Smith testified before the US Senate in September that Russia, China, and Iran had stepped up their digital efforts to interfere in global elections this year, including in the US.
However, Microsoft’s own security standards have come under fire in recent months. A damning report by the US Cyber Safety Review Board in March said its security culture was “inadequate,” pointing to a “cascade… of avoidable errors” that last year allowed Chinese hackers to access hundreds of email accounts, including those belonging to senior US government security officials, that were hosted on Microsoft’s cloud systems.
Microsoft chief executive Satya Nadella has said in response that the company would prioritize security “above all else,” including by tying staff remuneration to security.
The company is also making changes to its Windows operating system to help its customers recover more quickly from incidents such as July’s global IT outage caused by CrowdStrike’s botched security update.
Beyond cyber security, Smith said it was “a little early” to determine the precise impact of a second Trump administration on the technology industry. Any anticipated liberalization of M&A regulation in the US would have to be weighed up against continued scrutiny of dealmaking in other parts of the world, he said.
Smith also reiterated his plea for the US government to “help accelerate exports of key American digital technologies,” especially to the Middle East and Africa, after the Biden administration imposed export controls on AI chips, fearing the technology could leak to China.
“We really need now to standardize processes so that American technology can reach these other parts of the world as fast as Chinese technology,” he said.
CrowdStrike and Delta’s legal battle has begun. Will Microsoft be sued next?
Travelers sit with their luggage on the check-in floor of the Delta Air Lines terminal at Los Angeles International Airport (LAX) on July 23, 2024 in Los Angeles, California. Credit: Mario Tama / Staff | Getty Images News
Delta and CrowdStrike have locked legal horns, threatening to drag out the aftermath of the worst IT outage in history for months or possibly years.
Each refuses to be blamed for Delta’s substantial losses following a global IT outage caused by CrowdStrike suddenly pushing a flawed security update despite Delta and many other customers turning off auto-updates.
CrowdStrike has since given customers more control over updates and made other commitments to ensure an outage of that scale will never happen again, but Delta isn’t satisfied. The airline has accused CrowdStrike of willfully causing losses by knowingly deceiving customers by failing to disclose an unauthorized door into their operating systems that enabled the outage.
In a court filing last Friday, Delta alleged that CrowdStrike should be on the hook for the airline’s more than $500 million in losses—partly because CrowdStrike has admitted that it should have done more testing and staggered deployments to catch the bug before a wide-scale rollout that disrupted businesses worldwide.
“As a result of CrowdStrike’s failure to use a staged deployment and without rollback capabilities, the Faulty Update caused widespread and catastrophic damage to millions of computers, including Delta’s systems, crashing Delta’s workstations, servers, and redundancy systems,” Delta’s complaint said.
Delta has further alleged that CrowdStrike postured as a certified best-in-class security provider who “never cuts corners” while secretly designing its software to bypass Microsoft security certifications in order to make changes at the core of Delta’s computing systems without Delta’s knowledge.
“Delta would have never agreed to such a dangerous process had CrowdStrike disclosed it,” Delta’s complaint said.
In testimony to Congress, CrowdStrike executive Adam Meyers suggested that the faulty update did follow standard protocols. He explained that “CrowdStrike’s software code is certified by Microsoft” and that it’s “updated less frequently,” and “new configurations are sent with rapid occurrence to protect against threats as they evolve,” not to bypass security checks, as Delta alleged.
But by misleading customers about these security practices, Delta alleged, CrowdStrike put “profit ahead of protection and software stability.” As Delta sees it, CrowdStrike built in the unauthorized door so that it could claim to resolve security issues more quickly than competitors. And if a court agrees that CrowdStrike’s alleged failure to follow standard industry best practices does constitute, at the very least, “gross negligence,” Delta could win.
“While we aimed to reach a business resolution that puts customers first, Delta has chosen a different path,” CrowdStrike’s spokesperson told Ars. “Delta’s claims are based on disproven misinformation, demonstrate a lack of understanding of how modern cybersecurity works, and reflect a desperate attempt to shift blame for its slow recovery away from its failure to modernize its antiquated IT infrastructure. We have filed for a declaratory judgment to make it clear that CrowdStrike did not cause the harm that Delta claims and they repeatedly refused assistance from both CrowdStrike and Microsoft. Any claims of gross negligence and willful misconduct have no basis in fact.”
