VIRGINIA BEACH, Va. (WAVY) — Following a failed overnight software upgrade linked to Microsoft’s CrowdStrike system Friday morning that grounded flights, disrupted businesses, interrupted broadcasts and prevented millions of financial transactions, Sen. Mark Warner expressed concerns about why the company’s patch wasn’t first tested before its rollout.
Warner, an experienced lawmaker when it comes to security and technology — having made his fortune in cell phones — and the chairman of the Senate’s Select Committee on Intelligence, expressed concerns about what he saw unfold.
“What happened today with CrowdStrike, which is a cyber security firm, they were simply sending out what is called a patch where they thought there was a flaw,” Warner said, “[but] the patch was screwed up.”
Warner wants to know why CrowdStrike didn’t first test what they were doing.
“I need to know from CrowdStrike how and why they didn’t test this patch in a real-life experiment before they sent it out to all the system,” Warner said.
Today, CrowdStrike CEO George Kurtz was making the apology rounds on network news, saying, “I want to start with saying we are deeply sorry for the impact we have caused to customers, to travelers, and anyone impacted by this, including our company.”
But Warner noted the effect it had not just in the U.S., but worldwide.
“And it affected not only America but the whole world,” Warner said. “Airports were shut down, phone systems were shut down, people couldn’t access cash in a bank.”
Kurtz stressed in an interview with NBC that it was not a cyberattack.
Warner, though, asked what would have happened if it had been, and what the outage says about national security.
“It says for those of us who have been talking about cybersecurity for years, since you don’t see it, you only think about it, when something like this happened,” Warner said, “and I will get the answers from CrowdStrike, but this has to be higher in our list of national security concerns.”
Kurtz said that “when you look at software, it is a very complicated world, and a lot of interactions. Staying ahead of the adversary is always a tall task.”
For Warner, however, that task has to be met, and he is particularly concerned about the impact such an event could have on health care.
“If we shut down our health care system, and access to medicines, if machines turn off in hospitals, we have to have minimum standards,” Warner said. “For cyber-healthcare, we must have a minimum standard across the area. Healthcare is one area we are desperately behind.”
Warner said Friday’s outage is a wake-up call that can’t be ignored.
“If this had been a cyber-attack from a China or a Russia, we must realize that we are underprepared in cybersecurity,” Warner said. “We have been saying this for years, but we saw today this was a mistake coming out of CrowdStrike, and they’re supposed to be the good guys.”