House Committee calls on CrowdStrike CEO to testify on global IT outage

A US congressional committee on Monday called on the CEO of the security company whose botched update caused Friday’s massive computer outage to testify, according to a letter obtained exclusively by The Washington Post. The move brings even closer scrutiny of the incident.

Republican leaders of the House Homeland Security Committee demanded that CrowdStrike CEO George Kurtz agree to appear on Capitol Hill by Wednesday to explain how the outages occurred and what “remedial measures” the company is taking to prevent future incidents.

Kurtz confirmed Friday that a faulty content update for Windows users caused the outages that roiled businesses and government organizations around the world. The bug forced airlines to ground thousands of flights and disrupted emergency services such as 911. Microsoft estimates that 8.5 million Windows devices were affected.

The global collapse is forcing regulators and lawmakers to grapple with the extent to which the global economy and critical infrastructure depend on a small number of software services.

Kurtz said in a post on X on Friday that the outages were not caused by “a security or cyber incident” and that the company has since released a fix.

Reps. Mark Green (R-Tenn.) and Andrew R. Garbarino (R-N.Y.), chairmen of the Homeland Security Committee and its Cybersecurity Subcommittee, respectively, wrote in their letter that the outages “must serve as a broader warning about the national security risks associated with network dependency.”

“To protect our critical infrastructure, we must learn from this incident and ensure it does not happen again,” the lawmakers wrote.

Spokespeople for CrowdStrike did not immediately respond to a request for comment. Kurtz said Friday that the company “continues to work closely with affected customers and partners to ensure all systems are restored.”

The committee is one of several investigating the incident. Members of the House Oversight Committee and the House Energy and Commerce Committee have each requested separate briefings from CrowdStrike. But the move by the chair of the Homeland Security Committee is the first time the company has been publicly asked to testify about its role in the outages.

CrowdStrike has built a reputation as a key security vendor, in part by identifying malicious online campaigns by foreign actors, but the outages have heightened concerns in Washington that international adversaries could exploit future incidents.

“Malicious cyber actors backed by nation states like China and Russia are closely monitoring our response to this incident,” Green and Garbarino wrote.

The outages, which caused disruptions at federal and state agencies, also raise questions about the extent to which companies and government officials rely on Microsoft products in their daily work.

“These incidents show how concentration can create fragile systems,” Federal Trade Commission (FTC) Chairwoman Lina Khan (D), whose agency is investigating the consolidation of cloud computing services, said Friday in a post on X.

Microsoft spokeswoman Kate Frischmann responded in a written statement that the impact of the outages “was determined by CrowdStrike’s reach; not Microsoft’s reach.”

Many security companies have a privileged position within the Windows structure, giving them the power to block attacks more effectively and quickly. But that also means that mistakes by one of these companies can have an immediate and profound impact on Windows users. Apple no longer allows other software vendors such deep access. Microsoft spokesman Frank Shaw said Microsoft must give security companies the same powers as its own security products because of a 2009 agreement with European antitrust regulators.

Editor’s note

An earlier version of this article was accidentally published earlier than intended.

Joseph Menn contributed to this report.