Date: 2024-07-25

U.S. lawmakers want CrowdStrike CEO George Kurtz to explain how a software update led to thousands of canceled flights, hospital disruptions and emergency call center outages. If Kurtz testifies, he will face hard questions probing CrowdStrike's competency.

It's one thing to explain how a flawed software update caused an outage affecting 8.5 million devices running Windows OS, according to Microsoft. But to truly understand what happened, we must look beyond the level of code.

Did management issues, inadequate oversight, employee turnover, training, processes, communications, resource allocation and tool investment contribute to this outage? These are critical questions, especially as we adopt AI systems with opaque algorithms that will automate some decision-making and have the potential to do even more damage to our national security and economy.

We are not off to a good start in addressing these issues.

On Wednesday, CrowdStrike released a preliminary post-incident review, which included a list of steps in its rapid response to prevent future occurrences of such global outages. However, it was partly a list of basic software quality practices, such as "local developer testing," where programmers first run tests on their machines.

Local developer testing is merely basic unit testing, which is testing software on a single, isolated machine or environment, said Jim Johnson, who recently retired as the longtime chair of the Standish Group, a research organization that studies software failures.

"I do not see anything in their response that would prevent future issues," Johnson said after looking at CrowdStrike's "software resiliency and testing" prevention plans.

Johnson criticized CrowdStrike for presenting what he sees as standard industry practices as its solution, rather than introducing more rigorous or innovative measures to prevent future outages in its critical security infrastructure.

The businesses disrupted by the CrowdStrike flaw also have a lot of explaining to do.