New York
CNN
—
The world learned relatively quickly that cybersecurity firm CrowdStrike was behind a crippling global tech outage on Friday. But figuring out who will pay the bill for the damages could take a lot longer.
What one cybersecurity expert said appears to be the “largest IT outage in history” led to the cancellation of more than 5,000 commercial airline flights worldwide and disrupted businesses from retail sales to package deliveries to procedures at hospitals, costing revenue and staff time and productivity.
The problem was caused by a few bits of CrowdStrike’s own bad code in a software “content update.” Unfortunately, fixing the mistake was much more time consuming than causing it, and it could be days before all the systems are back to normal.
While CrowdStrike has apologized, it has not mentioned whether or not it intends to provide compensation to affected customers. And when asked by CNN about whether it plans to provide compensation, its response did not address that question.
Experts say they expect that there will be demands for remuneration and very possibly lawsuits.
“If you’re a lawyer for CrowdStrike, you’re probably not going to enjoy the rest of your summer,” said Dan Ives, a tech analyst for Wedbush Securities.
Experts largely agree it’s too early to get a firm handle on the price tag for Friday’s global internet breakdown. But those costs could easily top $1 billion, said Patrick Anderson, CEO of Anderson Economic Group, a Michigan research firm that specializes in estimating the economic cost of events like strikes and other business disruptions.
His firm estimates that a recent hack of CDK Global, a software firm that serves US car dealerships, reached that $1 billion cost mark. While that outage lasted much longer, about three weeks, it was restricted to one narrow industry.
“This outage is affecting far more consumers and businesses in a way that ranges from inconvenience to serious disruptions and resulted in out of pocket costs they can’t get back easily,” he said. Anderson added that the costs could be particularly significant for airlines, due to lost revenue from canceled flights and excess labor and fuel costs for the planes that did fly but faced significant delays.
Despite CrowdStrike’s dominance in the cybersecurity field, its revenue is just less than $4 billion annually.
But there could be legal protections for CrowdStrike in its customer contracts to shield it from liability, according to one expert.
“I would guess that the contracts protect them,” said James Lewis, researcher at the Center for Strategic and International Studies.
Lewis pointed to case decided Thursday in favor of SolarWinds, another software company. A judge dismissed Securities and Exchange Commission charges against SolarWinds related to a Russian hack of federal government agencies in late 2020. Lewis said in that case SolarWinds was only facing charges for not disclosing its system’s vulnerabilities to an outside hack, not for damage caused by its own actions. But it still won a dismissal of the case.
It’s also not clear how many customers CrowdStrike might lose because of Friday.
Wedbush Securities’ Ives estimates less than 5% of its customers might go elsewhere.
“They’re such an entrenched player, to move away from CrowdStrike would be a gamble,” he said.
It will be difficult, and not without additional costs, for many customers to switch from CrowdStrike to a competitor. But the real hit to CrowdStrike could be reputational damage that will make it difficult to win new customers.
“Today CrowdStrike becomes a household name, but not in a good way, and this will take time to settle down,” Ives said.
CrowdStrike CEO George Kurtz said in an interview Friday morning on CNBC that the firm has been focused on fixing the continuing problems and that so far, he believed most customers had been understanding.
“My goal right now is to make sure every customer is back up and running,” he said. “I think many of the customers understand it’s a complex environment and staying one step ahead of the bad guys requires these content updates.”
But even if customers are understanding, it’s likely that CrowdStrike’s rivals will be seeking to use Friday’s events to try to lure them away.
“It’s a very competitive business. There will be sales people from all the other companies, …(jumping) in and say(ing), ‘This has never happened to us,’” said said Eric O’Neill, a cybersecurity expert and former FBI counterintelligence operative. “They’re an excellent company doing important work. I hope they survive this. If they don’t, the only winner will be the cybercriminals.”