Axios Codebook

September 24, 2024
Happy Tuesday! Welcome back to Codebook.
Today's newsletter is 1,322 words, a 5-minute read.
1 big thing: CrowdStrike's day on Capitol Hill begins
CrowdStrike will face lawmakers for the first time this afternoon after its devastating global outage this summer bricked roughly 8.5 million Windows devices.
Why it matters: As of now, this is the only hearing on lawmakers' calendars looking into the global CrowdStrike issue that caused what's now considered the largest IT outage in history.
State of play: Adam Meyers, CrowdStrike's senior vice president of counter adversary operations, is testifying this afternoon before a House Homeland Security subcommittee.
- His testimony comes after lawmakers originally requested to hear from CEO George Kurtz.
- In a disclosure form submitted to lawmakers yesterday, Meyers said the company has more than 20,000 customers across critical infrastructure sectors and government offices.
- "On behalf of everyone at CrowdStrike, I want to apologize," Meyers plans to tell lawmakers, according to a copy of his opening remarks submitted to Congress ahead of the hearing.
- "We are deeply sorry this happened and are determined to prevent it from happening again."
Catch up quick: CrowdStrike has said that a faulty content error that was misinterpreted by the Windows kernel, the deepest level of access on a Windows system, caused the "blue screen of death" that several major companies experienced in July.
- CrowdStrike has since updated its internal testing and started implementing phased rollouts for its security updates, so if there is another similar issue, only a limited number of devices will be impacted at once.
- But the company is now facing lawsuits and legal threats from Delta Air Lines and passengers whose flights were cancelled as a result of the outage.
The big picture: Cyber policy experts and CrowdStrike's competitors are hoping today's hearing will yield more information about how exactly one of the most respected cybersecurity companies found itself in this situation.
- "There's still some unanswered questions that we need to explore further," J. Michael Daniel, CEO and president of the Cyber Threat Alliance, told Axios.
- Many of those questions are focused on how CrowdStrike has adapted to prevent a similar outage, why only Windows systems were affected, and what lessons other IT vendors can learn from this, Daniel noted.
What they're saying: "A global IT outage that impacts every sector of the economy is a catastrophe that we would expect to see in a movie," Rep. Mark Green (R-Tenn.), chair of the House Homeland Security Committee, will say at today's hearing, according to an excerpt of his remarks shared with Axios.
- "It is something that we would expect to be carefully executed by a malicious and sophisticated nation-state actor," Green will say. "To add insult to injury, the largest IT outage in history was due to a mistake."
Between the lines: While the public might be looking for accountability from the hearing, experts note that a congressional hearing isn't the best venue for that.
- Most lawmakers, and their constituents, don't understand how security products and Windows systems work or why a misconfiguration would cause such an outage.
- The hearing is designed more to teach lawmakers about how an outage like this could even happen.
- "I don't think you need the CEO. You need the person who can answer: 'Why was the outcome of this so much different than the outcome we've come to expect from you?'" Mark Montgomery, director of the Cyberspace Solarium Commission 2.0, told Axios.
The intrigue: CrowdStrike and its top executives have spent years building a lot of goodwill across Washington, including on Capitol Hill.
- The company often participates in government threat intelligence sharing partnerships, like the Cybersecurity and Infrastructure Security Agency's Joint Cyber Defense Collaborative.
- And it's supported difficult-to-pass laws like one that will soon require mandatory cyber incident reporting for critical infrastructure organizations.
Yes, but: Competitors are still holding the company accountable and hoping the hearing will help the public view the outage as solely a CrowdStrike problem, not a broader issue with all security tools.
What we're watching: Whether lawmakers seem satisfied with Meyers' answers will dictate how likely it is members will pursue new legislation or further hearings.
- Other regulatory bodies and advisory boards, like the Cyber Safety Review Board, could also decide to dig into the global IT outage, experts say.
2. Microsoft issues cybersecurity progress report
Microsoft has made key improvements to an identity verification tool that Chinese hackers exploited last summer to hack government email accounts.
Why it matters: The changes will help keep malicious hackers from replicating last summer's hack, which exposed emails tied to officials at the State Department and even Commerce Secretary Gina Raimondo.
Driving the news: Microsoft shared the update in a progress report released Monday detailing ongoing work for its Secure Future Initiative.
Zoom in: U.S. government and public sector cloud accounts will now automatically generate, store and rotate token signing keys, Charlie Bell, Microsoft's executive vice president of security, wrote in a blog post.
- Signing keys are also now stored in a customer's so-called hardware secure module, making it virtually impossible for user accounts to access.
- The company also changed the lifespan of the access tokens given to internal employees to seven days, so even if a hacker somehow broke into an employee's account, they still wouldn't be able to break into the corresponding customer's account.
- Microsoft also removed about 730,000 unused apps across accounts and eliminated 5.75 million inactive tenants. Hackers have been known to find login credentials for third-party apps and break into companies that way.
Flashback: Last summer, Chinese hackers obtained a signing key for a Microsoft cloud account that allowed them to infiltrate government customers' email accounts.
What they're saying: "No human can either touch or take these signing keys" after these new changes, Joy Chik, president of identity and network access at Microsoft, told Axios.
- "It's automatically rotated by software, so there's no human intervention," Chik added.
- That means these signing keys are no longer vulnerable even if a user forgets to schedule a software update or make other changes.
The big picture: This is just one part of Microsoft's far-reaching security overhaul.
- The tech giant also created a new internal cybersecurity governance council, led by Microsoft CISO Igor Tsyganskiy and made up of each deputy CISO, that will oversee the company's cyber risk and compliance profile.
- Security performance is now officially linked to senior leadership's compensation and included in all employees' performance reviews.
- And Microsoft shared Monday that it has launched a Security Skilling Academy, an internal training tool for all of its employees.
Catch up quick: Microsoft started the Secure Future Initiative in November after a series of nation-state cyberattacks involving the company's technology.
- The company expanded this project in May after discovering in January that Russia had also successfully hacked senior Microsoft leadership's emails.
Go deeper: Microsoft mobilizes to regain government trust.
3. Catch up quick
@ D.C.
U.S. intelligence officials have warned that Russia, Iran and China are each using AI tools in election disinformation campaigns targeting Vice President Kamala Harris. (Washington Post)
The Commerce Department is pushing to ban the sale and import of smart vehicles that use certain Chinese and Russian technology. (CNN)
Austria, Estonia, Lithuania and the Netherlands have signed a U.S.-led agreement to impose domestic and international controls on certain spyware makers. (Nextgov)
@ Industry
Cloudflare has unveiled new tools that could help websites block AI chatbots from scraping their data. (Ars Technica)
Dozens of Fortune 100 companies have unknowingly hired North Korean IT workers, according to a new report. (The Record)
Disney is moving most of its business units off of Slack after its server was hacked in July, resulting in a massive leak. (CNBC)
@ Hackers and hacks
Hackers claim they stole sensitive information about more than 10,000 Dell employees, marking the second claim of a data breach at the company within a week. (HackRead)
4. 1 fun thing
Celebrated my own birthday recently, and I like to think this meme was made just for me (someone who also has an orange cat and a black cat).
See y'all Friday!
Thanks to Megan Morrone for editing and Khalid Adad for copy editing this newsletter.

