The CrowdStrike outage saga managed to turn even uglier this week, and lawyers may be the only ones who are benefiting. Also, we look at security product effectiveness and cybersecurity’s dirty secret: information asymmetry.
First, the truly petty. CrowdStrike is reportedly trying to take down parodies on Etsy and a parody website. In addition to drawing more attention to the parodies, it’s a bad look for a company that should be more focused on security and availability than anything else right now.
CrowdStrike shares (CRWD) have plunged 38% since the July 19 outage that brought down 8.5 million Windows machines around the globe, erasing $28 billion in market cap as investors reassess the company’s growth trajectory in the wake of what may be the biggest-ever cyber incident. Not surprisingly, shareholder lawsuits have begun to appear.
CrowdStrike seems to be doing the opposite of what it should be doing – showing humility and reassuring customers that the company is a reliable partner.
Delta May Sue CrowdStrike for Outage Damages
Delta Airlines – which struggled to recover from the outage to the point that the U.S. Department of Transportation opened an investigation into the matter – estimates its losses from the outage at $500 million and told CNBC that it plans to seek damages. The company has hired prominent attorney David Boies to pursue the case.
“If you’re going to be having access, priority access to the Delta ecosystem in terms of technology, you’ve got to test the stuff. You can’t come into a mission critical 24/7 operation and tell us we have a bug,” Bastian told CNBC.
CrowdStrike has attributed the outage to a bug in its validation software that allowed a faulty update to slip through.
However, Delta took far longer than competitors to recover from the outage, raising the possibility that its recovery processes may have been inadequate.
Our prediction: We’ll never know the truth here, because even though software vendors have historically been free from liability for bugs, CrowdStrike and Delta will likely settle the case to avoid publicity and disclosures.
Aug. 5 update: Interestingly, CrowdStrike is responding aggressively to Delta’s claims. The company shared an Aug. 4 letter from CrowdStrike attorney Michael Carlinsky to Boies with The Cyber Express; excerpt below:
Lawyers, Marketers and Shareholders, Oh My!
Part of the problem in general here may be the “shareholder first” mentality that has dominated U.S. companies since the Reagan era – the doctrine that companies exist primarily to reward shareholders. That practice has gone into overdrive with the rise of AI, and there’s a good chance it won’t end well – how well are shareholders going to be rewarded if customers are unhappy?
The ”shareholder first” doctrine means that companies try to get by with minimal investment while pushing employees and productivity as much as possible. That creates fragile systems, and an incident like CrowdStrike-Microsoft-Delta shows just how fragile that chain is, when inadequate testing, a rushed update, a fragile operating system and inadequate recovery processes come together to create a $500 million loss. And that’s just one customer; total outage losses have been estimated at $15 billion by cyber insurer Parametrix, and only 10-20% of that may be covered by cyber insurance.
With the “shareholder first” focus on maximum profitability, marketing gets ahead of the technology and companies overpromise and underdeliver, and lawyers are brought in to make sure the company can retain every advantage.
So you get onerous terms and conditions like CrowdStrike’s, where damages are limited to refunds and you get curious language like the following that seems incongruent with a company that has carefully built a reputation as a supplier to organizations with high security needs (the caps are CrowdStrike’s):
“THE OFFERINGS AND CROWDSTRIKE TOOLS ARE NOT FAULT-TOLERANT AND ARE NOT DESIGNED OR INTENDED FOR USE IN ANY HAZARDOUS ENVIRONMENT REQUIRING FAIL-SAFE PERFORMANCE OR OPERATION. NEITHER THE OFFERINGS NOR CROWDSTRIKE TOOLS ARE FOR USE IN THE OPERATION OF AIRCRAFT NAVIGATION, NUCLEAR FACILITIES, COMMUNICATION SYSTEMS, WEAPONS SYSTEMS, DIRECT OR INDIRECT LIFE-SUPPORT SYSTEMS, AIR TRAFFIC CONTROL, OR ANY APPLICATION OR INSTALLATION WHERE FAILURE COULD RESULT IN DEATH, SEVERE PHYSICAL INJURY, OR PROPERTY DAMAGE. Customer agrees that it is Customer’s responsibility to ensure safe use of an Offering and the CrowdStrike Tools in such applications and installations.”
CrowdStrike is hardly the only security vendor with terms like that, but it sure doesn’t give you confidence in the security of our critical infrastructure.
One top industry official – Alex Stamos, SentinelOne’s new CISO – essentially accused CrowdStrike of negligence in a podcast earlier this week, and competitors like Fortinet and Sophos have been revealing how they handle kernel updates to reassure customers.
But it’s fair to ask: How secure are our security tools? The answer is murky, in part because there are few industries that suffer from greater “information asymmetry” than cybersecurity, where sellers know much more than buyers about how well these products actually work and there are no standards for efficacy.
Information Asymmetry: Cybersecurity’s Big Problem
Endpoint detection and response (EDR) products at the heart of CrowdStrike Falcon are some of the better tested security products – the annual MITRE ATT&CK evaluations are some of the toughest tests the industry faces – but even there, EDR tools are subject to missed detections, bypass attacks, and a general murky uncertainty about how well they work in real-world conditions.
A Picus Security report published this week found that security tools miss an alarming number of attacks. While prevention effectiveness rose from 59% in the 2023 report to 69% in 2024, detection effectiveness – and alert scores in particular – dropped from 16% to 12%. “This means we are better at preventing some attacks, we are still struggling to detect them promptly,” Picus said.
“Real-world data shows that even best-of-breed products that score 100% in controlled settings can exhibit a wide range of prevention and detection effectiveness once deployed,” the report said.
Part of the problem is variations in implementation and environments. Another part is the cat-and-mouse game of cybersecurity, where attackers and defenders must continually respond and adapt, leading to occasional advantages for one side or the other. And even tools based on behavior, machine learning and AI must continually adapt to new information.
Security products aren’t perfect, which is why organizations have been preaching defense-in-depth and resilience: The more obstacles an attacker faces, the more likely they are to give up and move on to an easier target.
But we can still expect – nay, demand – better. Any industry we depend on, be it cybersecurity, airlines, healthcare, food and agriculture, or any other critical sector, must invest adequately in protecting those resources, shareholders notwithstanding. And insisting on adequate protection is a job for lawmakers, regulators, consumers, and sometimes, if the share price falls far enough, shareholders too.
Article published on Aug. 2, 2024 and updated on Aug. 5, 2024 to include CrowdStrike’s response to Delta
