Microsoft president grovels before Congress, takes responsibility for a ‘cascade’ of cybersecurity errors
Congress is currently holding Microsoft’s feet to the metaphorical as it gives the company a thorough toasting for what a government report has called a “cascade” of “avoidable errors”. The net result of Microsoft’s mess up is that Chinese hackers breached the tech giant’s network last year, allowing access to the email accounts of senior US officials including the Secretary of Commerce.
Speaking before Congress at the U.S. House Homeland Security Committee (via CNN), Microsoft President Brad Smith duly grovelled before law makers, conceding every failing highlighted in the US Cyber Safety Review Board’s report.
“Microsoft accepts responsibility for each and every one of the issues cited in the CSRB’s report,” Smith said. “We acknowledge that we can and must do better, and we apologize and express our deepest regrets to those who have been impacted.”
Reportedly, the hack involved agents of China’s Ministry of State Security, who created digital keys allowing them to pose as any existing Microsoft customer. They then impersonated multiple organisations, including the U.S. Departments of State and Commerce, gaining access to Commerce Secretary Gina Raimondo’s emails.
Unsurprisingly, calls for Microsoft contracts to be dropped in favour of alternative vendors are on the up. But Smith argued that operating multiple vendors poses its own risks, because hackers can attack the “seams” where rival systems connect.
Exactly what “taking responsibility” means in this context is unclear. It’s perhaps too much to hope Microsoft will refund its fees or resign from future contracts. That kind of thing would be to truly take responsibility.
Somewhat preposterously, Smith reportedly invoked Microsoft’s farcical roll back of a major feature planned as part of its Copilot+ AI initiative for Windows as an example of the company’s revitalised efforts to improve security.
The Recall recall, as it surely will be, well, recalled, means that a much touted AI feature that was due to be made available to all PC’s with Copilot+ capability (in practice, currently only laptops with Qualcomm’s new Snapdragon X chip, though Intel and AMD-powered laptops will follow later this year) will now be restricted to the more narrow tranche of users that are the members of the Windows Insider program.
“We are adjusting the release model for Recall to leverage the expertise of the Windows Insider community to ensure the experience meets our high standards for quality and security. This decision is rooted in our commitment to providing a trusted, secure and robust experience for all customers and to seek additional feedback prior to making the feature available to all Copilot+ PC users,” Microsoft explained.
That followed outcry from security experts that the Recall feature, which among other actions takes screenshots of basically everything a PC user does every few seconds, would provide a treasure trove for anyone who had gained access to a PC for nefarious means.
Microsoft has already had to make changes to how Recall data is stored in response to criticism. One major change is that all Recall screenshots will now be encrypted, but it perhaps says a great deal about the company’s attitude to security ad privacy that it thought a feature that sits in the background screenshotting everything and storing the raw images without a protection as obvious as encryption was a good idea.
Microsoft says it still intends to roll out Recall to all Copilot+ PC users “soon”, but has not put a date on that rather ominous eventuality.
