After causing what may be the largest IT outage in history, CrowdStrike and its CEO are copping massive backlash on social media for a “passive” response riddled with “legalese” and “doublespeak”.
Last Friday, a botched security update from US cyber security company CrowdStrike caused ‘blue screens of death’ on Microsoft machines – resulting in major disruptions to airlines, banks, healthcare providers and businesses across the planet.
While CrowdStrike was quick to release a remediation for the issue, many of the estimated 8.5 million Windows devices impacted remain unusable as IT professionals work overtime to apply manual fixes.
The ABC’s The Business program was told the financial impact on Australian businesses could surpass $1 billion – while small businesses and regional towns have voiced particular difficulty after having to turn away customers.
The company has issued regular updates regarding the underlying cause and fixes for the outage, but an initial statement from CrowdStrike chief executive George Kurtz has rubbed many social media users the wrong way.
“CrowdStrike is actively working with customers impacted by a defect found in a single content update for Windows hosts,” read Kurtz’s Friday statement.
“Mac and Linux hosts are not impacted. This is not a security incident or cyberattack. The issue has been identified, isolated and a fix has been deployed.”
Lulu Meservey, chief executive of public relations company Rostra, posted a scathing critique of the statement on social media platform X, earning over 15,000 likes, as she lambasted Kurtz for using “weapons-grade corpo speak”.
“Let’s be clear. Legalese doublespeak is designed to dodge and obfuscate rather than inform or communicate,” said Meservey.
“This statement was obviously written by a committee of lawyers and middle managers whose only goal was to avoid legal risk and threats to their own job security.
“If you can’t understand what the statement is even saying, it’s working as intended.”
She criticised Kurtz for adopting a “passive voice” and described the statement as “almost comical in its efforts to dodge assigning responsibility”, before pointing out a lack of an apology.
“The first words should be ‘I’m sorry’,” she said.
“This outage knocked out 911 call centres and hospitals. People literally might have died. And the company’s CEO is out here playing it down as if it’s not a big deal.”
After explaining in long-form why Kurtz was “getting pummelled for his response”, the post grew into a lengthy thread of users voicing similar disappointment and frustration.
User @NoFilterGames noted how it is “IT 101” to avoid pushing mass updates on a Friday, @architect_0 pointed out a lack of empathy and leadership skills, while tech support professional @montef said he’d be removing CrowdStrike from his recommended vendor list after reading the company’s “apathetic crisis comms”.
It was more of the same on discussion site Reddit – where countless techies have congregated while working overtime – and user ‘externedguy’ pointed out Kurtz served as chief technology officer at antivirus company McAfee during a similar incident in 2010.
CrowdStrike shares slipped some 13 per cent overnight, leaving the stock more than 30 per cent down from its all-time high earlier this month.
Apology issued separately
Kurtz later followed up with an apology stating, “we understand the gravity of the situation and are deeply sorry for the inconvenience and disruption,” before fleshing this out further in a message to CrowdStrike’s customers and partners.
“I want to sincerely apologise directly to all of you for today’s outage,” said Kurtz.
“All of CrowdStrike understands the gravity and impact of the situation.”
The company soon after released a brief technical breakdown that dispelled some confusion about a mistaken “null bytes” explanation which had proliferated online, before promising further details from a root cause analysis at a later date.
“Nothing is more important to me than the trust and confidence that our customers and partners have put into CrowdStrike,” said Kurtz.
Jason Murrell, independent chair of Cyber Security Certification Australia and co-founder of cyber security organisation MurFin Group, told Information Age that while CrowdStrike’s initial response “hasn’t done them any favours”, the company’s staff were likely trying to “do the right thing”.
“I think it's easy to lay the boots in whenever something like this happens,” said Murrell.
“The thing about tech and cyber is, odds are your company is eventually going to be in the spotlight for an incident of its own.
“The communication could have been better – there are a lot of people still wondering if this update was even tested…
“That being said, we're all trying to do what’s right – a lot of good people work for the company and shouldn't be judged too heavily based on one statement.”
Is it truly not a security incident?
Kurtz meanwhile faced further backlash for failing to describe the global outage as a security incident.
“I am not griping about semantics: when your customer cannot reach the system, or application, or service that you expect to be accessible to them, that is a security incident,” said Nick Selby, executive vice president of crypto insurance company Evertas.
“When professionals carelessly or intentionally use jargon to soothe the public, it does damage.”
As CrowdStrike’s website pointed out up until last week, “62 minutes could bring [a] business down” – threat actors who compromise a single device can often move laterally through the rest of the network from that foothold.
“Any significant incident like this, whether they class it as a cyber incident or not, is going to have far-reaching security implications,” Murrell told Information Age.
“More than anything it shows companies are too reliant on certain vendors – we often wind up in these vendor siloes and miss out on having appropriate tech diversity or spread.”
Furthermore, the Australian Signals Directorate’s Australian Cyber Security Centre has warned of scammers releasing “malicious websites and unofficial code” while claiming to help entities recover from the CrowdStrike incident.
CrowdStrike has also issued warnings about scammers impersonating CrowdStrike staff in phone calls, and about a specific campaign in which threat actors have been observed leveraging the event to distribute a malicious zip archive named “crowdstrike-hotfix.zip”. Security specialist Viral Maniar claims to have identified nearly 100 new malicious domain registrations related to the outage.
The ACSC urged consumers to source their technical information and updates from official CrowdStrike sources only.