Microsoft in damage-control mode, says it will prioritize security over AI
Microsoft offers recommendations for regulators
The company has invited the Cybersecurity and Infrastructure Security Agency to attend a “detailed technical briefing” on SFI and Microsoft’s other engineering objectives to explain “the specific ways we are implementing the CSRB’s recommendations,” Smith said.
Smith repeatedly emphasized to Congress that Microsoft alone cannot solve the country’s cybersecurity problems. Although he acknowledged that Microsoft has “by far the first and greatest responsibility” to heed the CSRB’s report, “no single company can protect a country and other nations from what is emerging as a cyberwar waged by four aggressive governments,” Smith said.
While some argue that the US government’s over-reliance on Microsoft is itself a problem, Smith suggested that the US government also bears some responsibility for strengthening cybersecurity protection.
“The cyber domain is becoming more lawless, dangerous, and hostile,” Smith testified.
Smith suggested that the committee members could “do more in support of cyber defense” by funding critical cybersecurity programs, strengthening countermeasures, and “imposing appropriate punishment” and heavy fines to deter malicious activity.
“Cybersecurity protection requires a whole-of-industry and whole-of-society mission across multiple countries,” Smith said. “Each of us can and must learn from each other and work together to protect cybersecurity for our nation and the world.”
Microsoft’s response to whistleblower report
Harris, who left Microsoft over what he saw as its lack of a security culture and now works for rival cybersecurity company CrowdStrike, told ProPublica that Microsoft’s customers, including the US government, “were never given the chance” to defend against the known vulnerability he had flagged.
“The decisions are not based on what’s best for Microsoft’s customers but on what’s best for Microsoft,” Harris told ProPublica.
Microsoft did not dispute ProPublica’s report. Instead, the company provided a statement that almost seems to contradict Smith’s testimony to Congress today by claiming that “protecting customers is always our highest priority.”
“Our security response team takes all security issues seriously and gives every case due diligence with a thorough manual assessment, as well as cross-confirming with engineering and security partners,” Microsoft’s spokesperson said, claiming that Microsoft’s response when Harris flagged a major security risk “received multiple reviews and was aligned with the industry consensus.”
The spokesperson further explained that Microsoft historically has prioritized its “security response work by considering potential customer disruption, exploitability, and available mitigations.”
“We continue to listen to the security research community and evolve our approach to ensure we are meeting customer expectations and protecting them from emerging threats,” Microsoft’s spokesperson said.
On Thursday, Smith apologized to Congress for Microsoft’s security failures, saying that “a willingness to acknowledge our shortcomings and address problems head-on inspires us to learn from our mistakes and to apply the lessons we learn so we constantly can get better.”
“We accept responsibility for the past and are applying what we’ve learned to help build a more secure future,” Smith said, vowing that Microsoft would soon “establish stronger multi-layered defenses to counter the most sophisticated and well-resourced nation-state actors.”
Microsoft will likely remain under the microscope while lawmakers weigh whether the cloud service provider can be trusted with safeguarding national security.
According to Reuters, US Representative Bennie Thompson (D-Miss.) told Smith that “Microsoft is one of the federal government’s most important technology and security partners, but we cannot afford to allow the importance of that relationship to enable complacency or interfere with our oversight.”