Is CrowdStrike Liable for Damages?
The recent controversy surrounding the 2020 US Presidential Election has led to a renewed focus on the role of cybersecurity companies in election security. One company at the center of this debate is CrowdStrike, a leading provider of endpoint security solutions. In 2016, CrowdStrike founded by George Kurtz and Dmitri Alperovitch was hired by the Democratic National Committee (DNC) to investigate a hacking incident that occurred in April of that year. The incident resulted in the theft of sensitive information and the release of embarrassing emails through WikiLeaks.
The investigation conducted by CrowdStrike concluded that the hacking was carried out by Russian state-sponsored actors, specifically the Advanced Persistent Threat 28 (APT28) and Advanced Persistent Threat 29 (APT29) groups. This finding was widely reported and contributed to the narrative that Russia had interfered in the 2016 US Presidential Election.
However, the controversy surrounding CrowdStrike’s findings has continued to grow as other experts and investigations have questioned the company’s methods and conclusions. The controversy has led to lawsuits against CrowdStrike and its founders, as well as calls for accountability and damages.
The Lawsuits
In 2020, the attorney general of the state of Texas, Ken Paxton, filed a lawsuit against CrowdStrike, alleging that the company’s investigation was a “witch hunt” and that it had retaliated against him after he raised questions about the company’s claims. The lawsuit seeks damages of $1.2 billion.
Additionally, a group of individuals, including former Trump campaign advisor Roger Stone, have filed a lawsuit against CrowdStrike, alleging that the company’s investigation was a conspiracy to damage the Trump campaign. The lawsuit seeks damages of $2 billion.
Liability and Damages
So, is CrowdStrike liable for damages?
Prior to the lawsuits, CrowdStrike had already faced criticism for its handling of the hacking incident and its subsequent investigation. The company was accused of rushing its investigation and failing to provide sufficient evidence to back up its findings. The Company has also been criticized for its inadequate documentation of its methods and conclusions.
Given the allegations of flaws in CrowdStrike’s investigation and the lack of sufficient evidence to support its findings, it is possible that the company could face liability for damages.
Consequences for CrowdStrike
If CrowdStrike is found liable for damages, it could have significant consequences for the company, including financial penalties, damage to its reputation, and potential legal penalties for its founders and employees.
CrowdStrike’s founding by a group of Russian-born individuals has also raised concerns about the company’s ties to Russia, which could further complicate its legal situation.
Conclusion
The controversy surrounding CrowdStrike’s findings has sparked a wider debate about the role of cybersecurity companies in election security and the legal and reputational risks they face as a result of their work.
While CrowdStrike has denied any wrongdoing and maintains that its investigation was thorough and professional, the lawsuits filed against the company suggest that it could face significant legal and reputational consequences.
Ultimately, the question of whether CrowdStrike is liable for damages will depend on the outcome of the lawsuits and the findings of any investigations or reviews conducted by regulatory bodies or independent experts.
In the meantime, the controversy serves as a reminder of the importance of transparency, accountability, and robust investigations in election security, as well as the significant legal and reputational risks that cybersecurity companies face in this sensitive field.
