“We Cannot Allow a Mistake of This Magnitude to Happen Again”: Chairmen Green, Garbarino Open Subcommittee Hearing with CrowdStrike VP

WASHINGTON, D.C. - Today, House Committee on Homeland Security Chairman Mark E. Green, MD (R-TN) and Subcommittee on Cybersecurity and Infrastructure Protection Chairman Andrew Garbarino (R-NY) delivered the following opening statements in a hearing to examine CrowdStrike's defective software update that caused a global information technology (IT) outage on July 19. Read the opening statements below and watch the hearing live here.

Watch Chairman Green's opening statement.

Chairman Green's opening statement as prepared for delivery:

Thank you, Chairman Garbarino, for your leadership on advancing our nation's cybersecurity, and for holding this very important hearing.

On July 19th, Americans woke up to shock. Their flight home? Grounded. Their scheduled medical procedure? Canceled. Their call to 911? It wouldn't go through. The list goes on.

Everywhere Americans turned, basic societal functions were unavailable. As Americans looked across our borders they saw other countries-including our allies Australia and the UK-were affected too.

A global IT outage that impacts every sector of the economy is a catastrophe that we would expect to see in a movie. It is something that we would expect to be carefully executed by a malicious and sophisticated nation-state actor.

To add insult to injury, the largest IT outage in history was due to a mistake. In this case, CrowdStrike's Content Validator used for its Falcon Sensor did not catch a bug in a channel file. It also appears that the update may not have been appropriately tested before being pushed out to the most sensitive part of a computer's operating system. This caused about 8.5 million devices to crash.

Mistakes can happen. However, we cannot allow a mistake of this magnitude to happen again.

As the July 19th outage has demonstrated yet again, our networks are increasingly interconnected. While we know that nation-state actors and criminals try to exploit our networks, we would not expect companies to defend themselves from these targeted attacks.However, as I emphasized with the President of Microsoft in June, we do expect companies to implement the strongest cybersecurity practices possible. Our nation's security depends on a strong public-private partnership for protecting our networks.

Ensuring our partnership is strong is important because our adversaries always watch how we respond to major incidents like the July 19th outage. You can bet that they're watching us right now.

The good news is that since this was not due to a cyberattack, we can learn from this incident.

Today's hearing is both timely and overdue. Timely because we now have two months of information to understand exactly what happened. I'm hopeful this will make for a very productive hearing.

It is overdue because we had hoped to give Americans the answers they deserve much sooner, given the extent of the outage. Although I had hoped to hear from CrowdStrike's CEO directly, I am grateful for Mr. Meyers's presence. I'm confident he will deliver the answers we need.

Thank you, Mr. Meyers, for taking the time to walk us through the course of events leading up to July 19th, and the steps CrowdStrike has taken since.

In August, CISA Director Jen Easterly described this incident as, quote, "a useful exercise - a dress rehearsal for what China may want to do to us." We look forward to working with you to make sure we never make it to opening night.

Watch Chairman Garbarino's opening statement.

Subcommittee Chairman Garbarino's opening statement as prepared for delivery:

Just over two months ago, many essential functions came to a grinding halt. Hospitals saw disruptions in their medical systems, thousands of flights were grounded or canceled worldwide, banks experienced downtime in transaction processing, and U.S. Federal government agencies were temporarily unable to access certain data.

Shortly after detection, we learned that this global IT outage-regarded as the largest in history-was not due to a malicious cyberattack but instead a faulty software update pushed out by CrowdStrike.

According to a company statement, a sensor configuration update triggered a logic error, leading to system crashes, an inability to properly reboot, and ultimately the "blue screen of death" appearing on impacted systems worldwide.

CrowdStrike's software updates are essential for addressing vulnerabilities, enhancing threat detection, and ensuring that the cybersecurity infrastructure of its customers remains robust as the cyber threat landscape rapidly evolves. Most importantly, given CrowdStrike's value as a resource across the greater cyber ecosystem, these updates are meant to build customer confidence and trust.

We are here today to get answers for our constituents: what went wrong, what was required in response, and what we have learned for the future of our nation's cybersecurity posture.

The sheer scale of this error was alarming. If a routine update could cause this level of disruption, just imagine what a skilled and determined nation-state actor could do.

We cannot lose sight of how this incident factors into the broader threat environment. Without question, our adversaries have assessed our response, recovery, and true level of resilience.

However, our enemies are not just nation-states with advanced cyber capabilities. They include a range of malicious cyber actors who often thrive in the uncertainty and confusion that arise during large-scale IT outages. For example, CISA issued a public statement noting that it had "observed threat actors taking advantage of this incident for phishing and other malicious activity." So, it is clear that this outage created an advantageous environment ripe for exploitation by malicious cyber actors.

We are joined today by Mr. Adam Meyers, who serves as the Senior Vice President of Counter Adversary Operations at CrowdStrike.

Mr. Meyers, I look forward to hearing your testimony about how a faulty software update was pushed out globally, what CrowdStrike has learned from this event to prevent future outages, and how CrowdStrike is working to rebuild trust.

I would also like to discuss the impact this global outage has had on our nation's various critical infrastructure sectors, what support CrowdStrike has provided to those who were disrupted, and how the company has addressed certain malicious cyber actors who have attempted to take advantage of the global outage.

Mr. Meyers, thank you for being here with us today. I look forward to a productive discussion.

###

Public link

Please use the above public link if you want to share this noodl on another website.