CrowdStrike Goes to Congress: What Will Come of the Hearing?
CrowdStrike is set to testify before a US House of Representatives subcommittee later this month following its role in one of the world’s most extensive IT outages.
"Considering the significant impact CrowdStrike's faulty software update had on Americans and critical sectors of the economy from aviation to medical services, we must restore confidence in the IT that underpins the services Americans depend on daily," says Representative Mark Green, Chair of the Homeland Security Committee.
The testimony, to be delivered by CrowdStrike’s Adam Meyers, Senior Vice President for Counter Adversary Operations, will give lawmakers a chance to hear in depth how the company's faulty software update caused computer systems across the globe to go down.
Equally, it allows Representatives to consider potential legislation to avoid such situations in the future. In fact, this pattern of holding a hearing and then implementing legislation is how many of the world’s cyber laws have come to be.
Cyber incidents in shaping legislation
The CrowdStrike incident and its far-reaching consequences serve as a stark reminder of the vulnerabilities inherent in our increasingly interconnected digital infrastructure.
Yet, it serves as just one facet of potential vulnerabilities that have been coming to light over recent years.
In 2017, credit reporting agency Equifax suffered a massive data breach, which exposed personal information of 147 million Americans.
This unprecedented breach led to the US introducing the Data Breach Prevention and Compensation Act in 2019, which aimed to hold companies more accountable for data breaches.
Then, software company SolarWinds was found to have suffered a sophisticated supply chain attack in 2020. This compromised numerous government agencies and private companies using the related services, and so served as a wake-up call for lawmakers, highlighting the critical importance of supply chain security and the need for rapid incident reporting.
Congress therefore soon passed the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) in 2022, which requires critical infrastructure entities to report substantial cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours.
Similarly, the Colonial Pipeline ransomware attack in May 2021, which caused fuel shortages across the eastern US, demonstrated the potential for cyber attacks to disrupt essential services and impact daily life.
This incident not only accelerated the passage of CIRCIA but also prompted a re-evaluation of cybersecurity measures in the energy sector, with President Biden’s administration pushing for tough cybersecurity on key infrastructure.
In 2023, the Securities and Exchange Commission (SEC) extended this reporting requirement for all publicly traded companies.
Anticipating a changing landscape
Given this context, the CrowdStrike incident could lead to further legislative changes. Although all details are not yet clear, potential areas of focus might include stricter regulations for software update processes, such as rigorous closed testing of updates before wider releases.
Equally, whether from a regulation or internal company policies, disclosure of potential risks associated with software updates may also be introduced, alongside expanded liability for cybersecurity firms in cases of widespread system failures, and increased oversight and auditing of cybersecurity practices in key industries.
As we look to the future, it's clear that the interplay between cyber incidents and legislative responses will continue to shape the cybersecurity landscape, and the CrowdStrike testimony may well serve as a catalyst for new discussions about preventing similar incidents in the future.
Cyber Magazine is a BizClik brand