This transcript was prepared by a transcription service. This version may not be in its final form and may be updated.
Jeremy Owens: Hello and welcome to On Watch by MarketWatch. I’m Jeremy Owens. I took last Friday off for a trip to the mountains, and when I returned on Monday, I saw something that has frightened me for most of my life. The blue screen of death. You probably already know this, but it wasn’t just me, airports, banks, and hospitals were among the businesses that lost access to their computer systems on Friday, causing chaos and confusion for their customers. Even the internet jukebox that my local bar went down and all because of a company, lots of people had never heard of, Crowdstrike.
Dave DeWalt: You had a perfect storm, and ultimately we witnessed a real catastrophe and outage all weekend.
Jeremy Owens: That’s Dave DeWalt, a longtime cybersecurity executive involved in the Crowdstrike recovery efforts over the weekend. We’ll hear from him in this episode. So what happened? Well, Crowdstrike, a cybersecurity company sent out a tiny file as part of an update to ward off threats. But an error in that file slipped through testing procedures undetected and caused customers Microsoft operating systems to crash. Ultimately, it affected 8.5 million Windows computers worldwide, millions of dollars if not billions was lost. So what does this mean for Crowdstrike and should investors in all software companies be scared of a similar event and how likely is it that something like this will happen again? Those are the questions we’ll dive into on today’s episode, plus we’ll take a quick look at the news stories we’re watching right now and how they’ll affect your wallet.
Dave DeWalt is one of the most storied cybersecurity executives in the United States. He served as CEO at McAfee maker of the antivirus software many of us installed on our personal computers back in the early 2000s, as well as FireEye, a groundbreaking enterprise security company. He went on to become the vice chair of the U.S. Department of Homeland Security’s Cybersecurity Advisory committee. His status in the cybersecurity world was one reason why Dave’s phone rang late Thursday night. Another reason, he’d been through this before. He suffered through a very similar incident when he was CEO at McAfee and his right-hand man at that time, Crowdstrike founder and CEO George Kurtz. Here’s Dave to talk more about it.
Dave DeWalt: I was asleep. I was on the West Coast, I was in San Francisco. I fell asleep around 9:00 PM and I was woken up by a whole series of calls in a row and my phone just started lighting up and I realized that there was a problem. And of course, quickly spoke to George Kurtz, the founder and CEO of Crowdstrike to get an assessment of what was occurring. Crowdstrike was very quickly working on patches and remediations once we eliminated the fact that it was not an attacker and in the end, it was a Crowdstrike error that occurred. Crowdstrike has done a magnificent job in protecting computers around the world and has really made the world a safer place, but at the same time, wow, this was apocalyptic.
Jeremy Owens: And Dave, you’ve been a cybersecurity executive many years, and I love talking to you about this kind of stuff because kind of mirrored the change in cybersecurity with your career. You were CEO of McAfee, which produced antivirus software that the consumer had to put on their own computer when we were the ones being attacked. But that changed and attackers started targeting large companies where they could get millions of us. How has that change shown up in this particular incident and what does it say about where we are right now?
Dave DeWalt: Yeah, Jeremy, I call it the perfect cyber storm. That perfect cyber storm is made up of a number of events that are occurring, one of which is a expanding technology footprint. We now have trillions of devices on the internet and now everything’s connected as we witness with the Crowdstrike environment. But along with this, we’re also seeing and expanding vulnerability and all those vulnerabilities is really a root cause of one of the problems, which is security is often an afterthought for a lot of companies because capitalism is important and companies see selling their product versus securing their product is more important.
And so then you add geopolitical tensions, you create the anonymity on the internet, you now have thousands of attackers and you have this almost perfect storm in the cyber landscape that has given rise to this multi-hundred billion cyber market that we’re witnessing today. You take a look at the market caps today of large companies, Palo Alto and networks reaching over a hundred billion market cap. Crowdstrike was approaching that mark as well. So the importance of this market is significant and the way in which we update files, the way in which we interact with computing has changed as well. While a perfect storm has occurred, we’ve created a perfect risk as well from the security vendors who can also get breached, which we’ve witnessed quite a bit, but also make mistakes and accidents, which we just witnessed again.
Jeremy Owens: Dave, that environment isn’t just about cyber criminals hacking and that’s actually not what happened in this case. And I wonder about how big tech companies are getting and how much that puts us at risk for a similar incident. I think back to 2021, when AWS East, Amazon’s large cloud computing data center on the east coast went down and the whole internet basically didn’t work for many Americans for an entire day. This is the kind of thing we saw with Crowdstrike. And as these companies grow bigger and more dominant, aren’t we in more danger of seeing incidents like this?