CrowdStrike sues to expose Delta’s IT flaws
In its court filing, however, CrowdStrike said there’s much more to the story than that. It has accused Delta of failing to follow laws, including best practices established by the Transportation Security Administration (TSA).
While many CrowdStrike customers got systems back up and running within a day of the outage, Delta’s issues stretched painfully for five days, disrupting travel for a million customers. According to CrowdStrike, the prolonged delay at Delta was not due to CrowdStrike failing to provide adequate assistance but allegedly to Delta’s own negligence to comply with TSA requirements designed to ensure that no major airline ever experiences prolonged system outages.
“Despite the immediate response from CrowdStrike, it was Delta’s own response and IT infrastructure that caused delays in Delta’s ability to resume normal operation, resulting in a longer recovery period than other major airlines,” CrowdStrike’s complaint said.
In March 2023, the TSA added a cybersecurity emergency amendment to its cybersecurity programs. The amendment required airlines like Delta to develop “policies and controls to ensure that operational technology systems can continue to safely operate in the event that an information technology system has been compromised,” CrowdStrike’s complaint said.
Complying with the amendment ensured that airlines could “timely” respond to any exploitation of their cybersecurity or operating systems, CrowdStrike explained.
CrowdStrike realized that Delta was allegedly non-compliant with the TSA requirement and other laws when its “efforts to help remediate the issues revealed” alleged “technological shortcomings and failures to follow security best practices, including outdated IT systems, issues in Delta’s active directory environment, and thousands of compromised passwords.”
TSA declined Ars’ request to comment on whether it has any checks in place to ensure compliance with the emergency amendment.
While TSA has made no indication so far that it intends to investigate CrowdStrike’s claims, the Department of Transportation (DOT) is currently investigating Delta’s seemingly inferior customer service during the outage. That probe could lead to monetary fines, potentially further expanding Delta’s losses.
In a statement, DOT Secretary Pete Buttigieg said, “We have made clear to Delta that they must take care of their passengers and honor their customer service commitments. This is not just the right thing to do, it’s the law, and our department will leverage the full extent of our investigative and enforcement power to ensure the rights of Delta’s passengers are upheld.”
On X (formerly Twitter), Buttigieg said that the probe was sparked after DOT received hundreds of complaints about Delta’s response. A few days later, Buttigieg confirmed that the probe would “ensure the airline is following the law and taking care of its passengers during continued widespread disruptions.” But DOT declined Ars’ request to comment on whether DOT was investigating Delta’s alleged non-compliance with TSA security requirements, only noting that “TSA is not part of DOT.”
Will Microsoft be sued next?
Delta has been threatening legal action over the CrowdStrike outage since August, when Delta confirmed in an SEC filing that the outage caused “approximately 7,000 flight cancellations over five days.” At that time, Delta CEO Ed Bastian announced, “We are pursuing legal claims against CrowdStrike and Microsoft to recover damages caused by the outage, which total at least $500 million.”
But Delta’s lawsuit Friday notably does not name Microsoft as a defendant.
Ars could not immediately reach Delta’s lawyer, David Boies, to confirm if another lawsuit may be coming or if that legal threat to Microsoft was dropped.
It could be that Microsoft dissuaded Delta from filing a complaint. Immediately in August, Microsoft bucked Delta’s claims that the tech giant was in any way liable for Delta’s losses, The Register reported. In a letter to Boies, Microsoft lawyer Mark Cheffo wrote that Microsoft “empathizes” with Delta, but Delta’s public comments blaming Microsoft for the outage are “incomplete, false, misleading, and damaging to Microsoft and its reputation.”
“The truth is very different from the false picture you and Delta have sought to paint,” Cheffo wrote, noting that Microsoft did not cause the outage and Delta repeatedly turned down Microsoft’s offers to help restore its systems. That includes one instance where a Delta employee allegedly responded to a Microsoft inquiry three days after the outage by saying that Delta was “all good.” Additionally, a message from Microsoft CEO Satya Nadella to Delta’s Bastian allegedly went unanswered.
Cheffo alleged that Delta was cagey about accepting Microsoft’s help because “the IT system it was most having trouble restoring—its crew-tracking and scheduling system—was being serviced by other technology providers, such as IBM, because it runs on those providers’ systems, and not Microsoft Windows or Azure.”
