Lawmakers on Tuesday grilled executives at cybersecurity firm CrowdStrike Inc. about widespread technology outages this summer that paralyzed global travel, hampered government operations and sent major companies scrambling to move operations online.
The outage was caused by a faulty update sent to CrowdStrike software that runs on Microsoft’s Windows operating system. The update sent affected devices into a loop in which they could not reboot normally unless someone removed the faulty files from the system.
Adam Myers, CrowdStrike’s senior vice president of adversary countermeasures, told members of the House Homeland Security Subcommittee that the company has implemented new safeguards to prevent such a mistake from happening again.
Lawmakers pressed Myers to explain why the error occurred in the first place and how the company plans to hold itself accountable to customers for the harm caused by the outages.
“I want to make sure you know what happened, you can explain it, and you know what you’re doing to make sure this never happens again,” said Rep. Andrew Garbarino, R-New York.
The July incident highlighted how modern commerce and communications depend on a handful of big tech companies. Travelers were stranded as airlines canceled flights. Emergency services were interrupted as 911 operators discovered their systems were failing. Hospitals suspended some services.
Tuesday’s hearing pointed to persistent questions governments have about the power and influence of tech companies that dominate the modern internet age. Lawmakers around the world have recently passed laws to regulate how companies like Microsoft, Amazon, Apple, Google and Meta, the owner of Facebook and Instagram, operate. They have accused the companies of entrenching themselves by squeezing out smaller competitors, and have laid out new rules for how social media platforms handle content.
“High tech dependence is a new phenomenon that makes it more vulnerable to big shocks,” Jonathan Welburn, a senior fellow at the RAND Corporation who studies and models supplier relationships and dependencies between companies, said in a recent interview.
The July outage spread around the world as computers received the flawed update, and because CrowdStrike counts large corporations as clients, its immediate impact was mostly limited to computers used by businesses, rather than individual consumers.
The infamous Windows “Blue Screen of Death” appeared on disabled machines. Internally at CrowdStrike, engineers were instructed to focus on fixing the problem rather than tracking down the cause. The company eventually posted instructions telling customers how to fix the issue and issued a software patch designed to stop devices from rebooting continuously.
The company’s CEO, George Kurtz, did not appear at the hearing despite the committee’s initial request to testify, and Myers, who appeared instead, said in his opening statement that CrowdStrike had “let its customers down.”
“We deeply regret this and are determined to prevent this from happening again,” he said.
Many lawmakers praised CrowdStrike’s overall response, but they asked Myers to explain how such a mistake could have been made with updates that are so routine that the company sends them out 10 to 12 times a day.
He said the issue wasn’t discovered during the company’s update review process: “Testing showed it was OK or good, so it was allowed to be released,” he said.
The company has since updated its internal processes to incorporate more rigorous testing to prevent a similar incident, Myers said. CrowdStrike customers can now choose to delay receiving updates.
CrowdStrike has stated that the outage was not the result of a cyberattack, but lawmakers remain concerned about the harm it has caused to Americans.
Rep. William R. Timmons IV, a Republican from South Carolina, asked Myers how the company planned to hold him accountable. Timmons said his “constituents who missed their flights and were stuck in airports for weeks” wouldn’t care that the company distinguished between a security breach and a faulty update.
During the company’s most recent earnings call, CrowdStrike executives said the company was setting aside $60 million for a “customer commitment package” that will be paid out in the form of credits to affected customers.
That’s far less than the $500 million Delta Air Lines says it lost as a result of the outage. The airline said in an August securities filing that it was “pursuing legal claims against CrowdStrike and Microsoft seeking damages for the outage.” CrowdStrike executives have previously said insurance would limit the company’s losses.
Republican Rep. Mark E. Green of Tennessee asked Myers whether artificial intelligence played a role in sending out the erroneous update.
“The AI was not responsible for making any decisions in that process,” Myers said.
Garbarino said that while this outage was a “catastrophe,” he was concerned it could happen again if CrowdStrike doesn’t make changes.
“Because we’re now seeing perfect storms and once-in-100-year floods more frequently than not, every two years,” he said.
Eli Tan contributed reporting from San Francisco.