Dave DeWalt: 100% Jeremy, and I remember the AWS East outage well. I was on the board of several companies that were affected. Some very large scale companies were affected by that outage causing hundreds of millions if not billions of dollars of damage and outage again. And this is emblematic of what we’ve been seeing. This is an AWS and Microsoft problem. This is a Crowdstrike problem. This is an industry problem. They have world-class quality controls, but it’s not good enough. We can’t have outages like this that affect the world. So this is a wake-up call without a doubt yet again, and this is the biggest incident we’ve ever seen globally in the history of compute. And this has got to be a wake-up call for government and private sector to come together. No excuse going forward, we have to fix this.
Jeremy Owens: But how much of a game a whack-a-mole is this, Dave? If we put in better testing environments to keep something like this from happening again, won’t there just be another way that some big company has a problem and it cascades through all these other companies? Is there any way to completely protect ourselves? I just don’t see it.
Dave DeWalt: No, I don’t believe so either, Jeremy. There’s always going to be corner cases, but deploying 30,000 customers to the biggest enterprises in the world in 60 seconds or less without any testing, does anyone think there’s a problem there? And so we have to do better testing here to catch these, rollouts have to be different. And now with AI and quantum computing, this problem only gets bigger.
Jeremy Owens: It’s funny, Dave, I’m used to tech executives saying AI is going to make everything better. You’re saying that it’s actually going to make this problem bigger. Could you walk me through that?
Dave DeWalt: Yeah, we’ve introduced a whole new variable, and this variable is exponentially higher risk than the prior. We’re already seeing massive hallucinations around large language models. We’re seeing the poisoning of the data, we’re seeing the disruption to that data. So you’ve just introduced a massive, massive new set of technology risk to an already massive risk scenario, and that’s the scary side. But to your point, Jeremy, AI creates a powerful opportunity to respond faster to automate humans in a better way. So we’ve created just a powerful weapon that if used properly can be very well done for good, but could also have similar, if not even bigger ramifications going forward.
Jeremy Owens: And Dave, you’ve experienced something like this before. In fact, in 2010, McAfee saw something like this happen. Can you walk us through that and what happened there?
Dave DeWalt: I really took the same strategy that I recommended to George, which was be honest about what happened, quickly take responsibility for it and work together with the community to heal the community. And I did that on April 21st, 2010. It affected 1,672 companies in 16 minutes. Now back then we did 30-minute rollouts by time zone, so we didn’t affect hundreds of thousands of customers that we could have and hundreds of millions of computers. But here we are 14 years later with a different deployment model. But back then, the threat environment in 2010 while being severe through the eyes of 2010 is nothing like it is today where these threats and the speed of these threats is incredible and the ramification of the threats are incredible. So the need to deploy the updates faster, wider, with more sophistication is what we’ve witnessed. And Crowdstrike learned from McAfee for sure. Their quality controls are incredible, but when you kind of marry together that threat environment with that release environment, it’s a fine balance.
Jeremy Owens: Yeah. And that’s from the security vendor side, from the customer side, a lot of what I’ve heard from chief security officers in the past is they’re annoyed by how many vendors they have to have, but this shows the other side of it. If we consolidate under one vendor, then that’s the single point of failure that could bring down the entire economy.
Dave DeWalt: Yeah, boy, another trade-off Jeremy that you’re alluding to, which is a topic that has been in the press in the media of late platformization, right? Nikesh Arora from Palo Alto brought it to light. Do we trust bigger vendors with all their features and all their products because it simplifies and creates efficiency and perhaps cost savings and then you run this risk? Or do we rely on a village of security vendors that all are best of breed in each of their areas to create a better together strategy? We need a village of vendors, and that’s just a fact. But we have to create standards, Jeremy. There’s no common language for which vendors can work together. There’s competition. It’s not like we have standards that enable us to all build by design with the same release processes, a standardization of that. So this is the call. I think that we all have to have this wake up call to create standards in cyber so we can have more vendors working together.
Jeremy Owens: Yeah. And from what I’m hearing, we can do a lot of things to improve and protect, but there’s no way to keep something like this from happening. There will always be the next thing on the horizon that could make this happen again.
Dave DeWalt: I believe so. I really do. And I am an incredibly optimistic person for those who know me. I look at the world through a very optimistic light and I see the power of our technology, but at the same time, it’s hard to not see this perfect storm of risk that’s occurring. We’ve created environments of risk that really is going to be a part of our society for a long time, unfortunately.
Jeremy Owens: Well, it’s really hard to be optimistic here in that Dave, but I appreciate you taking the time to tell us. Thanks so much for joining us.
