CrowdStrike will appear before lawmakers today for the first time since the largest IT outage in history rendered about 8.5 million Windows devices inoperable this past summer.
Adam Meyers, CrowdStrike’s senior vice president of counter adversary operations, will testify before a House Homeland Security subcommittee. Lawmakers had initially requested the company’s CEO, George Kurtz, but Meyers will speak on behalf of the company. In a disclosure submitted to Congress, Meyers revealed that CrowdStrike has more than 20,000 customers across critical infrastructure sectors and government agencies.
“On behalf of everyone at CrowdStrike, I want to apologize,” Meyers will say in his opening remarks, according to a copy shared with Congress. “We are deeply sorry this happened and are determined to prevent it from happening again.”
CrowdStrike attributes the outage to a faulty content error that was misinterpreted by the Windows kernel, resulting in the infamous “blue screen of death” that crippled major companies in July. In response, the company has updated its internal testing procedures and begun rolling out phased updates to limit the impact of potential future errors. However, CrowdStrike now faces legal threats, including lawsuits from Delta Air Lines and passengers affected by flight cancellations during the outage.
Cybersecurity experts and competitors are closely watching today’s hearing, hoping it will provide clarity on how CrowdStrike found itself in this situation. “There's still some unanswered questions that we need to explore further,” said J. Michael Daniel, CEO of the Cyber Threat Alliance. Among the key issues are why only Windows systems were affected and how other IT vendors can learn from the incident.
Representative Mark Green (R-Tenn.), chair of the House Homeland Security Committee, is expected to underscore the severity of the event. “A global IT outage that impacts every sector of the economy is a catastrophe that we would expect to see in a movie,” Green will say during the hearing. “To add insult to injury, the largest IT outage in history was due to a mistake.”
Rep. Bennie Thompson (D-Miss.), the committee's ranking member, is also slated to discuss the increasing risk of both accidental and malicious disruptions to critical functions, emphasizing the need for public-private collaboration to develop better cybersecurity standards.
While the hearing is expected to focus on the technical aspects of the outage, cybersecurity policy experts note that lawmakers and their constituents may not fully grasp how such misconfigurations occur. The goal of the hearing may be more about educating lawmakers than holding CrowdStrike accountable, said Mark Montgomery, director of the Cyberspace Solarium Commission 2.0.
CrowdStrike has built significant goodwill in Washington over the years through its participation in government intelligence-sharing initiatives like the Cybersecurity and Infrastructure Security Agency's Joint Cyber Defense Collaborative. The company has also supported major legislative efforts, including mandatory cyber incident reporting for critical infrastructure organizations.
Despite this, competitors hope the hearing will reinforce that the outage was specific to CrowdStrike and not indicative of a larger problem within the cybersecurity industry. How lawmakers respond to Meyers' testimony could shape the likelihood of new legislation or further hearings, while other bodies, such as the Cyber Safety Review Board, may also investigate the incident.
The hearing is slated to began at 2pm ET at the Cannon House Office building.
