Microsoft CEO urges focus on cybersecurity amid rising hacking concerns — Read full memo here
Nadella’s companywide memo underscored a clear directive: prioritise security above all else, even if it means sacrificing other objectives, The Verge reported on Friday. He emphasised that safeguarding against cyber threats must take precedence over pursuits such as rolling out new features or maintaining outdated systems.
This directive coincided with Microsoft’s announcement of a series of proactive measures aimed at fortifying its defenses against hacking. These initiatives include tying a portion of senior leaders’ compensation to the achievement of cybersecurity goals and integrating cyber experts into product development teams.
Microsoft’s cybersecurity efforts have come under increased scrutiny following its involvement in several high-profile security breaches. A government panel recently characterised the company’s security practices as insufficient and urgently in need of reform. In response, Microsoft unveiled its Secure Future Initiative in November, marking its most significant security strategy since prioritising product safety over new features in 2002 at the directive of co-founder Bill Gates.
Read the full memo here:
“Today, I want to talk about something critical to our company’s future: prioritizing security above all else.
Microsoft runs on trust, and our success depends on earning and maintaining it. We have a unique opportunity and responsibility to build the most secure and trusted platform that the world innovates upon.
The recent findings by the Department of Homeland Security’s Cyber Safety Review Board (CSRB) regarding the Storm-0558 cyberattack, from summer 2023, underscore the severity of the threats facing our company and our customers, as well as our responsibility to defend against these increasingly sophisticated threat actors.
Last November, we launched our Secure Future Initiative (SFI) with this responsibility in mind, bringing together every part of the company to advance cybersecurity protection across both new products and legacy infrastructure. I’m proud of this initiative, and grateful for the work that has gone into implementing it. But we must and will do more.
Going forward, we will commit the entirety of our organization to SFI, as we double down on this initiative with an approach grounded in three core principles:
• Secure by Design: Security comes first when designing any product or service.
• Secure by Default: Security protections are enabled and enforced by default, require no extra effort, and are not optional.
• Secure Operations: Security controls and monitoring will continuously be improved to meet current and future threats.
These principles will govern every facet of our SFI pillars as we: Protect Identities and Secrets, Protect Tenants and Isolate Production Systems, Protect Networks, Protect Engineering Systems, Monitor and Detect Threats, and Accelerate Response and Remediation. We’ve shared specific, company-wide actions each of these pillars will entail – including those recommended in the CSRB’s report which you can learn about here. Across Microsoft, we will mobilize to implement and operationalize these standards, guidelines, and requirements and this will be an added dimension of our hiring and rewards decisions. In addition, we will instill accountability by basing part of the compensation of the senior leadership team on our progress towards meeting our security plans and milestones.
We must approach this challenge with both technical and operational rigor, and with a focus on continuous improvement. Every task we take on – from a line of code, to a customer or partner process – is an opportunity to help bolster our own security and that of our entire ecosystem. This includes learning from our adversaries and the increasing sophistication of their capabilities, as we did with Midnight Blizzard. And learning from the trillions of unique signals we’re constantly monitoring to strengthen our overall posture. It also includes stronger, more structured collaboration across the public and private sector.
Security is a team sport, and accelerating SFI isn’t just job number one for our security teams — it’s everyone’s top priority and our customers’ greatest need.
If you’re faced with the tradeoff between security and another priority, your answer is clear: Do security. In some cases, this will mean prioritizing security above other things we do, such as releasing new features or providing ongoing support for legacy systems. This is key to advancing both our platform quality and capability such that we can protect the digital estates of our customers and build a safer world for all.
Satya.
Microsoft’s recent troubles
Recent years have seen Microsoft grapple with a string of security challenges. In early 2021, Chinese government hackers exploited zero-day vulnerabilities in Microsoft Exchange servers, compromising email accounts and installing malware on servers used by numerous businesses.
Additionally, Chinese hackers breached U.S. government emails last year through a Microsoft Cloud exploit.
More recently, Russian state-sponsored hackers, known as Nobelium or Midnight Blizzard, infiltrated the email accounts of certain Microsoft senior leadership members and even pilfered source code earlier this year, following their involvement in the SolarWinds incident.
