Where Does Liability Reside After the CrowdStrike Outage?

Responsibility for the outage’s repercussions may have to be decided in court. That could set a tone for policies on third-party tech snafus.

Joao-Pierre S. Ruth, Senior Editor

August 2, 2024


The finger-pointing over the operational losses from the CrowdStrike outage took a legal turn with at least one class action lawsuit filed by shareholders against the cybersecurity company and the potential for more litigation, this time from Delta Air Lines, possibly waiting in the wings.

The operational and financial damage from the massive IT outage that brought down 8.5 million Microsoft Windows machines in mid-July is being measured in the billions of dollars. Rather than an intrusion by a bad actor, a bad update from CrowdStrike got the blame. Numerous companies affected by the outage found ways to recover swiftly, but Delta Air Lines saw disruptions to its operations for some five days, forcing flights to be delayed and canceled.

Hard to Ignore the Costs

The troubles Delta faced got the attention of the Department of Transportation, which opened an investigation into the airline’s handling of the outage and affected customers.

Delta CEO Ed Bastian told CNBC the disruption cost his airline $500 million. Delta Air Lines reportedly retained attorney David Boies, chair and founding partner of law firm Boies Schiller Flexner, to potentially seek damages from CrowdStrike and Microsoft for the outage.

When contacted by InformationWeek, Delta said it “has no information to add” regarding the possibility of pursuing damages from the tech providers.


In his appearance on CNBC’s Squawk Box, Bastian noted that Microsoft and CrowdStrike are top competitors with each other in cybersecurity. “They don’t necessarily partner at the same level that we need them to,” he said during the interview, then raised the broader industry question of whether Big Tech should be held responsible.

The Role of Policy in Tech

As litigation ensues, the courts may have to decide who is responsible for outages or security breaches in the tangled relationship between technology vendors and the companies that use them. There is also the potential specter of regulators taking a role in this space.

“There’s a big focus coming out of DHS-CISA at the moment on what’s now called SBOM, or the Software Bill of Materials,” says Nicholas Carroll, cyber incident response manager with Nightwing, in an interview with InformationWeek. An SBOM is a list of the “ingredients” that make up software, which is potentially crucial to software security and software supply chain risk management, according to the Cybersecurity & Infrastructure Security Agency (CISA), which is part of the Department of Homeland Security (DHS).

Carroll says there may be a drive for that kind of awareness and information about software given the way vendors tend to incorporate different open-source projects and pull different libraries off of GitHub into their technology. “They’re putting all of this stuff together into whatever becomes their final package that they put out,” he says. “When that happens, sometimes … a lot of the stuff that’s being built is being built on stuff that’s a couple of revisions behind.”


This can lead to situations where a customer company might not know if the product under the hood is up to date or what is inside of it before it goes on the network. “There’s nothing telling me what is potentially vulnerable in it or what’s in there,” Carroll says.

CrowdStrike's outage was attributed to a faulty update that required some hands-on fixes to correct.

Knowing what is under the hood could help companies better defend against exploits or prepare for updates, Carroll says. “I think that we’re going to see a lot more push for that kind of action soon and potentially even seeing that being something that comes down is more of a regulatory requirement.”

Organizations such as CISA are encouraging such measures rather than issuing mandates, Carroll says, to help companies better understand the technologies they incorporate into their networks. “It’s more of a catch flies with honey kind of thing right now,” he says.
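As an added illustration, not part of the original article or any vendor's tooling, the following Python snippet shows what “knowing what is under the hood” looks like in practice: it reads a constructed CycloneDX-style SBOM and flags bundled components that are behind the current release or below an advisory's fixed-in version. Every library name, version and advisory here is made up for the example.

```python
import json

# Constructed CycloneDX-style SBOM (not a real product's SBOM): the
# "ingredients list" described above, one entry per bundled library.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "libparse", "version": "2.1.0"},
    {"type": "library", "name": "tlsutil",  "version": "1.4.2"},
    {"type": "library", "name": "logfmt",   "version": "0.9.1"}
  ]
}"""

# Constructed reference data standing in for the upstream release inventory
# and a vulnerability feed (hypothetical names and versions).
LATEST = {"libparse": "2.3.0", "tlsutil": "1.4.2", "logfmt": "0.9.3"}
ADVISORIES = {"libparse": "2.2.1"}  # fixed-in version; anything below is affected


def parse_version(version):
    """Turn '2.1.0' into (2, 1, 0) so versions compare numerically, not as text."""
    return tuple(int(part) for part in version.split("."))


def audit_sbom(sbom_json, latest=LATEST, advisories=ADVISORIES):
    """Return which bundled components lag the current release and which
    fall below an advisory's fixed-in version."""
    components = json.loads(sbom_json)["components"]
    report = {"outdated": [], "vulnerable": []}
    for comp in components:
        name, version = comp["name"], comp["version"]
        if name in latest and parse_version(version) < parse_version(latest[name]):
            report["outdated"].append((name, version, latest[name]))
        if name in advisories and parse_version(version) < parse_version(advisories[name]):
            report["vulnerable"].append((name, version, advisories[name]))
    return report


if __name__ == "__main__":
    result = audit_sbom(SBOM_JSON)
    for name, have, want in result["outdated"]:
        print(f"behind: {name} {have} (current release {want})")
    for name, have, fixed in result["vulnerable"]:
        print(f"affected: {name} {have} (fixed in {fixed})")
```

Without the SBOM, the customer sees only the vendor's package version; with it, the same check can be run before the package goes on the network.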


Should Regulations Ramp Up?

Scrutiny on major technology vendors is understandably high given the trust placed in them and their widespread use across networks. Carroll notes, and CrowdStrike showed, that an issue with one vendor can quickly affect thousands of customer companies. Efforts to issue regulations or compliance frameworks for oversight on this front can take time, he says. “You have to get the lawmakers to agree. You have to put everybody in the right rooms at the right times, so it takes a lot of time to make those changes happen and bring them to fruition,” Carroll says.

Time can also play a role in litigation. In the current policy landscape, says ImmuniWeb CEO Ilia Kolochenko, if an IT support vendor or another service provider, such as an accountant, suffers a data breach due to a third-party incident, there might not be a quick remedy. “It will be a long journey to get compensation from them in the court of law,” he says.

Kolochenko is also an attorney and an adjunct professor of cybersecurity practice and cyber law at Capitol Technology University. He believes third-party suppliers such as CrowdStrike tend to opt to settle amicably, when possible, with their clients. “Obviously nobody wants negative publicity,” Kolochenko says.

Even if there is a quiet resolution on the legal side, the impact of the outage may bring about other changes. “I think a collateral effect of the CrowdStrike debacle will see that most organizations will start performing even more third-party risk management exercises,” he says. However, he also questions the value of such efforts. “It is highly likely they will simply raise the bar even higher,” Kolochenko says.

For example, a company might make demands for its IT and security services that some vendors cannot afford to meet, he says, turning away those unable to offer the newer, heightened levels of service and protection being asked for. “In the short term, we’ll see significant costs increase of doing business for many companies that will unlikely bring any additional security to the economy in general,” Kolochenko says. “I can only hope that lawmakers will consider adding third-party risk limitation strategies to be incorporated into existing or newly enacted laws.”

He notes that the European Union’s Digital Operational Resilience Act (DORA) goes into effect in January 2025 and includes comprehensive and detailed requirements for third-party risk management, at least for certain technologies. “It’s mostly about cyber security,” Kolochenko says.

About the Author

Joao-Pierre S. Ruth

Senior Editor

Joao-Pierre S. Ruth covers tech policy, including ethics, privacy, legislation, and risk; fintech; code strategy; and cloud & edge computing for InformationWeek. He has been a journalist for more than 25 years, reporting on business and technology first in New Jersey, then covering the New York tech startup community, and later as a freelancer for such outlets as TheStreet, Investopedia, and Street Fight.
