Deep Dive: CrowdStrike’s Costly Patch Blunder

CybersecurityHQ News

Far beyond downtime, CrowdStrike’s customers are being badly mistreated

You likely noticed the faulty CrowdStrike Falcon Sensor patch in mid-July, whether or not your business is a customer of theirs. My bank’s online banking site didn’t download reliably on July 19th and 20th. Many other financial institutions were impacted. Thousands upon thousands of airline flights were cancelled.

Many industrial sectors and government agencies were in technological chaos for a while. As of this writing on July 24th, there are still IT people around the world who are working overtime to bring their production systems fully back online. 

What we know for a fact is this: 

On July 18th and 19th, CrowdStrike sent a faulty patch to their Falcon Sensor for Windows enterprise customers around the world. (Mac and Linux were spared.) Its defective code ran as deep as the kernel level, which is especially alarming. Should threat-intel-based vulnerability scanning solutions have kernel access to machines?

CrowdStrike’s co-founder, President, and CEO is George Kurtz. In 2010, he was the CTO of McAfee. That year, McAfee deployed a patch to its enterprise antimalware software that caused computer systems worldwide to crash and reboot repeatedly.

The faulty patch that CrowdStrike released to Falcon Sensor for Windows in July 2024 brought down production networks in various industries and sectors around the world. Much of the downtime that was most apparent to the general public was in the financial and air travel sectors. George Kurtz was also in a leadership role for this incident, this time as co-founder, President, and CEO.

There is no way to accurately estimate the collective economic expense of the CrowdStrike patch due to lost business transactions, legal liability, and extra IT staff labour expenditures as of this writing. But it’s most definitely at least in the billions.

Leonard J. French is an intellectual property attorney based in Pennsylvania. On YouTube, he analyzed CrowdStrike’s Terms of Service contract with their enterprise customers. The contract’s Limitation of Liability section states: “To the maximum extent permitted by applicable law, CrowdStrike shall not be held liable to software user for lost profits, revenue, or savings, lost business opportunities, lost data, or special, incidental, or punitive damages.”

French believes that CrowdStrike’s contractual attempt to evade liability may not withstand legal scrutiny, because the legal concept of gross negligence can make a party liable regardless of what a contract says. Depending on the jurisdiction of the court, a judge might rule that CrowdStrike’s Terms of Service are null and void if the company is found to have been grossly negligent toward its customers.

So those are the facts. Now here’s some of the speculation that I’ve found. Do keep in mind that these are rumours and they haven’t been verified. I’m putting them out there because I think these theories are worthy of investigation:

At least some of the defective code in the faulty CrowdStrike Falcon Sensor patch may have been produced by generative AI. Here’s a quote from a CrowdStrike press release dated March 18th, 2024: “Advance Cybersecurity with Generative AI... ‘Since our founding, CrowdStrike has pioneered the use of AI in cybersecurity. Our customers from all verticals, segments, and geographies are increasing adoption of AI/ML across their businesses, looking to generative AI for efficiency, speed, and innovation,’ said George Kurtz, co-founder and CEO at CrowdStrike.

‘Our collaboration with NVIDIA combines the power of two innovative industry leaders to not only help customers meet and exceed necessary security requirements, but also increase adoption of AI technologies for business acceleration and value creation.’

‘Cybersecurity is inherently a data problem — the more data that enterprises can process, the more events they can detect and address,’ said Jensen Huang, founder and CEO of NVIDIA. ‘Pairing NVIDIA accelerated computing and generative AI with CrowdStrike cybersecurity can give enterprises unprecedented visibility into threats to help them better protect their businesses.’”

TechCrunch’s Lorenzo Franceschi-Bicchierai reported on July 24th, 2024 that CrowdStrike customers may have been offered a $10 Uber Eats gift card apology. That sounds pretty cheap. The rumoured cheap compensation offer is made worse by anecdotes that the $10 gift card wasn’t even redeemable. “On Tuesday, a source told TechCrunch that they received an email from CrowdStrike offering them the gift card because the company recognizes ‘the additional work that the July 19 incident has caused’...

On Wednesday, some of the people who posted about the gift card said that when they went to redeem the offer, they got an error message saying the voucher had been canceled. When TechCrunch checked the voucher, the Uber Eats page provided an error message that said the gift card ‘has been cancelled by the issuing party and is no longer valid.’ CrowdStrike did not immediately respond to a request for comment.”

If we just consider the verifiable facts of the CrowdStrike incident, they don’t make the cybersecurity vendor look very good. CrowdStrike’s patch disrupted business worth billions of dollars or more globally. Kurtz founded and leads CrowdStrike, and he was CTO of McAfee during their similarly problematic software patch. And the CrowdStrike Terms of Service seem to be designed to evade liability for anything bad happening to their customers.

If the rumours are true, that CrowdStrike’s patch code is at least partly made by generative AI and that CrowdStrike offered a possibly unredeemable $10 gift card as an apology to individual customers who may have lost millions of dollars, then matters look even worse.

Maybe the world would be a better place if Mr. Kurtz chose to retire. 

About Kim Crawley: Kim is a prolific writer and researcher specializing in cybersecurity. With experience writing for major tech companies like AT&T, BlackBerry, and NGINX, Kim has made significant contributions to the field.

Her impressive portfolio includes books such as "The Pentester Blueprint" and "8 Steps to Better Security." Kim's expertise and insights will enhance our content, providing valuable perspectives on cybersecurity trends and best practices.

Stay Safe, Stay Secure.

The CybersecurityHQ Team
