Cybersecurity company CrowdStrike faced its biggest grilling yet over its role in July’s mass global IT outage in Congress on Tuesday.
Adam Meyers, a senior executive at the company, appeared before a US congressional committee to answer questions about its faulty software update that disabled millions of PCs on 19 July.
The incident knocked payment services offline, grounded flights and forced some hospitals to cancel appointments and delay operations.
Mr Meyers said the firm was “deeply sorry” for the outage that affected millions of people and is “determined to prevent it from happening again”.
CrowdStrike described the outage as the result of a “perfect storm”.
Lawmakers on the House of Representatives cybersecurity subcommittee pressed Mr Meyers on how it occurred in the first place.
“A global IT outage that impacts every sector of the economy is a catastrophe that we would expect to see in a movie,” said Mark Green, chairman of the House Homeland Security Committee, in his opening remarks.
The Tennessee representative likened the widespread impact of CrowdStrike’s faulty content update to an attack “we would expect to be carefully executed by a malicious and sophisticated nation-state actor”.
Instead “the largest IT outage in history was due to a mistake”, he said.
Mr Meyers said the company would continue to act on and share “lessons learned” from the incident to make sure it would not happen again.
Among the questions directed at Mr Meyers during the 90-minute hearing were technical queries about whether the company’s software should have access to core parts of device operating systems.
But there were also more general questions about artificial intelligence (AI) and its potential impact on cybersecurity.
Congressman Carlos Gimenez asked about the threat of AI writing malicious code.
Mr Meyers said he thought the tech was “not there yet” but added that every day it “gets better”.
In response to one representative’s line of questioning, Mr Meyers reiterated that AI – which the company leverages to detect threats to systems – was not responsible for pushing the erroneous update that crashed computers around the world.
He said CrowdStrike releases between 10 and 12 configuration updates each day.
Lawmakers on the committee raised concerns about the impact of large-scale cyber events on national security, adding they could also be exploited by bad actors looking to capitalise on confusion or panic.
But all in all, Mr Meyers did not face quite the level of scrutiny that other high-level technology executives have when called to testify in Congress over apparent failings.
Congressman Eric Swalwell said the committee had not gathered to “malign” the firm, while Mr Green said Mr Meyers showed an “impressive” degree of humility.
Instead there was an emphasis on working together with the committee and government to prevent the possibility of any such further incidents in future.
The company still faces a number of lawsuits from people and businesses that were caught up in July’s mass outage.
Some of the people affected told BBC News it “totally ruined” their holidays, or caused them to lose out on business.
The firm has been sued by its own shareholders, as well as by Delta Airlines passengers left stranded by thousands of flight cancellations.
Delta said it lost $500m (£374m) due to CrowdStrike’s “negligence”.
