A senior executive from American cyber security company CrowdStrike has apologised for the major IT outage which affected millions of Windows computers in July, while appearing before a US House of Representatives subcommittee on Wednesday.
Adam Meyers, senior vice president of CrowdStrike’s counter adversary operations, told the House Homeland Security Cybersecurity and Infrastructure Protection subcommittee that the company was “determined” to prevent a similar issue from happening again.
The outage, which crashed an estimated 8 million devices running Microsoft’s Windows operating system, was caused by an issue in a software update released for CrowdStrike’s Falcon Sensor security system, Meyers said.
“On behalf of everyone at CrowdStrike, I want to apologise,” Meyers said.
“We are deeply sorry, and we are determined to prevent this from ever happening again.
“… I can assure you that we continue to approach this with a great sense of urgency.”
The incident caused some airlines to ground their planes while some payment services, websites, and media broadcasters were also knocked offline or left experiencing major technical issues.
Mark Green, chairman of the House Homeland Security Committee, said in his opening remarks: “Everywhere Americans turned, basic societal functions were unavailable.
“As Americans looked across our borders they saw other countries — including our allies Australia and the UK — were affected too.”
Meyers reiterated that the outage was not the result of a cyber attack or rogue artificial intelligence, and said CrowdStrike had undertaken a full review of its systems.
“I can assure you that we will take the lessons learned from this incident and use them to inform our work as we improve for the future,” he said.
‘The largest IT outage in history was due to a mistake’
Representative Green said the outage caused by CrowdStrike’s update was “a catastrophe that we would expect to see in a movie”, and one which some expected may have been caused by a nation-state actor.
“To add insult to injury, the largest IT outage in history was due to a mistake,” he said.
While responding to questions from politicians on the subcommittee for around 90 minutes, Meyers said CrowdStrike no longer rolled out updates globally in the first instance, but released them with a more staggered approach — a tactic it decided on not long after the incident.
CrowdStrike had also strengthened its relationships with major partners such as Microsoft, Meyers said.
Microsoft has flagged that it will change security vendors’ access to its Windows kernel — a core part of the operating system which has a high level of access to a computer’s hardware — in the wake of the CrowdStrike incident.
Asked about kernel access during the subcommittee hearing, Meyers said it was “very difficult” to secure operating systems without such access.
“With the current kernel architecture, this is the most effective way to get the visibility and to prevent an adversary from tampering with security tools,” he said.
Aside from apparent changes to Microsoft’s Windows kernel access, CrowdStrike is also facing multiple lawsuits following the outage caused by its Falcon system.
CrowdStrike CEO George Kurtz had also previously been called on to testify before US Congress about the incident.
Last month, the company said it would give affected customers at least $88 million ($US60 million) in credits and had cut its revenue and profit forecasts.