While catching up with the online world after a two-week holiday, I wondered about the CrowdStrike event that hit the internet so hard while I was away. I was surprised because CrowdStrike is not a name one would associate with cyber attacks, but rather, the name of a software supplier in the cybersecurity space.
I learned that they made a big mistake by shipping software that is deployed automatically on customers' systems, causing Windows machines to go into a crash loop. In my opinion, it would take just a little common sense to have a tested and staged roll-out of the "Rapid Response Content."
I question whether executable code is necessary in the "Rapid Response Content." It appears common sense was overruled by the requirement to roll these updates out as soon as possible.
Another highlight is that CrowdStrike is ISO 27001 certified and lists 27 "compliance certifications" on its web page. https://hubs.ly/Q02KbW4y0
Even with all those compliance certificates, they still caused a global outage of Windows servers that insurance companies estimate will cost US Fortune 500 companies $5.4 billion. https://hubs.ly/Q02Kc5H30
However, these regulations, like ISO 27001, ISO 27015, and all the others, are probably precisely what CrowdStrike and its competitors use to sell their services and solutions. CrowdStrike offers a simple answer to the "cyber threat" for its customers. Ironically, the "protection" turned back on those customers and morphed into the ultimate strike.
Who should take responsibility for the damage? Countless canceled flights, delayed surgeries, and an endless list of damage and annoyance. The world sees the guilty entity. CrowdStrike has protected itself with "general business terms" protecting it from liabilities and publishes, following the language of the regulations, a "Post Incident Review," saying as little as possible.
Well, the law is above contracts and overrules "general business terms." I am not a lawyer and do not understand the details. Still, I am eager to see if airlines and others will receive reimbursement for damages caused by CrowdStrike if these lawsuits find different judgments in different countries. Remember, Lufthansa tried to get its damages paid by the Last Generation activists who caused some canceled flights recently. https://hubs.ly/Q02Kc6fk0
I am underwhelmed by this behavior and see no excuse for such an epic failure. Others manage to create much larger software projects and have the necessary processes, CI test loops, automatic static analyzer runs, and so forth in place to avoid such failures. With enough effort, one can squeeze a reasonable process into a 60-minute release cycle. I believe this was negligent behavior on CrowdStrike's part.