Members of the House Homeland Security Committee pressed a senior CrowdStrike executive on Sept. 24 to explain how and why the company released a software update that caused blue screens of death on millions of machines.
CrowdStrike SVP of Counter Adversary Operations Adam Meyers appeared before the House Subcommittee on Cybersecurity and Infrastructure Protection to express contrition for the infamous, defective July 2024 update to its Falcon platform that caused Windows machines the world over to crash. Meyers reiterated the outage—which cyber insurer Parametrix estimated cost Fortune 500 companies alone $5.4 billion—was not the result of a breach.
“On behalf of everyone at CrowdStrike, I want to apologize,” Meyers told the committee. “We’re deeply sorry, and we are determined to prevent this from ever happening again.”
“I want to underscore that this was not a cyberattack. The incident was caused by a CrowdStrike rapid response content update that was focused on addressing new threats,” he added.
“We have undertaken a full review of our systems and are implementing plans to bolster our content update procedures so that we emerge from this experience as a stronger company,” he added. “I can assure you that we will take the lessons learned from this incident and use them to inform our work as we improve for the future.”
Lawmakers asked Meyers why CrowdStrike security tools required kernel access—while some experts initially believed the outage was due to a buggy kernel driver, CrowdStrike later clarified it was caused by a config file that interacted with the kernel—and to explain how the botched update slipped through its testing processes.
Meyers responded that CrowdStrike products rely on the Windows kernel architecture and kernel visibility is a key part of “every security product that I could think of” due to its necessity in detecting tampering. He also stated that before the July outage, CrowdStrike had not used phased deployment for configuration updates, nor did it subject them to the same level of quality assurance as code updates. The company has made changes on both fronts, Meyers said.
Top insights for IT pros
From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.
“We release 10 to 12 of these content updates, every single day, and so that was part of our standard operating procedure,” Meyers added. “The updates were distributed to all customers in one session…That is no longer the case.”
The co-founder and CEO of competing firm SentinelOne, Tomer Weingarten, told CRN in July that cybersecurity products should not rely on constant updates and should instead focus on a “more resilient system embedded on the device.”
Representative Andrew Garbarino, who chairs the subcommittee, referenced that line of thought—telling Meyers “other cybersecurity providers” have said “how many updates you’re pushing out daily goes against industry standards and is not safe.”
Meyers said he wasn’t aware of any industry standards on update frequency, adding CrowdStrike would “continue to update our product with threat information as frequently as we need to in order to stay ahead of the threats that we’re facing.”
Representative William Timmons repeatedly asked Meyers about possible restitution or compensation for disrupted customers.
“So, in addition to getting people back up and running when their systems were down, you all have insurance policies,” Timmons said. “There’s a wide variety of legal mechanisms that will create accountability. Are you able to speak to any of that, or is that something your lawyers would probably tell you to not talk about?”
Meyers again apologized, adding, “Trust takes years to make and seconds to break, and we understand we broke that trust and that we need to work to earn it back.”