Dave DeWalt: Jeremy. Thank you for having me. Appreciate you and all the work you do.
Jeremy Owens: We’re going to take a quick break. Coming up, what investors need to know, stay with us.
Welcome back to On Watch by MarketWatch. Before the break, we talked with Dave DeWalt about the Crowdstrike catastrophe. Now we welcome Wedbush analyst and former engineer Taz Koujalgi to talk about how investors should be digesting the events of the past week.
Well, first Taz, I feel like a lot of people out there just heard the name Crowdstrike for the first time as this happened, and they were many billions of dollars lost at this point because of this. Crowdstrike stock in the first three sessions after this happened went down about 25%, that wiped away more than 20 billion in market capitalization. Is this something they can come back from? What are we looking for for this stock and how hard is it going to get hit? Is there a chance for rebound or is this something that’s going to really take money from them for a long time?
Taz Koujalgi: That’s a good question. At this point, nobody has a really good answer. Everything is in a freeze or a hold mode, right? So this is their last two weeks of the quarter. Crowdstrike has a July fiscal quarter end, so this could not have come at a worst time for them. And when I ask channel partners what is happening in the field? Are deals getting done? Are renewals happening? The answer is nothing is happening.
Jeremy Owens: There is no signing on the dotted line right now.
Taz Koujalgi: Yeah. So this is the last two weeks of the quarter when almost a quarter of the business gets done, roughly a quarter, maybe 20%. So given that everything is being stalled or paused, I think it’s free to assume a near-term impact in numbers this quarter or next quarter, maybe even the following quarter.
Jeremy Owens: And obviously most of their people are worried about getting the company back up and running more so than maybe signing those deals right now.
Taz Koujalgi: Exactly, exactly. I mean, imagine a salesman from CrowdStrike going to Delta and saying, “Hey guys, we had this deal in the pipeline, you ready to renew?”
Jeremy Owens: Yeah, I don’t think that’s going to happen.
Taz Koujalgi: Right.
Jeremy Owens: And the broader question I think there is, is every software company, security or not, one bad update from the same type of thing happening.
Taz Koujalgi: I think it’s a concern broadly because this could have happened to anyone, right? The fact that this happened to Crowdstrike obviously is bad, but what happened with them could have happened to anyone. It’s happened to other companies before.
Jeremy Owens: Should this be something that investors are worried about that are in software companies or just in tech stocks in general?
Taz Koujalgi: Yeah, I think the risk of being breached, the risk of being compromised or… An intern sending out a bad update is a risk for every software company. So I think the concern for investors would be not just the near-term impact to deal volume and deal closing, but longer term, what kind of liability is this company exposed to if Crowdstrike is on the hook to pay our damages? That is going to have an impact on the cash flow, and that obviously impacts how you value the company. So I think that’s something that would be relevant. And I don’t think anyone has given me a concrete answer on whether Crowdstrike is protected because of the way they have backed their agreements or whether Crowdstrike is a hook for a lot of damage payouts.
Jeremy Owens: And I’m sure we’ll see that, these companies have to report that kind of thing, what their liabilities might be. We might see that in an 8-K coming up here after the end of the quarter. We may see it in their earnings coming up in a month or so. And Taz, I talked to Dave DeWalt about a similar event that happened at McAfee back in 2010. That company sold about a year later to Intel. Could the same thing happen for Crowdstrike? Would even Microsoft be interested?
Taz Koujalgi: Yeah, I was asked if given the pullback that Crowdstrike has seen in the last two, three days, does it make them attractive target for M&A? I would be very skeptical for that to happen because in spite of the pullback, Crowdstrike is still a $65 billion market cap company. That’s a very, very big number. That’s still a huge number. I mean, at that size, at that scale, I don’t see Crowdstrike getting acquired.
Jeremy Owens: The following knife metaphor is very popular at this point where you’ve got a stock just plunging because of a current issue and people wondering if they can get this at a discount. Is that a thought in your mind as well?
Taz Koujalgi: I think so. I think the stock is pricing in the near term disruption. I mean, what is the right price? I think I don’t have a good answer. Nobody has a good answer because we have so many other things that will drive that answer, right? What is the liability that Crowdstrike is on the hook for? Are they required to pay damages? How much discounts are they offering to the customers? How many of the deals are getting frozen? It’s very hard to come up with a right price answer right now because there’s so many variables involved and nobody knows what those variables are.
But the bigger picture question is what happens in the longer run? Do you think this is a permanent damage, a structural issue for Crowdstrike, or can they recover? Our view at Wedbush is I think longer term Crowdstrike should be fine. This is not the first time the companies have had this kind of issue. This is not the last time. I think Crowdstrike has reacted very openly and transparently. So we’ll see a hit to the numbers this quarter and next quarter, no doubt about it. We have Okta as an example.
