  • CrowdStrike’s ubiquity under fire as Congress calls for CEO to testify


    Karlston


    Congress fears worker shortage may delay CrowdStrike repairs.

    In a letter Monday, the House Committee on Homeland Security demanded more transparency from CrowdStrike CEO George Kurtz after major global outages were triggered by a "defect" in a recent update to CrowdStrike's Falcon Sensor software.

     

    Considered by some to be "the largest IT outage in history," the issue delayed or canceled thousands of flights, disabled emergency calls, postponed surgeries, and impacted banks, committee chairman Mark Green (R-Tenn.) and Subcommittee on Cybersecurity and Infrastructure Protection chairman Andrew Garbarino (R-NY) wrote in the letter.

     

    "In less than one day, we have seen major impacts to key functions of the global economy, including aviation, healthcare, banking, media, and emergency services," their letter said. "Recognizing that Americans will undoubtedly feel the lasting, real-world consequences of this incident, they deserve to know in detail how this incident happened and the mitigation steps CrowdStrike is taking."

     

    CrowdStrike may not be widely known to everyday consumers, but as The New York Times noted, it is the second largest American cybersecurity company, used by more than half of Fortune 500 companies. Responding quickly to fix the software defect, CrowdStrike has rushed to reassure its global customer base, explaining how it's accelerating remediations and creating a continually updated "guidance hub" where customers can keep up with the latest fixes and monitor emerging security risks.

     

    But even supposedly "easy" fixes have caused major lags, requiring customers to reboot systems repeatedly or manually delete defective files from computers one by one. The House committee worried labor shortages might cause more repair delays and asked Kurtz to fully explain the next steps for CrowdStrike, warning that any further delays "could seriously affect Americans."

     

    "Although a solution for this faulty software update has been identified, reporting indicates that it could take days to resolve this incident and millions of manual labor hours—something that is all the more challenging to address due to our significant cyber workforce shortage," their letter said.

     

    So far, CrowdStrike has taken steps to be transparent about security risks, alerting customers about threat actors who actually leveraged the bug "to distribute a malicious ZIP archive." These attacks seemingly targeted Latin America-based CrowdStrike customers, using Spanish filenames and instructions within the ZIP archive, CrowdStrike warned. But CrowdStrike has claimed it is equipped to combat security risks as they're detected, writing in the guidance hub that its "team is fully mobilized to ensure the security and stability of CrowdStrike customers."

     

    For customers still concerned about vulnerabilities, however, CrowdStrike has recommended that all communications with CrowdStrike remain only in official channels to avoid malicious activity.

     

    "We know that adversaries and bad actors will try to exploit events like this," Kurtz said in a statement provided in the guidance hub. "I encourage everyone to remain vigilant and ensure that you’re engaging with official CrowdStrike representatives. Our blog and technical support will continue to be the official channels for the latest updates."

     

    Although the House committee told CrowdStrike that it appreciated "CrowdStrike’s response and coordination with stakeholders," lawmakers remain concerned about the "global scale of this incident." And while they're relieved the issue didn't spring from a cyberattack, they also remain concerned about national security precisely because bad actors "have already seized the moment and sought to exploit the vulnerability."

     

    "Protecting our critical infrastructure requires us to learn from this incident and ensure that it does not happen again," their letter said. "This incident must serve as a broader warning about the national security risks associated with network dependency."

     

    Emphasizing the urgency of resolving the issue, the House committee asked Kurtz to schedule a hearing by "no later than 5 pm on Wednesday, July 24."

     

    Ars could not immediately reach CrowdStrike to comment. But in the guidance hub, Kurtz apologized "for the inconvenience and disruption" and vowed to be transparent with stakeholders.

     

    "Nothing is more important to me than the trust and confidence that our customers and partners have put into CrowdStrike," Kurtz's statement concluded. "As we resolve this incident, you have my commitment to provide full transparency on how this occurred and steps we’re taking to prevent anything like this from happening again."

    CrowdStrike’s ubiquity under fire

    The House Committee on National Security is only the latest US regulatory body to probe the CrowdStrike outage, following briefing requests from the House Oversight Committee and the House Energy and Commerce Committee. But the most recent request for Kurtz to testify "marks the first time the company is being publicly summoned to testify about its role in the disruptions," Reuters reported.

     

    On Sunday, the chair of the Federal Trade Commission, Lina Khan, also expressed concerns as an antitrust regulator, suggesting that the global network outage shows how weak systems are when they depend on one major supplier.

     

    "All too often these days, a single glitch results in a system-wide outage, affecting industries from healthcare and airlines to banks and auto-dealers," Khan wrote on X (formerly Twitter). "Millions of people and businesses pay the price. These incidents reveal how concentration can create fragile systems."

     

    "Concentrating production can concentrate risk," Khan warned.

     

    Microsoft security executive David Weston seemed to somewhat agree with Khan, writing in a blog Sunday that "this incident demonstrates the interconnected nature of our broad ecosystem—global cloud providers, software platforms, security vendors and other software vendors, and customers."

     

    Weston seemed to suggest, however, that the solution was for tech companies to be more vigilant when deploying updates, not for lawmakers to intervene and more closely monitor what the House committee described as "national security risks associated with network dependency."

     

    "It’s also a reminder of how important it is for all of us across the tech ecosystem to prioritize operating with safe deployment and disaster recovery using the mechanisms that exist," Weston wrote.

     

    Source

     
