CrowdStrike’s mea culpa: 5 takeaways from the Capitol Hill testimony

Matt Kapko, Cybersecurity Dive

September 25, 2024


A “perfect storm of issues” and internal validation errors resulted in CrowdStrike’s defective software update that caused a global IT network outage in July, an executive said during testimony Tuesday in a congressional hearing.

Adam Meyers, SVP of counter adversary operations at CrowdStrike, accepted complete responsibility and apologized on behalf of the company for causing one of the largest IT outages in history, in testimony before members of the House Subcommittee on Cybersecurity and Infrastructure Protection.

“Trust takes years to make and seconds to break, and we understand that we broke trust and that we need to work to earn it back,” Meyers said.

Members of the subcommittee were largely empathetic to the cybersecurity industry’s technical challenges, though in a few confrontational moments lawmakers criticized CrowdStrike’s processes that allowed the error to slip through testing.

“It seems like a very large miss. You guys touch a lot of things. You touch a lot of infrastructure in the United States, something that we count on you for, which you’ve been doing a great job until this one,” said Rep. Morgan Luttrell.

“You mention North Korea, China and Iran, our outside actors are trying to get us every day. We shot ourselves in the foot on the inside of the house.”

While the fault lies with CrowdStrike in this incident, the broad impact of its error on Windows users called into question cybersecurity vendors’ practices, specifically their tools’ reliance on deep control and access to the Windows kernel.

Microsoft’s involvement is significant and its response is being closely watched as it continues to overhaul its cybersecurity strategy. Last week, Microsoft outlined some internal testing and systems changes it’s working on to prevent another widespread outage via third-party vendors.

Here are five takeaways from Meyers’ testimony:

To read the complete article, visit Cybersecurity Dive.
