Cybersecurity company CrowdStrike faced its biggest scrutiny yet in Congress on Tuesday about its role in July’s massive global IT outage.
Adam Myers, a senior executive at the company, appeared before a congressional committee on July 19 to answer questions about a flawed software update that rendered millions of PCs inoperable.
The incident halted payment services, canceled flights, and forced some hospitals to cancel appointments and postpone surgeries.
Myers said the company is “deeply sorry” for the blackout that affected millions of people and vowed to “try to prevent it from happening again.”
CrowdStrike described the outage as the result of a “catastrophe.”
Lawmakers on the House Cybersecurity Subcommittee pressed Myers about how this could have happened in the first place.
“A global IT outage affecting every sector of the economy is the kind of disaster you see in the movies,” House Homeland Security Committee Chairman Mark Green said in his opening remarks.
The Tennessee representative likened the widespread impact of CrowdStrike’s faulty content updates to an attack “that would be expected to be carefully carried out by a sophisticated malicious nation-state actor.”
Instead, “the biggest IT outages in history were caused by mistakes,” he said.
Myers said the company will continue to act on “lessons learned” from the incident and share them to help prevent something like this from happening again.
Among the questions directed at Myers during the 90-minute hearing was a technical one about whether the company’s software should have access to core parts of a device’s operating system.
However, there were also more general questions about artificial intelligence (AI) and its potential impact on cybersecurity.
Congressman Carlos Gimenez asked about the threat of AI writing malicious code.
Myers said he believes the technology is “not there yet,” but that it’s “getting better” every day.
In response to a question from a representative, Myers reiterated that the AI the company uses to detect threats to its systems was not responsible for pushing the erroneous update that crashed computers around the world.
He said CrowdStrike releases 10 to 12 configuration updates every day.
The lawmakers on the committee expressed concern about the impact a large-scale cyber attack could have on national security, adding that it could be exploited by malicious actors seeking to profit from the confusion and panic.
But overall, Myers did not face the same level of scrutiny as other tech executives when called to testify before Congress about apparent failures.
Rep. Eric Swalwell said the committee did not meet to “smear” the company, and Green said Myers had shown “remarkable” humility.
Rather, the focus was on working with the Commission and the Government to prevent the possibility of similar incidents occurring in the future.
The company still faces numerous lawsuits from individuals and businesses caught up in the massive blackout in July.
Some affected people told BBC News that their holidays had been “totally ruined” or that they had lost business opportunities.
The company is being sued not only by its own shareholders, but also by Delta passengers who were left stranded after thousands of flights were canceled.
Delta Airlines said it had suffered losses of $500m (£374m) due to CrowdStrike’s “negligence”.