. Following the outage, Delta Air Lines, Inc. disclosed that it expects the operational disruptions to have a direct revenue impact of $380 million for the September quarter due to flight cancellations and customer compensation. Microsoft pointed the finger at Delta for its extended recovery from the outage, stating that the airline's lack of IT modernization contributed to the prolonged recovery. Delta defended its IT infrastructure, stating it has invested billions in IT capital expenditures since 2016. Check out more of Benzinga's Consumer Tech coverage by following this link. Read Next: Elon Musk Reacts After Mark Cuban Says He Would Buy X 'In A Heartbeat' Disclaimer: This content was partially produced with the help of Benzinga Neuro and was reviewed and published by Benzinga editors. Market News and Data brought to you by Benzinga APIs

Lawmakers Press CrowdStrike on July Failure, AI Dangers During House Hearing | PYMNTS.com

And that's what took place Tuesday (Sept. 24), when the U.S. House Committee on Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection heard from Adam Meyers, senior vice president, counter adversary operations, at CrowdStrike, during a hearing entitled, "An Outage Strikes: Assessing the Global Impact of CrowdStrike's Faulty Software Update." The July IT outage severely disrupted key functions of the global economy, resulting in cancellations of 3,000 commercial flights, delays of 11,800 other flights, cancellations of surgeries, disruptions to 911 emergency call centers, and a need for companies across nearly all commercial sectors to devote millions of manual labor hours to solving the problem. While members of the House Homeland Security Committee had originally asked CrowdStrike CEO George Kurtz to appear and give public testimony about the faulty software update, Kurtz instead sent Meyers as his deputy. "The sheer scale of this error was alarming. ... We are here today to understand what went wrong," subcommittee Chairman Rep. Andrew Garbarino, R-N.Y., said to open the hearing. "We need CrowdStrike to be effective and successful because its efficacy and success are the effectiveness and success of its customers," added ranking member Rep. Eric Swalwell, D-Calif., noting that CrowdStrike holds 17.7% of the global cybersecurity market share. Read more: CrowdStrike Outage Rolls On; Attention Turns to Software Update Quality Control "Just over two months ago, we let our customers down," CrowdStrike's Meyers said to begin his testimony. CrowdStrike is used by 538 Fortune 1000 companies, 298 Fortune 500 firms, and 43 of 50 U.S. states. Delta has claimed that the IT outage, which canceled over 5,000 of its flights, will cost it $500 million, and in a report published Thursday (Sept. 19), Germany's Federal Office for Information Security (BSI) found that 10% of German-based organizations impacted by the July outage are dropping their current security vendors' products. As PYMNTS reported at the start of the month, CrowdStrike faces numerous legal challenges from the glitch that caused a global tech outage, while writing about the incident in August, we argued here that the outage underscored the need for companies to have effective disaster recovery plans. Asked by lawmakers how CrowdStrike is going to make it right "for the victims of the incident by making them whole ... and create accountability for the space in the future," Meyers demurred and saying instead to the fact that 99.9% of systems were up and running soon after the incident. Regarding what actually happened that day in July, Meyers explained to lawmakers that one of CrowdStrike's Falcon threat detection configurations -- which are sent daily to sensors running on Microsoft Windows devices -- contained an extra input for which there was no defined action. This mismatch led the software to follow a configuration without knowing which rules to follow, triggering a malfunction until the problematic configurations were replaced. Lawmakers from rural districts highlighted what they framed as a widening digital divide when questioning Meyers about CrowdStrike's recovery response and the delays suffered by organizations in their regions. Read more: Reducing the Attack Surface: How Data Breaches Imperil Corporate Networks As noted by Meyers during his testimony, advancements in threat detection, prevention and response capabilities have aided defenders in recent years, but adversaries have responded by increasingly adopting and relying on techniques to evade detection. This includes supply chain attacks, insider threats and identity-based attacks. Threat actors' speed also continues to accelerate as adversaries compress the time between initial entry, lateral movement, and "actions of objective" (like data exfiltration or attack). At the same time, Meyers added, the rise of generative artificial intelligence (AI) has the potential to lower the barrier of entry for low-skilled adversaries, making it easier to launch attacks that are more sophisticated and state of the art. "Good AI equals good cybersecurity," he said. "There's a wave of horizon threats that pertain to AI."