According to Cheffo, Microsoft was “surprised” when Delta threatened to sue since the issues seemed to be with Delta’s IT infrastructure, not Microsoft’s services.
“Microsoft continues to investigate the circumstances surrounding the CrowdStrike incident to understand why other airlines were able to fully restore business operations so much faster than Delta, including American Airlines and United Airlines,” Cheffo wrote. “Our preliminary review suggests that Delta, unlike its competitors, apparently has not modernized its IT infrastructure, either for the benefit of its customers or for its pilots and flight attendants.”
At that time, Cheffo told Boies that Microsoft planned to “vigorously defend” against any litigation. Additionally, Microsoft’s lawyer demanded that Delta preserve documents, including ones showing “the extent to which non-Microsoft systems or software, including systems provided and/or designed by IBM, Oracle, Amazon Web Services, Kyndryl or others, and systems using other operating systems, such as Linux, contributed to the interruption of Delta’s business operations between July 19 and July 24.”
It seems possible that Cheffo’s letter spooked Delta out of naming Microsoft as a defendant in the lawsuit over the outage, potentially to avoid a well-resourced opponent or to save public face if Microsoft’s proposed discovery threatened to further expose Delta’s allegedly flawed IT infrastructure.
Microsoft declined Ars’ request to comment.
CrowdStrike says TOS severely limits damages
CrowdStrike appears to be echoing Microsoft’s defense tactics, arguing that Delta struggled to recover due to its own IT failures.
According to CrowdStrike, even if Delta’s breach of contract claims are valid, CrowdStrike’s terms of service severely limit damages. At most, CrowdStrike’s terms stipulate, damages owed to Delta may be “two times the value of the fees paid to service provider for the relevant subscription services subscription term,” which is likely substantially less than $500 million.
And Delta wants much more than lost revenue returned. Beyond the $500 million in losses, the airline has asked a Georgia court to calculate punitive damages and recoup Delta for future revenue losses as its reputation took a hit due to public backlash from Delta’s lackluster response to the outage.
“CrowdStrike must ‘own’ the disaster it created,” Delta’s complaint said, alleging that “CrowdStrike failed to exercise the slight diligence or care of the degree that persons of common sense, however inattentive they may be, would use under the same or similar circumstances.”
CrowdStrike is hoping a US district court jury will agree that Delta was the one that dropped the ball the most as the world scrambled to recover from the outage. The cybersecurity company has asked the jury to declare that any potential damages are limited by CrowdStrike’s subscriber terms and that “CrowdStrike was not grossly negligent and did not commit willful misconduct in any way.”
This story was updated to include CrowdStrike’s statement.
Ashley is a senior policy reporter for Ars Technica, dedicated to tracking social impacts of emerging policies and new technologies. She is a Chicago-based journalist with 20 years of experience.
Enlarge/ A passenger sits on the floor as long queues form at the check-in counters at Ninoy Aquino International Airport, on July 19, 2024 in Manila, Philippines.
Ezra Acayan/Getty Images
Millions of people outside the IT industry are learning what CrowdStrike is today, and that’s a real bad thing. Meanwhile, Microsoft is also catching blame for global network outages, and between the two, it’s unclear as of Friday morning just who caused what.
After cybersecurity firm CrowdStrike shipped an update to its Falcon Sensor software that protects mission-critical systems, blue screens of death (BSODs) started taking down Windows-based systems. The problems started in Australia and followed the dateline from there.
TV networks, 911 call centers, and even the Paris Olympics were affected. Banks and financial systems in India, South Africa, Thailand, and other countries fell as computers suddenly crashed. Some individual workers discovered that their work-issued laptops were booting to blue screens on Friday morning. The outages took down not only Starbucks mobile ordering, but also a single motel in Laramie, Wyoming.
Airlines, never the most agile of networks, were particularly hard-hit, with American Airlines, United, Delta, and Frontier among the US airlines overwhelmed Friday morning.
CrowdStrike CEO “deeply sorry”
Fixes suggested by both CrowdStrike and Microsoft for endlessly crashing Windows systems range from “reboot it up to 15 times” to individual driver deletions within detached virtual OS disks. The presence of BitLocker drive encryption on affected devices further complicates matters.
