A congressional committee on Monday summoned the CEO of the security firm whose botched update caused Friday’s massive computer outage to testify, according to a letter shared exclusively with The Washington Post, allowing lawmakers to further investigate the incident.
Republican leaders of the House Homeland Security Committee demanded that CrowdStrike CEO George Kurtz appear on Capitol Hill by Wednesday to explain how the outages occurred and what “mitigation measures” the company is taking to prevent future outages.
Kurtz confirmed friday that a faulty content update shipped to Windows users caused the outages, which disrupted businesses and government organizations worldwide. The bug forced airlines to ground thousands of flights and disrupted emergency services such as 911. Microsoft estimates that 8.5 million Windows devices were affected.
The global crisis is forcing regulators and lawmakers to question the extent to which the global economy and critical infrastructure depend on a limited number of software services.
Kurtz said in an X message Friday that the outages were not caused by “a security or cyber incident” and that the company has since released a fix.
GET CAUGHT
Stories to keep you informed
Reps. Mark Green (R-Tenn.) and Andrew R. Garbarino (R-N.Y.), chairmen of the Homeland Security Committee and the Cybersecurity Subcommittee, respectively, wrote in their letter that the outages “should serve as a broader warning about the national security risks associated with network dependency.”
“To protect our critical infrastructure, we must learn from this incident and ensure it does not happen again,” the lawmakers wrote.
CrowdStrike spokeswoman Kirsten Speas said in an emailed statement Monday that the company is “actively in contact” with the relevant congressional committees and that “timelines for engagement may be disclosed at the members’ discretion,” but declined to say whether Kurtz will testify.
The committee is one of several investigating the incident, with members of the House Oversight Committee and the House Energy and Commerce Committee separately requesting briefings from CrowdStrike. But the effort by leaders of the Homeland Security Committee marks the first time the company has been publicly called to testify about its role in the disruptions.
CrowdStrike has emerged as a major security provider, including by identifying malicious online campaigns by foreign actors. However, the outages have raised growing concerns in Washington that international adversaries could exploit incidents in the future.
“Malicious cyber actors, backed by nation states such as China and Russia, are closely monitoring our response to this incident,” Green and Garbarino wrote.
The outages, which have caused problems at both the federal and state levels, also raise questions about the extent to which businesses and government officials have become dependent on Microsoft products for their day-to-day operations.
“These incidents show how concentration can create vulnerable systems,” Federal Trade Commission Chair Lina Khan (D), whose agency is investigating consolidation among cloud computing services, said in a post on X on Friday.
Microsoft spokesperson Kate Frischmann said in a written statement to The Post that the impact of the outages “was determined by CrowdStrike’s reach; not Microsoft’s reach.”
Many security vendors have privileged positions within the Windows structure, allowing them to block attacks more effectively and quickly. But that also means that mistakes by any of those companies can have an immediate and pervasive impact on Windows users. Apple no longer grants other software vendors such pervasive access. Microsoft spokesman Frank Shaw said Microsoft must give security vendors the same privileges it gives to its own security products because of a 2009 agreement with European antitrust officials.
Publisher’s Note
An earlier version of this article was accidentally published earlier than intended.
Joseph Menn contributed to this report.
