“Each and every day, the United States depends upon Microsoft cloud services. ... Microsoft is deeply integrated into our nation’s digital infrastructure,” House Committee on Homeland Security Chair Mark Green said during a hearing Thursday.
That hearing focused on a 2023 incident in which Chinese government threat actors compromised Microsoft Online Exchange and breached emails from senior U.S. government officials. The federal Cyber Safety Review Board’s (CSRB) March 20 examination of the incident concluded that the attackers succeeded “because of a cascade of security failures at Microsoft.”
In its report, the Board called out the company for these “avoidable errors” and for failures to detect the compromise, adopt the kinds of security controls seen at peer cloud service providers or correct inaccurate public statements about the incident — thus preventing customers from making informed risk assessments, among other issues. Overall, Microsoft’s company culture failed to take security sufficiently seriously, the report said.
“By any measure, the cyber intrusion was not sophisticated,” Green said. “[The threat actors] exploited basic, well-known vulnerabilities that could have been avoided through basic cyber hygiene.”
Microsoft President and Vice Chair Brad Smith accepted the criticisms:
“We accept responsibility for each and every finding in the CSRB report,” he said during the hearing.
Legislators questioned whether they should still trust Microsoft, and how government and cloud providers can create a more secure landscape overall.
Smith said Microsoft’s “biggest mistake” was expecting its security team alone to handle cybersecurity, rather than making security everyone’s responsibility.
“What I think perhaps happened was, as we hired so many cybersecurity experts, it became possible for people who were not in the cybersecurity teams to think that they can rely on one of those people alone to do a job that we all needed to do together,” Smith said.
Microsoft is now creating a more security-focused culture, Smith said.
One step toward that is a new governance structure that provides a deputy CISO to each company department. Another piece entails incentivizing cybersecurity.
A ProPublica article released Thursday morning details a history of Microsoft downplaying cybersecurity concerns. Reportedly, a Microsoft employee had for years sought unsuccessfully to get the company to mitigate or warn customers about a serious flaw in its cloud logon service. Eventually, Russian hackers exploited it in their attack on SolarWinds.
Smith, who said he had not read the article yet, pushed back slightly, saying the flaw was an industry-wide concern, not just at Microsoft. Regardless, he asserted, the company will now actively encourage all employees to pay attention to and speak up about cyber issues. While the average employee’s compensation won’t be specifically tied to cybersecurity, it will be discussed during their biannual reviews.
Additionally, in the new fiscal year starting July 1, the 16 most senior members of Microsoft will see one-third of their annual cash bonuses tied to cybersecurity performance, Smith said. Rhode Island Rep. Seth Magaziner recommended the company add clauses allowing the portions of those bonuses tied to cybersecurity to be clawed back, given that security issues may be only discovered years after the fact.
Microsoft has also said it will bake security into its products and ship offerings with security settings enabled by default — goals that the Cybersecurity and Infrastructure Security Agency has urged all software manufacturers to follow.
But some questioned Microsoft’s faithfulness to these goals. The company’s announcement in May of its forthcoming Recall feature, which would repeatedly take and save screenshots of Windows 11 users’ activities without obscuring sensitive information like financial account numbers and passwords, was met with outcry that it was a security and privacy disaster waiting to happen. Smith told legislators the company learned from that feedback and has redesigned the feature.
Legislators also raised concern that it was the State Department — not Microsoft — that discovered the Exchange intrusion. Smith characterized this as normal, and indicative of the kind of collaboration necessary in cyber defense.
“That’s the way it should work,” Smith said. “No one entity in the ecosystem can see everything.”
But Mississippi Rep. Bennie Thompson argued that detecting intrusion into its offerings is Microsoft’s job, not its customers’.
Microsoft’s presence in China also came under scrutiny, with Florida Rep. Carlos Gimenez questioning how it deals with a Chinese law compelling companies to cooperate with that government’s intelligence gathering. Smith said his company’s presence in China is not a U.S. security risk, asserting that China has not been applying the law and that he has pushed back on some Chinese government requests. “I say, ‘No. We will not do certain things,’” Smith said.
The Cyber Safety Review Board said Microsoft left some customers with insufficient information about the Exchange incident, in part by failing to keep its blog post about the incident updated with new findings. Smith accepted that critique but said Microsoft faced challenges alerting impacted individuals — as company personnel reaching out to alert users were often mistaken for scammers by wary consumers.
The U.S. needs better ways of notifying victims, the Board said. It proposed that cloud service providers, federal government and major mobile device platform providers collaborate on creating a cyber equivalent of the Amber Alert.
