Congress to CrowdStrike: Nice apology, but who is paying for this mess?

Lawmakers dig into CrowdStrike’s IT blunder and response, raising alarms and pondering how to apply the lessons learned to safeguard America.
By admin
Sep 27, 2024, 4:17 PM

CrowdStrike may not be out of the Congressional woods over the global IT outage caused by its faulty update, which disrupted critical services across sectors including airlines, hospitals, emergency services, and government agencies. While appreciative of the apologetic and transparent responses from the firm’s counter adversary expert, legislators appeared less than fully convinced that the cybersecurity firm had gone far enough with the technical changes made to prevent another “perfect storm,” and the absence of the company’s CEO from the hearing meant questions about “making it whole” for those whose lives and businesses were disrupted went unanswered.

 

IT outage cause and response under scrutiny

The House Homeland Security Committee’s Cybersecurity and Infrastructure Protection subcommittee held a hearing on Sept. 24 to understand the root cause of the incident, CrowdStrike’s response efforts, and measures taken to prevent future occurrences.

The hearing’s only witness, Adam Meyers, Senior Vice President of Counter Adversary Operations at CrowdStrike, struck a welcome apologetic tone throughout and confirmed the fault was entirely CrowdStrike’s: although the outage was marked by the dreaded Microsoft Blue Screen of Death, it was caused solely by an update designed for the CrowdStrike Falcon sensor running on Microsoft Windows devices.

The heart of the hearing was Meyers’ account of the technical changes the firm has made to how it issues these threat updates, which are information or content, not code. He said that going forward such content updates will be treated as code, meaning they will be subject to internal testing (aka “dogfooding”) before release. A new phased approach will offer CrowdStrike customers more control over when they receive the updates.

“Customers can select to be part of the early adopter program, where they can choose to receive content updates as quickly as we can make them available,” Meyers said, adding customers can also choose to wait until the “general availability” phase or some customized waiting period … or not accept the update at all.

The lawmakers lauded this improvement, but several probed deeper into CrowdStrike’s access to and use of the kernel, a central operating system component where an error will crash the entire system and result in the Blue Screen of Death.

“Some competitors of yours have claimed that this kind of kernel access is dangerous and that a better practice is to deploy such updates directly to the user mode where the impacts would only affect an application,” said Rep. Eric Swalwell (D-CA), ranking member of the subcommittee.

CrowdStrike, like many vendors, uses the Windows kernel architecture, Meyers noted, which allows the operating system to support a wide range of hardware. He explained the kernel provides performance visibility, threat prevention, and anti-tampering protections, which are critical for detecting and stopping attackers from disabling security tools. “To secure the operating system without kernel access would be very difficult,” he stated.

The other main point of contention during the otherwise cordial and constructive hearing was over what CrowdStrike plans to do for people and businesses who suffered various losses and inconveniences because of the outage.

Reports have valued the losses at more than $5 billion, with banking and healthcare expected to bear the brunt financially. However, airline passengers have led the pursuit of financial relief, with class actions against CrowdStrike and Delta; the airline threatened to sue CrowdStrike and Microsoft over its $550 million in losses and expenses from the outage.

Seemingly ill-equipped or unauthorized to address this line of questioning, Meyers responded by acknowledging his firm lost its customers’ trust and recounted all it has done in the aftermath to regain that trust, but said nothing about goodwill or support for all the individuals significantly impacted by the outage.

This might have been a good question for CrowdStrike CEO George Kurtz, who did not appear at the hearing, to the disappointment of Homeland Security Committee Chairman Mark E. Green (R-TN), who asked Kurtz to appear in a July letter cosigned by subcommittee Chairman Andrew R. Garbarino (R-NY).

“I’d hoped to hear from CrowdStrike’s CEO directly,” Green said in his opening remarks.

 

Key healthcare takeaways from the CrowdStrike hearing

  • Healthcare IT leaders must prioritize incident response planning. The outage disrupted critical healthcare services such as hospital networks, medical procedures, and emergency response systems, highlighting the need for healthcare organizations to have comprehensive incident response plans in place to mitigate the impact of such events.
  • Cybersecurity vulnerabilities are not limited to attacks: Even routine software updates can cause significant disruptions, as shown by the CrowdStrike incident. This highlights the importance of stringent quality assurance practices in healthcare IT environments, where patient safety and data security are paramount.
  • Even cybersecurity vendors can make mistakes with catastrophic consequences. The CrowdStrike incident underscores the importance of robust quality assurance practices, even for companies specializing in cybersecurity.
  • Transparency and collaboration are critical: During the hearing, both Congress and CrowdStrike emphasized the importance of public-private partnerships and ongoing collaboration to enhance cybersecurity practices across sectors. Healthcare IT leaders should look to collaborative information-sharing networks to stay ahead of emerging threats.
  • The incident highlights the interconnectedness of our digital ecosystem. A single software update can have far-reaching consequences, impacting critical infrastructure and services across the globe. Healthcare IT leaders must be aware of these interdependencies and take steps to ensure the resilience of their systems.

Action Items for Healthcare IT Leaders

  • Review and strengthen quality assurance processes for all software updates, including those from trusted vendors.
  • Develop and test comprehensive incident response plans to address potential disruptions to critical systems and services.
  • Engage in open communication and collaboration with vendors to ensure transparency and accountability in addressing cybersecurity incidents.
  • Prioritize cybersecurity investments and training to enhance the resilience of healthcare IT infrastructure and protect against evolving threats.

 

To review the entire proceedings, including the full video and CrowdStrike’s written testimony, see the subcommittee’s page for the hearing, “An Outage Strikes: Assessing the Global Impact of CrowdStrike’s Faulty Software Update.”

