CrowdStrike's Legal Pressures Mount, Could Blaze Path to Liability

The CrowdStrike update that hobbled businesses, disrupted consumer travel plans, and took French and British broadcasters offline has predictably led to a host of lawsuits filed by investors and customers of both CrowdStrike and other affected companies.

Yet the incident could lead to another destination: software liability.

The overall consensus among legal experts is that CrowdStrike is likely protected by its terms and conditions from reimbursing customers for more than they paid for the product, limiting its software liability in what the company now refers to as "the Channel File 291 Incident." However, the fact that affected businesses and consumers have little recourse to recover damages will likely lend momentum to legislation and state regulations to hold firms responsible for such chaos, says Chinmayi Sharma, associate professor of law at Fordham University.

"This is an extremely interesting and important example of why the call for greater software liability is urgent, from the standpoint of protecting critical infrastructure and protecting the consumer," she says. "There are these massive barriers in existing doctrine that prevent users, licensees, purchasers of software, and third parties from bringing successful lawsuits against software manufacturers, and so I think that this will be an exemplary case of why reform is necessary to address those big barriers."

On July 19, CrowdStrike pushed an update to its sensors to detect additional attacks that use a particular Windows features known as "named pipes." According to the firm's Aug. 6 root-cause analysis, the update — a Channel File numbered 291 — "defined 21 input parameters, but the integration code ... supplied only 20 input values to match against." The difference caused an out-of-bounds memory read, leading the Windows systems that received and applied the update to crash with the blue screen of death.

The bad update affected 8.5 million computers, caused at least $5.4 billion in damages to the Fortune 500, and caused widespread operational disruption, particularly among airlines and healthcare firms.

In a statement filed with the SEC on August 8, Delta — the worst-hit airline — estimated a $380 million direct revenue impact due to its refunding of customers for canceled flights and $170 million in recovery costs. The company canceled 7,000 flights over five days, angering its customers but also leading to a scant savings of $50 million in fuel due to the cancellations.

"An operational disruption of this length and magnitude is unacceptable, and our customers and employees deserve better," said Ed Bastian, CEO of Delta, in the filing. "We are pursuing legal claims against CrowdStrike and Microsoft to recover damages caused by the outage, which total at least $500 million."

Lawsuits Already on Tap

Delta is far from the only lawsuit. CrowdStrike is facing class-action lawsuits from investors after its stock price plummeted more than 36%, from $343 on July 18 — the day before the bad update — to less than $218 on Aug. 2.

The incident has resulted in numerous shareholder lawsuits, and not just against CrowdStrike, but against Delta as well. A sampling of current lawsuits:

The incident has led to an investigation by the US House Committee on Homeland Security.

While investor lawsuits and government investigations will have different goals, customer lawsuits — such as Delta's and the potential small-business lawsuit — will have an uphill battle. As CrowdStrike's attorneys pointed out in a letter to Delta, business customers would need to explain why liability limits in established contracts should be considered moot, detail every action taken or not taken to recover from the outage, and explain the ways their infrastructure was designed to be resilient.

"Delta’s public threat of litigation distracts from [our recovery] work and has contributed to a misleading narrative that CrowdStrike is responsible for Delta's IT decisions and response to the outage," the company's attorney stated in the letter. "Should Delta pursue this path, Delta will have to explain to the public, its shareholders, and ultimately a jury why CrowdStrike took responsibility for its actions — swiftly, transparently, and constructively — while Delta did not."

As for the burgeoning shareholder lawsuits?

"We believe the cases lacks merit and we will vigorously defend the company," a CrowdStrike spokesperson told Dark Reading.

Software Liability's Long Road

Yet the outage and its legal fallout might only fuel the effort to hold software companies more liable for their products. Currently, the bar is so high for bringing a successful case against a software maker that most attorneys are disincentivized to even try, says Fordham's Sharma.

"How these cases go will give us a lot of insight into how high are these barriers, what needs to be reformed," she says. "We don't have a lot of case law on this ... so this will be very exemplary in shedding light on exactly what the contours of those barriers are."

The software liability landscape is currently pretty craggy. While simple on its surface — "software makers must be held responsible for insecure software" — even the question of who is responsible can quickly become complex, as the interplay between Delta Airlines, CrowdStrike, and Microsoft shows.

Software liability legislation and regulations would have to solve this issue and many others, the Atlantic Council's Cyber Statecraft Initiative stated in a 32-page analysis published earlier this year.

"Software security is a problem of 'shared responsibility': users of software, in addition to its developers, have significant control over cybersecurity outcomes through their own security practices," the report stated. "Torts already have conceptions of 'comparative negligence' when the behavior of the harmed party contributed significantly to the harmful outcome — policymakers might want to map this concept explicitly to the software context to balance certain policy goals.

Even if software-liability regulations were established, however, CrowdStrike would likely exceed those requirements, says Brian Fox, CTO of Sonatype, a software integrity company. He pointed out that "a series of relatively minor mistakes led to an eventual collision when a final factor was dropped into place." While some have said that the company did not test its updates, it's more likely that the company just did not account for all possible scenarios — a common failure, Fox notes.

"We badly need reform to rebalance corporate risk-taking on behalf of their customers, [but] the specifics of how this issue unfolded likely make it only a part of the case study for reform," he says. "This is unfortunately very typical in software and highlights why we aren't ready for perfect strict liability standards."