Biden briefed on CrowdStrike IT outage as multiple federal systems impacted

Travelers at Madrid-Barajas airport wait as airlines try to recover from a Microsoft outage caused by a faulty update from cybersecurity vendor CrowdStrike. Widespread outages have affected travel, banking and other industries globally, along with operations at some U.S. federal government agencies. Diego Radames/Europa Press via Getty Images

Social Security offices are closed for the day due to the incident. It will be “time-consuming” for all affected systems to undo the damage because the process is manual, one expert says.

President Joe Biden was briefed on an ongoing global Microsoft outage linked to an update pushed by cybersecurity giant CrowdStrike, the White House said Friday.

The incident has led the Social Security Administration offices to close for the day, the agency said in an update. Identity verification services provided by the Login platform are experiencing outages in multiple states, according to an incident report. The Federal Communications Commission also said some 911 services have been disrupted.

The widespread outages — affecting banks, airlines and other essential services worldwide — were caused by a defective update pushed to Windows operating systems by the cybersecurity firm over the past day. CrowdStrike CEO George Kurtz said the incident is not a cyberattack.

“The President has been briefed on the CrowdStrike outage and his team is in touch with CrowdStrike and impacted entities,” a White House official said. “His team is engaged across the interagency to get sector by sector updates throughout the day and is standing by to provide assistance as needed.”

The National Security Council is aware of the situation. At the Aspen Institute think tank’s annual Security Forum, deputy national security advisor for cyber and emerging technology Anne Neuberger said her day began “with a 4 a.m. call from the Situation Room to highlight the issue that occurred with CrowdStrike” and that she has been in touch with company leadership.

The extent of the impact on federal government operations is still not known. CrowdStrike is in wide use across federal agencies, and it is a key vendor on the governmentwide Continuous Diagnostics and Mitigation cybersecurity support services contract. The company has contracts with the Justice Department, State Department and Department of Homeland Security, according to GovTribe, a federal market intelligence platform owned by Nextgov/FCW parent company GovExec.

The issues involve a patch sent to customers that use the company’s flagship Falcon platform, which is sold as a method of stopping cyberattacks by linking onboarded computer systems to a suite of CrowdStrike tools designed to target and quash malicious hacking attempts.

The recovery process will likely take a while to see through, said John Hammond, a head cybersecurity researcher at Huntress Labs and a former Defense Department cyber developer.

“Each sector and industry is affected, and unfortunately recovery will be a time-consuming manual process across an organization’s servers and workstations,” he told Nextgov/FCW in a text message.

“The mitigation and recovery workaround that is suggested is unfortunately a very manual process...it needs to be done at the physical location of the computer, by hand, for every computer impacted. It will be a very long and very slow recovery process,” he said.

A Pentagon spokesperson said that the Defense Department “is aware of the reporting and personnel are monitoring our networks for possible impacts. For operational security reasons, we do not comment on the status of our network operations, information systems or operations to assess cyber threats.”

The Defense Department is heavily reliant on Microsoft products across its enterprise, and has plans to be fully migrated to Microsoft 365 by June 2025.

A spokesperson for Microsoft's federal operations did not immediately respond to a request for comment.

“We are aware of this issue and are working closely with CrowdStrike and across the industry to provide customers technical guidance and support to safely bring their systems back online,” company CEO Satya Nadella said in an X post.

The Cybersecurity and Infrastructure Security Agency at the Department of Homeland Security is “working with CrowdStrike, Microsoft and our federal, state, local and critical infrastructure partners to fully assess and address system outages,” DHS said in a post on the X platform. A spokesperson for the federal chief information officer did not immediately respond to a request for comment.

CISA itself is affected, according to an analyst who spoke on the condition of anonymity because they were not permitted to provide updates on the internal status of agency systems.

“People in other components aren’t able to log in because of this CrowdStrike issue. IT support is swamped helping get people back up and running,” they said.

Also at DHS, Customs and Border Protection reported “processing delays due to the global technology outage” in a post on X (formerly Twitter) late Friday afternoon. The agency said its own trade and travel applications, including the Global Entry mobile app, CBP One, which assists asylum seekers, Simplified Arrival and the Automated Commercial Environment, are operational.

An ongoing mystery surrounding the outage is how deeply embedded CrowdStrike’s systems are within the Windows operating systems affected in the incident. Third party cybersecurity products like those offered by CrowdStrike are often bolted onto the core operating platforms of the devices they service in order to get a comprehensive view of potential cyber threats that seek to sabotage devices.

The company in a blog post flagged a specific file deployed during the update that should be removed in Safe Mode, a procedure that starts a computer’s operating system in a basic format that can help troubleshoot problems on the device.

A security architect who provides services to Delta, an airline impacted by the outage, was shocked by how the incident occurred.

“Usually, they’re better than this. CrowdStrike is a massive company at this point,” said the person, who spoke on the condition of anonymity because they were not authorized to publicly express their views. “Why are they pushing half-baked updates?” 

The incident is a bit of a perfect storm, said Josh Thorngren, a strategist at cybersecurity provider ForAllSecure.

“CrowdStrike keeps millions of computers protected worldwide, but in order to do that, it requires deep system access on those machines,” he said in an email. “That same deep access means that when there’s a bug in CrowdStrike, it can cripple the entire operating system, as we’ve seen today.”

It could take some time before all affected systems are recovered, Kurtz, the company CEO, said in an interview on the Today show. He apologized to anyone impacted by the update.

Hackers may be leveraging the chaos to push out sham updates claiming to be CrowdStrike support, said the SANS Institute, a company that provides cybersecurity training and certificates.

“We do not have any samples at this point, but attackers are likely leveraging the heavy media attention. Please be careful with any ‘patches’ that may be delivered this way,” said Johannes Ullrich, the company’s dean of research.

CrowdStrike is regarded as a top cybersecurity services titan, having become famous for its modern endpoint protection technologies and its cyber threat reports that frequently echo the clandestine findings of the intelligence community but aren’t shrouded in a veil of classified restrictions. It works with hundreds of top companies and nearly all U.S. states, according to its website.

It made headlines for investigating the 2016 Democratic National Committee hack that was likely authorized by Russia, where the intelligence community aligned on the company’s findings.

As of Friday afternoon, many of the issues affecting Microsoft’s 365 services that were linked to a separate, unrelated incident on the tech giant’s Azure offering appear to have been resolved, according to an update thread on X.

A senior administration official said the White House has been convening agencies to assess impacts to the U.S. government’s operations and entities around the country. Biden will continue to receive updates on the matter.

“At this time, our understanding is that flight operations have resumed across the country, although some congestion remains, and 911 centers are able to receive and process calls,” the senior administration official said. “We are assessing impact to local hospitals, surface transportation systems, and law enforcement closely and will provide further updates as we learn more. We stand ready to provide assistance as needed.”

Kurtz said in an X post that the company is “working on a technical update and root cause analysis” that will be shared publicly.

Defense One's Lauren C. Williams contributed to this report. This is an ongoing story and will be updated.