CrowdStrike CEO George Kurtz posted on X (formerly Twitter) at 5: 45 am Eastern time that the firm was working on “a defect found in a single content update for Windows hosts,” with Mac and Linux hosts unaffected. “This is not a security incident or cyberattack. The issue has been identified, isolated and a fix has been deployed,” Kurtz wrote. Kurtz told NBC’s Today Show Friday morning that CrowdStrike is “deeply sorry for the impact that we’ve caused to customers.”
The costs of such an outage will take some time to be known, and will be hard to measure. Cloud cost analyst CloudZero estimated mid-morning Friday that the CrowdStrike incident had already cost $24 billion, based on a previous estimate.
Multiple outages, unclear blame
Microsoft services were, in a seemingly terrible coincidence, also down overnight Thursday into Friday. Multiple Azure services went down Thursday evening, with the cause cited as “a backend cluster management workflow [that] deployed a configuration change causing backend access to be blocked between a subset of Azure Storage clusters and compute resources in the Central US region.”
A spokesperson for Microsoft told Ars in a statement Friday that the CrowdStrike update was not related to its July 18 Azure outage. “That issue has fully recovered,” the statement read.
News reporting on these outages has so far blamed either Microsoft, CrowdStrike, or an unclear mixture of the two as the responsible party for various outages. It may be unavoidable, given that the outages are all happening on one platform, Windows. Microsoft itself issued an “Awareness” regarding the CrowdStrike BSOD issue on virtual machines running Windows. The firm was frequently updating it Friday, with a fix that may or may not surprise IT veterans.
“We’ve received feedback from customers that several reboots (as many as 15 have been reported) may be required, but overall feedback is that reboots are an effective troubleshooting step at this stage,” Microsoft wrote in the bulletin. Alternately, Microsoft recommend customers that have a backup from “before 19: 00 UTC on the 18th of July” restore it, or attach the OS disk to a repair VM to then delete the file (Windows/System32/Drivers/CrowdStrike/C00000291*.sys) at the heart of the boot loop.
Security consultant Troy Hunt was quoted as describing the dual failures as “the largest IT outage in history,” saying, “basically what we were all worried about with Y2K, except it’s actually happened this time.”
United Airlines told Ars that it was “resuming some flights, but expect schedule disruptions to continue throughout Friday,” and had issued waivers for customers to change travel plans. American Airlines posted early Friday that it had re-established its operations by 5 am Eastern, but expected delays and cancellations throughout Friday.
Ars has reached out to CrowdStrike for comment and will update this post with response.
This is a developing story and this post will be updated as new information is available.
A software maker serving more than 10,000 courtrooms throughout the world hosted an application update containing a hidden backdoor that maintained persistent communication with a malicious website, researchers reported Thursday, in the latest episode of a supply-chain attack.
The software, known as the JAVS Viewer 8, is a component of the JAVS Suite 8, an application package courtrooms use to record, play back, and manage audio and video from proceedings. Its maker, Louisville, Kentucky-based Justice AV Solutions, says its products are used in more than 10,000 courtrooms throughout the US and 11 other countries. The company has been in business for 35 years.
JAVS Viewer users at high risk
Researchers from security firm Rapid7 reported that a version of the JAVS Viewer 8 available for download on javs.com contained a backdoor that gave an unknown threat actor persistent access to infected devices. The malicious download, planted inside an executable file that installs the JAVS Viewer version 8.3.7, was available no later than April 1, when a post on X (formerly Twitter) reported it. It’s unclear when the backdoored version was removed from the company’s download page. JAVS representatives didn’t immediately respond to questions sent by email.
“Users who have version 8.3.7 of the JAVS Viewer executable installed are at high risk and should take immediate action,” Rapid7 researchers Ipek Solak, Thomas Elkins, Evan McCann, Matthew Smith, Jake McMahon, Tyler McGraw, Ryan Emmons, Stephen Fewer, and John Fenninger wrote. “This version contains a backdoored installer that allows attackers to gain full control of affected systems.”
The installer file was titled JAVS Viewer Setup 8.3.7.250-1.exe. When executed, it copied the binary file fffmpeg.exe to the file path C:Program Files (x86)JAVSViewer 8. To bypass security warnings, the installer was digitally signed, but with a signature issued to an entity called “Vanguard Tech Limited” rather than to “Justice AV Solutions Inc.,” the signing entity used to authenticate legitimate JAVS software.
fffmpeg.exe, in turn, used Windows Sockets and WinHTTP to establish communications with a command-and-control server. Once successfully connected, fffmpeg.exe sent the server passwords harvested from browsers and data about the compromised host, including hostname, operating system details, processor architecture, program working directory, and the user name.
