CrowdStrike exec apologizes to Congress for disruptive outage

The faulty security update upended travel for days, delayed nonurgent surgeries and procedures and disrupted operations across all types of industries.
Travelers at Hartsfield-Jackson International Airport crowd around ticket counters on July 19, as a massive outage triggered by a security update from CrowdStrike affected Microsoft users around the globe, disrupting airlines, railways, banks, stock exchanges and other businesses. (John Spink/AJC 2024)

Credit: John Spink

Credit: John Spink

Travelers at Hartsfield-Jackson International Airport crowd around ticket counters on July 19, as a massive outage triggered by a security update from CrowdStrike affected Microsoft users around the globe, disrupting airlines, railways, banks, stock exchanges and other businesses. (John Spink/AJC 2024)

A senior executive with CrowdStrike apologized before Congress on Tuesday for the faulty security update in July that brought businesses to a halt and caused an estimated $5 billion in damages to its customers in July, and confirmed the company has changed its internal practices to ensure another outage will never happen again.

Before a U.S. House of Representatives subcommittee meeting, Adam Meyers, senior vice president for counter adversary operations at CrowdStrike, testified the global outage was not the result of a cyberattack or artificial intelligence, but rather a convergence of events that resulted in the failure of its flagship security product, Falcon Sensor.

“I am here today because, just over two months ago, on July 19, we let our customers down,” Meyers said.

The CrowdStrike update triggered problems for Microsoft users across the globe. No business suffered as greatly as Atlanta-based Delta Air Lines, which suffered a dayslong meltdown of its operations that left passengers stranded at airports across the world. Delta, which has said it suffered a loss of more than $500 million from the incident, has hired outside attorneys and has threatened to seek legal claims.

CrowdStrike, meanwhile, has apologized to Delta but has said it “strongly rejects any allegation that it was grossly negligent or committed willful misconduct.”

The company also alleged Delta has contributed to a misleading narrative that CrowdStrike is responsible for Delta’s IT decisions and response to the outage.

Texas-based CrowdStrike is a network security provider that protects major companies from cyberattacks and security breaches. It produces the type of software that continuously runs on every workstation within a company and detects abnormal behavior, according to Stanford computer science expert Zakir Durumeric.

The company represents 18.1% of the global modern endpoint security market, preceded only by Microsoft, according to market intelligence company International Data Corp.

Here’s what happened in July: a security update pushed by CrowdStrike resulted in global outages of Microsoft products. The operating systems of about 8.5 million Windows users crashed, displaying Microsoft’s so-called “blue screen of death.”

The July update caused an IT meltdown across all types of industries, with aviation, financial services and health care among the most significantly impacted. Thousands of flights were canceled worldwide, with Delta the hardest hit airline, leaving passengers stranded in airports and cities for days.

Nonurgent surgeries and procedures were delayed across major health care systems.

Delta was hardest hit among airlines because they’re “by far the heaviest in the industry” in using both CrowdStrike and Microsoft, airline CEO Ed Bastian has said.

At the time of the outage, CrowdStrike rolled out 10-12 sensor configuration updates per day. Meyers likened what went wrong with the faulty update to a chessboard.

“Moving a chess piece where there’s no square, that’s what happened inside the sensor,” Meyers said. “When it tried to process the rule, it was not able to do what the rule asked it to do.”

In the hours following the incident, CrowdStrike isolated the issue and deployed a fix, but impact of the outage still lingered for days. The cybersecurity company’s stock plunged around 12% that same day.

During the committee meeting, Meyers explained the company has implemented a new mechanism to allow customers to select when they will receive the content updates, instead of issuing updates to all customers at once. It will also internally test all content updates before releasing them to customers.

Lawmakers expressed concerns over the implications the outage could have on global security.

“It is clear that this outage created an advantageous environment ripe for exploitation by malicious cyber actors,” said U.S. Rep. Andrew Garbarino, the chairman of the House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection.

The outage offered an example of what could happen if threat actors got hold of mechanisms to cause disruption to critical infrastructure, a key concern as the U.S. heads toward Election Day.

“We are deeply sorry and we are determined to prevent this from ever happening again,” Meyers said.