House lawmakers question CrowdStrike exec over July IT outage
A major area of scrutiny was whether CrowdStrike’s flagship endpoint tool needed computer kernel access.
House lawmakers questioned a top CrowdStrike executive on Tuesday about a major global IT outage that occurred in July and whether the company’s cybersecurity solution needed to be tethered to the core of customer operating systems.
Adam Meyers, senior vice president of CrowdStrike’s counter-adversary operations, testified before the House Homeland Security Committee’s cybersecurity subcommittee Tuesday in a high-profile hearing that scrutinized the company’s deployment of a faulty update that crippled some 8.5 million Windows machines over the summer.
The July 19 outage was linked to a February overhaul of an internal system used by the cybersecurity firm to classify suspicious activity passing through customers’ devices. The logic error resulted in a faulty update that affected multiple federal agencies, as well as banks, airlines and other essential services worldwide, serving them with the dreaded “blue screen of death.”
“On behalf of everyone at CrowdStrike, I want to apologize. We are deeply sorry this happened and are determined to prevent it from happening again,” Meyers said in prepared testimony before the panel. Nearly 100% of the affected Windows sensors were back online as of late July, he added.
CrowdStrike helped pioneer endpoint detection and response technologies that stop hackers from infiltrating systems by shielding “endpoint” devices like laptop computers or phones, which often provide hackers an entryway into targets’ networks. The company’s flagship Falcon platform is designed to deter hackers from accessing a client’s systems at every layer of a device and across the devices connected to its network.
To do this, Falcon hooks into computers at the kernel level, the root layer on which the operating system runs. Once installed, it has full access to the crown jewels of client devices, where it can stop threats moving about at all points. But the faulty update slipped through the cracks of the testing structure the company uses to check product code before it is deployed.
“If you think about a chessboard trying to move a chess piece to someplace where there’s no square, that’s effectively what happened inside the sensor,” he said in testimony, explaining the root cause of the bad push.
A major area still up for debate following the hearing was whether it is necessary at all to push updates directly to the kernel level of client systems. The update was not AI-driven and followed standard procedure, Meyers said, but he emphasized that the setup used during the failed update remains the best deployment method, calling the summer incident a “perfect storm” of events.
“While things can be conducted in user mode, from a security perspective, kernel visibility is certainly critical to ensuring that a threat actor does not insert themselves into the kernel … and disable or remove the security products and features,” he said when asked by Rep. Laurel Lee, R-Fla., whether alternatives were possible.
Microsoft recently convened tech industry participants and government officials, declaring that it will begin implementing standards that allow security vendors to operate without being tied to the root of the Windows system, the kernel.
Rep. Eric Swalwell, D-Calif., ranking member on the panel, told reporters on the sidelines of the hearing that he was curious about the timeline for that goal.
“I also am mindful that you’re always trading one set of risks for another, and that’s why you have to balance that,” he added. “I was traveling that day and was delayed. But at the end of the day, we need them to succeed; they're one of the major vendors with vast reach. And so it’s in everyone’s interest for us to make sure we understand what happened, hold them accountable, but learn … what can we do to make sure that they succeed.”
The CrowdStrike incident opened up multiple opportunities for hackers, inadvertently laying groundwork for attacks on customers and critical infrastructure operators that do business with the cybersecurity company, experts previously told Nextgov/FCW.