The researchers said fffmpeg.exe also downloaded the file chrome_installer.exe from the IP address 45.120.177.178. chrome_installer.exe went on to execute a binary and several Python scripts that were responsible for stealing the passwords saved in browsers. fffmpeg.exe is associated with a known malware family called GateDoor/Rustdoor. The exe file was already flagged by 30 endpoint protection engines.
Enlarge/ A screenshot from VirusTotal showing detections from 30 endpoint protection engines.
The researchers warned that the process of disinfecting infected devices will require care. They wrote:
To remediate this issue, affected users should:
Reimage any endpoints where JAVS Viewer 8.3.7 was installed. Simply uninstalling the software is insufficient, as attackers may have implanted additional backdoors or malware. Re-imaging provides a clean slate.
Reset credentials for any accounts that were logged into affected endpoints. This includes local accounts on the endpoint itself as well as any remote accounts accessed during the period when JAVS Viewer 8.3.7 was installed. Attackers may have stolen credentials from compromised systems.
Reset credentials used in web browsers on affected endpoints. Browser sessions may have been hijacked to steal cookies, stored passwords, or other sensitive information.
Install the latest version of JAVS Viewer (8.3.8 or higher) after re-imaging affected systems. The new version does not contain the backdoor present in 8.3.7.
Completely re-imaging affected endpoints and resetting associated credentials is critical to ensure attackers have not persisted through backdoors or stolen credentials. All organizations running JAVS Viewer 8.3.7 should take these steps immediately to address the compromise.
The Rapid7 post included a statement from JAVS that confirmed that the installer for version 8.3.7 of the JAVS viewer was malicious.
“We pulled all versions of Viewer 8.3.7 from the JAVS website, reset all passwords, and conducted a full internal audit of all JAVS systems,” the statement read. “We confirmed all currently available files on the JAVS.com website are genuine and malware-free. We further verified that no JAVS Source code, certificates, systems, or other software releases were compromised in this incident.”
The statement didn’t explain how the installer became available for download on its site. It also didn’t say if the company retained an outside firm to investigate.
The incident is the latest example of a supply-chain attack, a technique that tampers with a legitimate service or piece of software with the aim of infecting all downstream users. These sorts of attacks are usually carried out by first hacking the provider of the service or software. There’s no sure way to prevent falling victim to supply-chain attacks, but one potentially useful measure is to vet a file using VirusTotal before executing it. That advice would have served JAVS users well.
On Tuesday, ChatGPT developer OpenAI revealed that it is collaborating with the United States Defense Department on cybersecurity projects and exploring ways to prevent veteran suicide, reports Bloomberg. OpenAI revealed the collaboration during an interview with the news outlet at the World Economic Forum in Davos. The AI company recently modified its policies, allowing for certain military applications of its technology, while maintaining prohibitions against using it to develop weapons.
According to Anna Makanju, OpenAI’s vice president of global affairs, “many people thought that [a previous blanket prohibition on military applications] would prohibit many of these use cases, which people think are very much aligned with what we want to see in the world.” OpenAI removed terms from its service agreement that previously blocked AI use in “military and warfare” situations, but the company still upholds a ban on its technology being used to develop weapons or to cause harm or property damage.
Under the “Universal Policies” section of OpenAI’s Usage Policies document, section 2 says, “Don’t use our service to harm yourself or others.” The prohibition includes using its AI products to “develop or use weapons.” Changes to the terms that removed the “military and warfare” prohibitions appear to have been made by OpenAI on January 10.
The shift in policy appears to align OpenAI more closely with the needs of various governmental departments, including the possibility of preventing veteran suicides. “We’ve been doing work with the Department of Defense on cybersecurity tools for open-source software that secures critical infrastructure,” Makanju said in the interview. “We’ve been exploring whether it can assist with (prevention of) veteran suicide.”
The efforts mark a significant change from OpenAI’s original stance on military partnerships, Bloomberg says. Meanwhile, Microsoft Corp., a large investor in OpenAI, already has an established relationship with the US military through various software contracts.
