NEWPORT BEACH — CrowdStrike Holdings’ faulty software upgrade rattled much of the computer-connected world in recent weeks, and OC cybersecurity expert Stuart McClure says it will take a while to pinpoint the cause.
McClure says it could have just been a failure to test sufficiently “or was there something more to it, like an insider threat or maybe an adversary that got into their systems and their supply chain?”
“It will take weeks before we really get even half of what is the true story.”
McClure speaks from decades of experience, including co-founding Cylance, the Irvine-based cybersecurity firm he sold for $1.4 billion. In the late 1990s, he also wrote a bestselling book on cybersecurity that he co-authored with George Kurtz, CrowdStrike’s co-founder and current chief executive.
“I feel for him,” McClure said about Kurtz. “Anybody in that position has to fix it.”
While the exact causes are still to be determined, Kurtz said shortly after the crash: “This was not a cyberattack.”
Could Happen Again
CrowdStrike, which got its start in Irvine, sent out a faulty software update on July 19 that paralyzed airplane operations, closed businesses and derailed medical care at 8.5 million points around the world.
Shares in CrowdStrike, which was founded in 2011 and moved to Silicon Valley in 2017, dropped more than 30% after the fiasco. The failure is expected to generate billions of dollars in hotly contested insurance compensation claims.
“It could easily happen again,” McClure told the Business Journal on July 24.
McClure and Kurtz both have more than 30 years of experience in cybersecurity, including both having worked at Ernst & Young at the same time.
In 1999, the pair along with Joel Scambray wrote a bestselling book called “Hacking Exposed.” The book was the first in a series that eventually sold more than 1 million copies and was translated into more than 30 languages. It’s still popular on Amazon, where it ranks No. 44 in privacy and online safety, No. 64 in computer hacking and No. 65 in computer network security.
“This series is mandatory reading if you want to understand what is happening at a technical level,” according to a 2016 blog on the cybersecurity platform Palo Alto Networks.
In 1999, the pair helped co-found Foundstone, a cybersecurity firm that grew to almost $100 million in annual sales and in 2005 was acquired by McAfee.
Both worked several years at McAfee, where Kurtz became chief technical officer, responsible for driving the integrated security architectures and platforms across the company’s entire portfolio. McClure, who also became CTO at McAfee after Kurtz left, was known for running an elite team of good guy hackers inside McAfee called TRACE that discovered new vulnerabilities and emerging threats.
In one of the largest technology deals in 2011, Intel Corp. acquired McAfee for nearly $8 billion.
Kurtz left McAfee in 2011 and raised $26 million in venture capital to create CrowdStrike.
McClure left a year later to found Cylance, which he sold in 2019 to Blackberry (NYSE: BB).
The Newport Beach resident served as president of BlackBerry Cylance—later renamed BlackBerry Cybersecurity—for eight months following the Cylance sale before joining another cybersecurity company called Qwiet AI as CEO in 2022.
The San Jose-based firm, previously known as ShiftLeft, aims to prevent cyberattacks by identifying vulnerabilities in code.
CrowdStrike, Irvine
CrowdStrike went public in 2019. Its shares almost touched $400 in the month before the failed update. It currently trades at $216.50 and a $52.7 billion market cap.
The company, now based in Austin, Texas, still maintains a research and development center in Irvine’s Spectrum area. It counted some 337 local employees as of last year.
“I am deeply sorry for the disruption this outage has caused and personally apologize to everyone impacted,” Kurtz wrote on a LinkedIn blog. “While I can’t promise perfection, I can promise a response that is focused, effective, and with a sense of urgency.”
McClure spoke to the Business Journal after CrowdStrike issued a preliminary review of the outage and pledged to publicly release a more detailed analysis when it becomes available.
“It’s just as bad and could be very much worse,” McClure said. “We’re really trying to just understand it all at a very technical level.
“The only thing that we’re all asking ourselves is, ‘Is there something more to this?’ It could absolutely be. We don’t have all the information. It will take weeks before we really get even half of what is the true story.”
He emphasized that “bad guys get into systems all the time no matter how much protection you have.”
McClure, a 2016 Business Journal Innovator of the Year award winner, has an expert’s eye on the situation.
“They’re really only giving out dribs and drabs of technical history around what happened,” he said.
There were plenty of opportunities to find this problem before it hit the 8.5 million devices, McClure said.
As for his advice: “I do believe in multiple layers of security. I don’t believe in relying on any one vendor.”
The Plane Accident that Shook McClure
Stuart McClure has revealed a dramatic plane explosion that affected his life when he was 19 years old.
He was traveling to Australia with his mother and brother on United Flight 811 in 1989 when an explosion shook their Boeing 747.
“It was a huge explosion that rocked the whole plane,” McClure recalled in a documentary. “Everything that wasn’t bolted down took off out (the plane).”
“We were helpless with no control. At that point, I realized, ‘This is where we die.’”
The crew prepared the passengers for a possible ditch in the Pacific Ocean, including donning life jackets.
Despite two dead engines, the pilots were able to safely land 25 minutes later in Honolulu, where McClure slid down an emergency evacuation slide. The accident, attributed to a faulty cargo door, resulted in the death of nine people who were sucked out of the plane.
It’s the second plane accident survived by someone who would go on to build a prominent Orange County company. In 2000, William Wang survived a crash at a Taipei airport that killed 83 of the 179 passengers onboard; Wang in 2002 founded Vizio Inc., which is being sold to Walmart for $2.3 billion.
McClure wrote on the X platform that the 747 explosion “was perhaps the first domino cascading into my lifelong mission to protect and prevent bad things from happening to people.”
“The experience and event that night told me that I needed to make my life matter,” he said during the documentary.
McClure would go on to start several cybersecurity companies. His latest venture, Wethos AI, uses artificial intelligence to make insights about employees based on their work habits and behavior, then give suggestions on how to improve performance.
He says he continues to get a “lot of buzz” around Wethos.
McClure says he’s “successfully entertaining a number of investors.”
Wethos AI is one of the first companies to come out of McClure’s Newport Beach-based business accelerator NumberOneAI.
NumberOneAI was founded in 2021 and as of 2022 had raised $13 million to back companies focused on artificial intelligence and machine learning.
McClure envisions using artificial intelligence to prevent disasters like the plane he was on.
“Imagine what we could do with AI if we could predict and prevent all kinds of disasters, not just cyber. Imagine the world we could live in together,” McClure wrote.
—Kevin Costelloe