
After apologizing, CrowdStrike impressed lawmakers with its “humility”.

Two months after a botched update caused widespread IT outages across the globe, the cyber security firm that caused it faced both praise and attention from US lawmakers seeking details on exactly how the outage occurred.

CrowdStrike sent Adam Meyers, senior vice president of adversary operations, to testify before the Subcommittee on Cybersecurity and Infrastructure Protection on Wednesday in a 90-minute hearing that earned the company more praise than condemnation from lawmakers.

The hearing follows an incident on July 19 that prevented numerous Windows users from logging on to their computers, including employees at Fifth Third Bank. At TD Bank, online and mobile banking services were discontinued. Synovus Financial had to implement “contingency plans” to minimize disruption to customers. All branches and banking offices of Canandaigua National Bank, a $5 billion institution in Canandaigua, New York, were affected.

Other sectors were hit even harder. Airlines saw a spike in flight delays and cancellations at the start of the glitches just after midnight East Coast time. Delta ended up canceling 7,000 flights and suffering losses of $550 million. NBC News, Sky News and several Australian broadcasters temporarily stopped broadcasting live content.

“The magnitude of this error was alarming,” said Andrew Garbarino, R-N.Y., the subcommittee’s chairman. “If a routine update could cause this level of disruption, imagine what a skilled and determined nation state actor could do. We cannot lose sight of how this incident impacts the broader threat environment.”

Many of the most dramatic outages were resolved within a day; it took 10 days for error rates to return to pre-incident normal, according to CrowdStrike.

During the hearing, several lawmakers, including Laurel M. Lee, R-Fla., focused on one change CrowdStrike made after the debacle: enabling phased releases for security updates rather than pushing updates to all customers at the same time. Combined with improved testing, the move is meant to reduce the risk of widespread outages in the future.

During the hearing, Lee asked Meyers if he agreed that the failure to phase the rollout of rapid response content “ended up being catastrophic.” He said the company is putting “a lot of time and effort” into making sure customers have a choice in when and how they receive such updates.

Lee and others also questioned Meyers about the kernel-level system access of CrowdStrike’s software, echoing concerns from some observers that CrowdStrike’s use of a kernel driver must be weighed against the risk of bringing down the entire computer, rather than only the CrowdStrike application, in the case of an error.

Meyers said he can’t think of a security product that doesn’t have a kernel driver. One reason for this is that endpoint detection and response, or EDR, software, which monitors computers for suspicious behavior and shuts it down once detected, must have access to the entire system to detect threats; otherwise, threat actors would simply target the software’s blind spots.

Lawmakers were not strictly critical of CrowdStrike’s response to the incident. At times, they explicitly praised the company for its response.

One element that received praise was CrowdStrike’s apology. CEO George Kurtz initially made a statement about the incident that did not express regret, which earned him some flak in the mass media. But by the end of the day, he said sorry.

“I want to sincerely apologize directly to all of you for the interruption,” Kurtz said in a statement posted on CrowdStrike’s website on July 19. “All of CrowdStrike understands the gravity and impact of the situation. We quickly identified the issue and implemented a fix, allowing us to focus diligently on restoring customer systems as our highest priority.”

This week, Meyers made his own apology in written testimony before the subcommittee, adding that the company appreciates the “round-the-clock efforts” of customers and partners who “mobilized immediately to restore systems and bring many back online within hours.”

The sentiment impressed Mark Green, R-Tenn., chairman of the House Homeland Security Committee.

“There’s been a degree of humility that’s impressive, and I appreciate the transparency that we’ve seen,” Green said. “I think some of the greatest lessons we learn are in times of adversity, and you guys showed the right attitude. So thank you.”

Green’s colleague Tony Gonzales, R-Texas, a member of the subcommittee, echoed his sentiments, saying he was “grateful” for CrowdStrike’s quick response and the documentation they publicly released to explain the error.

Across the aisle, Democratic lawmakers were not as warm to CrowdStrike. Eric Swalwell, D-Calif., the top Democrat on the subcommittee, said in his opening remarks that the subcommittee “wasn’t here today to denigrate CrowdStrike,” but rather to get to the bottom of the circumstances and failures that led to the interruption.

Beyond Swalwell’s comments, Democratic members thanked Meyers just for appearing before the committee.
