Kurtz confirmed Friday that a faulty content update shipped for Windows users prompted the outages, which threw businesses and government organizations worldwide into disarray. The error forced airlines to ground thousands of flights and disrupted emergency services such as the 911 call line. Microsoft has estimated that 8.5 million Windows devices were impacted by the issue.
The global meltdown is forcing regulators and lawmakers to confront the extent to which the global economy and critical infrastructure relies on a small set of software services.
CrowdStrike’s Kurtz said in an X post Friday that the outages were not caused by “a security or cyber incident” and that the company has since issued a fix to address the problem.
GET CAUGHT UP
Stories to keep you informed
Reps. Mark Green (R-Tenn.) and Andrew R. Garbarino (R-N.Y.), chairs of the full homeland security panel and its cybersecurity subcommittee, respectively, wrote in their letter that the outages “must serve as a broader warning about the national security risks associated with network dependency.”
“Protecting our critical infrastructure requires us to learn from this incident and ensure that it does not happen again,” the lawmakers wrote.
Spokespeople for CrowdStrike did not immediately respond to a request for comment. Kurtz said Friday that the company “continues to work closely with impacted customers and partners to ensure that all systems are restored.”
The committee is one of several looking into the incident, with members of the House Oversight Committee and House Energy and Commerce Committee separately requesting briefings from CrowdStrike on the matter. But the effort by House Homeland Security leaders marks the first time the company is being publicly summoned to testify about its role in the disruptions.
CrowdStrike has risen to prominence as a major security provider partly by identifying malicious online campaigns by foreign actors, but the outages have heightened concern in Washington that foreign adversaries could look to exploit future incidents to their benefit.
“Malicious cyber actors backed by nation-states, such as China and Russia, are watching our response to this incident closely,” Green and Garbarino wrote.
The outages, which disrupted a spate of agencies at the federal and state level, are also raising questions about how much businesses and government officials alike have come to rely on Microsoft products for their daily operations.
“These incidents reveal how concentration can create fragile systems,” Federal Trade Commission Chair Lina Khan, a Democrat whose agency is examining consolidation among cloud computing services, said in a Friday post on X.
Microsoft spokeswoman Kate Frischmann responded that the impact of the outages “was defined by the reach of CrowdStrike; not the reach of Microsoft.”
Many security companies have a privileged position within the structure of Windows, giving them the power to block attacks more effectively and quickly. But that also means that mistakes by one of those vendors can have an immediate and profound impact on Windows users. Apple no longer allows other software providers such deep access. Microsoft spokesman Frank Shaw said Microsoft must offer security companies the same powers as its own security products because of a 2009 agreement with European antitrust officials.
Editor’s note
A previous version of this article was inadvertently published earlier than intended.
Joseph Menn contributed to this report.
