2024-06-14

Microsoft Vice Chair and President Brad Smith testified before the House Homeland Security Committee in Washington DC yesterday afternoon; see the Microsoft website. He, and others at the tech firm, point to ‘more prolific, well-resourced, and sophisticated cyberattacks by four countries – Russia, China, Iran, and North Korea’.

The Congressional committee was addressing what it termed a ‘cascade of security failures’ by Microsoft, and the implications for the United States’ homeland security.

Background

As featured in the May edition of Professional Security magazine, the US federal Department of Homeland Security (DHS) released the Cyber Safety Review Board’s (CSRB) findings and recommendations after its review of the ‘summer 2023 Microsoft Exchange Online intrusion’. The review found that the intrusion by Storm-0558, a hacking group assessed to be affiliated with the People’s Republic of China, was preventable. Reviewers identified Microsoft operational and strategic decisions that collectively pointed to a corporate culture that de-prioritised enterprise security investments and rigorous risk management, at odds with the company’s centrality in the western world’s technology ecosystem. For the report, visit the US federal CISA (Cybersecurity and Infrastructure Security Agency) website.

Brad Smith gave ‘a complete commitment to address every recommendation and use this report as an opportunity and foundation to strengthen our cybersecurity protection’. In November the Silicon Valley firm launched its Secure Future Initiative. Among changes, the firm says it will consider senior leaders’ ‘cybersecurity performance when it makes its annual assessment of the executive’s performance’ for setting pay. The company will make security ‘a mandatory part of the bi-annual reviews for all Microsoft employees’.

Comment

Ryan Kalember, Chief Strategy Officer at the cyber firm Proofpoint, says: “There have been too many consequential cybersecurity incidents that have impacted consumers’ private information, organizations’ IP and sensitive data, and governments’ confidential intelligence that would have been avoidable had Microsoft made different choices and lived up to their public promises. Microsoft has built a significant amount of tech debt by prioritizing speed of feature delivery and connecting legacy and cloud environments together, compounding the security risks of each and undermining the security advantage that the cloud should bring. This is an especially stark contrast with what Apple and Amazon have done habitually and what Google did after Operation Aurora.

“Security and privacy have unfortunately taken a back seat in Microsoft’s product design in their quest for new productivity features and a higher stock price, and their recent backtracking after the Microsoft Recall AI controversy is a particularly instructive example. It took an enormous amount of pressure from the entire cybersecurity industry and privacy experts for Microsoft to see this for what it is – a massive, trivially exploitable security risk – and to do the right thing by ensuring it is disabled by default.

“With the dominant market share of both Microsoft 365, we all live in houses built by Microsoft. By prioritizing product interconnectedness over building products that are secure by design, they continually compound the security risks they create themselves, rather than compartmentalizing them. And these risks are the same for everyone – from free development tenants to individual consumers to the US Department of Defense.”