Jeremy Owens: And Okta is a single sign on company in which you sign on to all your work apps through Okta and they’ve been targeted because if you get an Okta credential for somebody, you can get into every aspect of a company’s network.
Taz Koujalgi: Yeah. Okta has had much more severe issues than Crowdstrike ever had. So we saw the near-term impact, but then it took them four to five quarters to get the customer confidence back. So I mean, given how Crowdstrike has reacted in the last three, four days, we expect something similar to come from them to try to reassure the customers and regain the confidence. But I think this will be behind them by this time next year.
Jeremy Owens: How worried should consumers be that this is something that could just happen, that one vendor gets so large that it could take down several websites, several businesses. Is this something we should kind of expect going forward could happen any day?
Taz Koujalgi: Yeah, I mean that’s kind of the main concern going forward, right? One of the lessons learned is how prevalent and how widely used Crowdstrike is, right? That it can bring down almost half the economy across multiple sectors. I don’t know if there’s an immediate solution here because it’s hard to switch vendors. And when I ask customers and partners, what do you think people are going to do with the renewals? The answer I’m getting is in the near term, you might have some knee-jerk reaction where customers pause their renewals or they ask for discounts. But remember longer term, it’s very hard to displace software or security.
We’ve seen this issue with Okta, which has had multiple security issues over the last four to eight quarters. But you still hear customers renew with Okta and saying, you know what? It’s hard to displace Okta. We’ve spent so much money and time installing this, deploying this, training our customers. So we’ll have near term pauses and near term deals getting pushed out. Longer term, what is the solution? I think one thing that we all have to consider is, is it fair to have some dependency on one vendor, right? It’s a single point of failure. Yes, it makes our life easier in one way, but on the other hand, it makes our life a lot tougher when something like this happens.
Jeremy Owens: Should we be worried about Microsoft at all, Taz? I mean, I know it’s a Crowdstrike problem, but most of the people experienced it on their Microsoft Windows machines.
Taz Koujalgi: I think Microsoft’s liability here is very limited. This is not a Microsoft issue. I’m sure there’ll be some digging on whether Microsoft has some responsibility here because at the end of the day, it’s their software that went down, so they should have had some safeguards in place. But I think it’s a little bit complicated on how much control they had and how much control they had to give up because of this agreement they had with EU due to (inaudible) issues. So I don’t think Microsoft is on the hook here.
Jeremy Owens: Well, we’ll have Microsoft earnings coming up and hear what they have to say about it, and we’ll check back in with you, Taz. Thanks so much for joining us.
Taz Koujalgi: Thanks for having me.
Jeremy Owens: Before we go, it’s time for what we are watching, a look at the news you need to know for the rest of the week and beyond. On Sunday, President Joe Biden announced he was stepping away from his re-election bid and endorsed his Vice President Kamala Harris. That’s put Harris in the spotlight, including her investments, which are largely in passive index funds, exactly the type of investment we talk about a lot on this program. For more on Harris’s economic thoughts and expected policy ideas, check out our coverage on marketwatch.com. Tesla reported Tuesday, that profit fell by nearly 45% in the second quarter and confirmed that an event expected to show off prototype robotaxis had been delayed until October.
Chief Executive Elon Musk said on a conference call that anyone who doesn’t believe Tesla will solve autonomy should sell the stock. Many investors took him up on that, sending shares down more than 10% Wednesday. There is a company currently solving autonomy through robotaxis however. Google parent Alphabet executives said Tuesday that the company’s Waymo (inaudible) is completing more than 50,000 robotaxi rides a week in Phoenix and San Francisco. Alphabet’s leaders plan to pump another $5 billion into Waymo to support further growth. Alphabet’s earnings and sales grew healthily in the second quarter and beat expectations, but shares still dipped the next day as investors fretted about the cost of its artificial intelligence push and (inaudible) revenue growth for YouTube.
And that’s it for this episode. Thanks to Dave DeWalt and Taz Koujalgi for joining us to keep following the latest on Crowdstrike and all things cybersecurity, head to marketwatch.com. You can subscribe to the show wherever you get your podcasts, and please do. If you like what you heard, please leave us a rating or review, it really helps others discover the show. And let us know what you want to hear from us. You can reach us at onwatch@marketwatch.com. The show is hosted by me, Jeremy Owens, and produced by Alexis Moore and Jackson Cantrell. Isaac Gaines mixed this episode, Melissa Haggerty is the executive producer. We’ll be back next week with a new episode. And until then we’ll be watching.
