Microsoft 'Accepts' Every Cyber Failing Cited in DHS Report
Microsoft accepts “every finding” in the Department of Homeland Security’s report about a 2023 Chinese cyberattack against the company, President Brad Smith told the House Homeland Security Committee on Thursday.
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
Chairman Mark Green, R-Tenn., and ranking member Bennie Thompson, D-Miss., repeatedly mentioned Microsoft’s heightened level of responsibility since the company provides about 85% of the federal government’s productivity software. Citing DHS’ Cyber Safety Review Board (CSRB) report from April, Green gave a detailed timeline of several Microsoft security lapses that, he said, enabled Chinese and Russian hackers to exploit its products during multiple incidents, including the 2020 SolarWinds breach (see 2104060058).
“We accept responsibility for each and every finding in the CSRB report,” said Smith. He and CEO Satya Nadella agreed after the 2023 attack that the company wasn’t going to react with “defensiveness,” he said.
Microsoft’s Secure Future Initiative, announced in November, crafted plans to follow the CSRB’s 16 Microsoft-related recommendations, Smith said. There are 34,000 engineers working on the initiative, making it the largest cyber engineering project in the “history of digital technology,” Smith said. Microsoft announced this month the pay structure for the 16 most senior executives will be tied to cyber performance, with one-third of individual bonuses granted based on cybersecurity grades.
Green and Thompson credited Microsoft for cooperating with the CSRB, but Thompson said the board found Microsoft slow and less than fully transparent. For example, the company hasn’t explained publicly how the hackers obtained the sign-in key and has shown a lack of confidence in the root cause of the breach, he said.
Green noted the CSRB findings showed Chinese hackers exploited an inactive, private encryption key from 2016 and gained access to tens of thousands of U.S. government email accounts, including those of officials working on China-related national security issues. The hackers exploited “basic, well-known vulnerabilities,” Green said.
The Cybersecurity and Infrastructure Security Agency said in a 2021 report that hackers in the Russian-led SolarWinds attack exploited Microsoft’s cloud software, including Microsoft 365 and Azure tools. Yet Thompson noted Microsoft in 2021 Senate testimony denied any Microsoft vulnerability was exploited during the SolarWinds attack. A company employee reportedly alerted Microsoft leadership to a vulnerability in its active directory federation services before third-party researchers publicly reported it in 2017, Thompson said. Microsoft “chose not to fix” the vulnerability, and ultimately Russian hackers used it in secondary phases of the SolarWinds attack, he said. Thompson explained Russian hackers again breached the email accounts of high-level employees communicating with government officials in January, less than three months after Microsoft announced its new cyber initiative.
Smith said it’s critical the company acknowledge its shortcomings, accept responsibility and execute this new strategy with transparency while listening to feedback. He noted the initiative established a governance structure that added deputy chief information security officers to every major department at the company. This represents a “fundamental change” to integrate new security measures at every level, he said.
“Everybody in here has some sort of interaction with Microsoft,” Rep. Clay Higgins, R-La., said. “We really don’t have much choice, so it’s critical that this committee gets this right.” Thompson said members will be exploring whether they should grant the CSRB additional investigatory authority to examine cyber incidents.