House committee calls on CrowdStrike CEO to testify on global IT outage

Kurtz confirmed Friday that a faulty content update shipped for Windows users prompted the outages, which threw businesses and government organizations worldwide into disarray. The error forced airlines to ground thousands of flights and disrupted emergency services such as the 911 call line. Microsoft has estimated that 8.5 million Windows devices were affected.

The worldwide meltdown is forcing regulators and lawmakers to confront the extent to which the global economy and critical infrastructure relies on a small set of software services.

Kurtz said in an X post Friday that the outages were not caused by “a security or cyber incident” and that the company has since issued a fix.

Reps. Mark Green (R-Tenn.) and Andrew R. Garbarino (R-N.Y.), chairs of the Homeland Security Committee and its cybersecurity subcommittee, respectively, wrote in their letter that the outages “must serve as a broader warning about the national security risks associated with network dependency.”

“Protecting our critical infrastructure requires us to learn from this incident and ensure that it does not happen again,” the lawmakers wrote.

CrowdStrike spokesperson Kirsten Speas said in an emailed statement Monday that the company is “actively in contact” with the relevant congressional committees and that “engagement timelines may be disclosed at Members’ discretion,” but declined to say whether Kurtz will testify.

The committee is one of several looking into the incident, with members of the House Oversight Committee and House Energy and Commerce Committee separately requesting briefings from CrowdStrike. But the effort by Homeland Security Committee leaders marks the first time the company is being publicly summoned to testify about its role in the disruptions.

CrowdStrike has risen to prominence as a major security provider partly by identifying malicious online campaigns by foreign actors, but the outages have heightened concern in Washington that international adversaries could look to exploit future incidents.

“Malicious cyber actors backed by nation-states, such as China and Russia, are watching our response to this incident closely,” Green and Garbarino wrote.

The outages, which disrupted agencies at the federal and state level, are also raising questions about how much businesses and government officials alike have come to rely on Microsoft products for their daily operations.

“These incidents reveal how concentration can create fragile systems,” Federal Trade Commission Chair Lina Khan (D), whose agency is examining consolidation among cloud computing services, said in a Friday post on X.

Microsoft spokeswoman Kate Frischmann said in a written statement to The Post that the impact of the outages “was defined by the reach of CrowdStrike; not the reach of Microsoft.”

Many security companies have a privileged position within the structure of Windows, giving them the power to block attacks more effectively and quickly. But that also means that mistakes by one of those companies can have an immediate and profound impact on Windows users. Apple no longer allows other software providers such deep access. Microsoft spokesman Frank Shaw said Microsoft must offer security companies the same powers as it does its own security products because of a 2009 agreement with European antitrust officials.

Joseph Menn contributed to this report.