- The Washington Times - Wednesday, September 25, 2024

A version of this story appeared in the daily Threat Status newsletter from The Washington Times.

Cybersecurity firm CrowdStrike apologized for helping spark a global internet outage in July and pledged to Congress that it had a new process to prevent such problems from recurring.

Flights were grounded, medical procedures canceled, 911 emergency calls did not go through and businesses lost more than $5 billion because of CrowdStrike’s failure, according to House Homeland Security Committee lawmakers.

Adam Meyers, CrowdStrike’s senior vice president, apologized for the damage his company caused to Americans during a committee hearing on Tuesday.

“On behalf of everyone at CrowdStrike, I want to apologize,” Mr. Meyers told lawmakers. “We are deeply sorry and we are determined to prevent this from ever happening again.”

Mr. Meyers oversees counteradversary operations at the cybersecurity company, but he was quick to emphasize that his company’s failure was attributable not to sophisticated attackers but to his organization’s own incompetence. The company released a flawed update to its widely used security software on July 19 that caused millions of Windows-using computers worldwide to seize up.

The head of counteradversary operations was testifying before Congress because CrowdStrike CEO George Kurtz would not, according to House Homeland Security Chairman Mark Green, Tennessee Republican.

Mr. Green said the hearing was long overdue, given the scope of the breakdown and the disruptions it caused.

“It’s overdue because we’d hoped to give Americans the answers they deserve much sooner, given the extent of this outage,” Mr. Green said. “Although I’d hoped to hear from CrowdStrike’s CEO directly, I’m grateful for Mr. Meyers’ presence. I’m confident he will deliver the answers we need.”

Mr. Meyers told the lawmakers that CrowdStrike adopted a new approach to pushing software updates to prevent another outage from spreading widely quite as quickly. Major changes to the system will no longer be introduced en masse, he said.

“What we’ve implemented is a system of concentric rings, think of it, the initial internal release process will be the first step in releasing new content updates,” Mr. Meyers said. “From there, customers can select to be part of the early adopter program, where they can choose to receive content updates as quickly as we can make them available.”

Mr. Meyers said customers can alternatively choose “general availability,” to wait longer, or to decline the updates altogether.

As for victims of CrowdStrike’s July outage, Mr. Meyers did not have full answers on whether or how the company may provide restitution.

Rep. William Timmons, South Carolina Republican, pressed Mr. Meyers to explain whether CrowdStrike had any plan to help the people victimized by its errors.

“You all have insurance policies, there’s a wide variety of legal mechanisms that will create accountability. Are you able to speak to any of that or is that something that your lawyers will probably tell you to not talk about?” Mr. Timmons said. 

“Congressman, I know people who are impacted by this as well and as I said earlier, we’re deeply sorry for what happened,” Mr. Meyers said.

• Ryan Lovelace can be reached at rlovelace@washingtontimes.com.
