A US congressional committee has asked CrowdStrike's CEO to testify at a hearing about the company's role in a technology outage that disrupted the global economy, in one of the first attempts to hold cybersecurity companies accountable.
CrowdStrike sent a flawed security update to its customers on Thursday night, resulting in the shutdown of millions of Microsoft Windows devices and disruption to airlines, hospitals, logistics companies and more.
“The American people have a right to know the details of how this happened and what mitigation measures CrowdStrike is taking,” wrote Rep. Mark Green of Tennessee, the Republican chairman of the Homeland Security Committee, and Rep. Andrew Garbarino, a Republican from New York.
The letter was sent to CrowdStrike CEO George Kurtz. Green and Garbarino asked the company for a date for the hearing this week but did not say when it would take place.
“CrowdStrike is actively in contact with relevant congressional committees,” a company spokesperson said. “Timelines for briefings and other engagement may be made public at the discretion of lawmakers.”
The call comes as the world continues to deal with the effects of the widespread outage, with Delta cancelling more than 800 flights on Monday, stranding many more passengers, and other industries still recovering from being offline for hours.
The outage highlights how the world has come to depend on a few companies to maintain its digital infrastructure. CrowdStrike is the second-largest cybersecurity company in the U.S., though it is little known to most consumers. More than half of the Fortune 500 companies use its products.
“This incident illustrates the interconnectedness of our broad ecosystem – our global cloud providers, software platforms, security vendors, other software vendors, and our customers,” Microsoft executive David Weston said in a blog post on Saturday. “And it serves as a reminder of how important it is for all of us across the technology ecosystem to use existing mechanisms to prioritize secure deployment and disaster recovery.”
CrowdStrike's products are used primarily by large enterprises, not consumers. The company's flawed update sent computers running Microsoft's Windows operating system into a spiral of repeated reboots. CrowdStrike sent out fixes, but many computers never got them because of the loop. In many cases, companies had to manually remove the faulty files from each machine.
Kurtz said on NBC's “Today” show on Friday that the incident was caused by a faulty update, not a cyberattack, but a congressional committee said in a letter to Kurtz on Monday that the incident still raises troubling security concerns.
“Malicious cyber actors, including those backed by nation-states such as China and Russia, are closely monitoring our response to this incident,” the lawmakers said. “To protect our critical infrastructure, we must learn from this incident and ensure that something like this never happens again.”
Rep. Ritchie Torres, D-New York, also called on the Department of Homeland Security on Friday to investigate the outage.