CrowdStrike heads to Capitol Hill in first hearing on global outage
Illustration: Brendan Lynch/Axios
CrowdStrike will face lawmakers for the first time this afternoon after its devastating global outage this summer bricked roughly 8.5 million Windows devices.
Why it matters: As of now, this is the only hearing on lawmakers' calendars looking into the global CrowdStrike issue that caused what's now considered the largest IT outage in history.
State of play: Adam Meyers, CrowdStrike's senior vice president of counter adversary operations, is testifying this afternoon before a House Homeland Security subcommittee.
- His testimony comes after lawmakers originally requested to hear from CEO George Kurtz.
- In a disclosure form submitted to lawmakers Monday, Meyers said the company has more than 20,000 customers across critical infrastructure sectors and government offices.
- "On behalf of everyone at CrowdStrike, I want to apologize," Meyers plans to tell lawmakers, according to a copy of his opening remarks submitted to Congress ahead of the hearing.
- "We are deeply sorry this happened and are determined to prevent it from happening again."
Catch up quick: CrowdStrike has said that a faulty content error that was misinterpreted by the Windows kernel — the deepest level of access on a Windows system — caused the "blue screen of death" that several major companies experienced in July.
- CrowdStrike has since updated its internal testing and started implementing phased rollouts for its security updates, so if there is another similar issue, only a limited number of devices will be impacted at once.
- But the company is now facing lawsuits and legal threats from Delta Air Lines and passengers whose flights were cancelled as a result of the outage.
The big picture: Cyber policy experts and CrowdStrike's competitors are hoping Tuesday's hearing will yield more information about how exactly one of the most respected cybersecurity companies found itself in this situation.
- "There's still some unanswered questions that we need to explore further," J. Michael Daniel, CEO and president of the Cyber Threat Alliance, told Axios.
- Many of those questions are focused on how CrowdStrike has adapted to prevent a similar outage, why only Windows systems were affected, and what lessons other IT vendors can learn from this, Daniel noted.
What they're saying: "A global IT outage that impacts every sector of the economy is a catastrophe that we would expect to see in a movie," Rep. Mark Green (R-Tenn.), chair of the House Homeland Security Committee, will say at Tuesday's hearing, according to an excerpt of his remarks shared with Axios.
- "It is something that we would expect to be carefully executed by a malicious and sophisticated nation-state actor," Green will say. "To add insult to injury, the largest IT outage in history was due to a mistake."
- Rep. Bennie Thompson (D-Miss.), the committee's ranking member, will also say in his remarks, shared with Axios, that "the potential for malicious or accidental incidents disrupting critical functions has increased, and reducing that risk will require public-private collaboration on developing best practices and standards."
Between the lines: While the public might be looking for accountability from the hearing, experts note that a congressional hearing isn't the best venue for that.
- Most lawmakers — and their constituents — don't understand how security products and Windows systems work or why a misconfiguration would cause such an outage.
- The hearing is designed more to teach lawmakers about how an outage like this could even happen.
- "I don't think you need the CEO. You need the person who can answer: 'Why was the outcome of this so much different than the outcome we've come to expect from you?'" Mark Montgomery, director of the Cyberspace Solarium Commission 2.0, told Axios.
The intrigue: CrowdStrike and its top executives have spent years building a lot of goodwill across Washington, including on Capitol Hill.
- The company often participates in government threat intelligence sharing partnerships, like the Cybersecurity and Infrastructure Security Agency's Joint Cyber Defense Collaborative.
- And it's supported difficult-to-pass laws like one that will soon require mandatory cyber incident reporting for critical infrastructure organizations.
Yes, but: Competitors are still holding the company accountable and hoping the hearing will help the public view the outage as solely a CrowdStrike problem — not a broader issue with all security tools.
What we're watching: Whether lawmakers seem satisfied with Meyers' answers will dictate how likely it is members will pursue new legislation or further hearings.
- Other regulatory bodies and advisory boards — like the Cyber Safety Review Board — could also decide to dig into the global IT outage, experts say.
