Microsoft under fire for recent cybersecurity lapses

At a Congressional hearing last week, Microsoft president Brad Smith took responsibility on his company’s behalf for a cyberattack that took place last year in which China-linked hackers gained access to 60,000 U.S. State Department emails.

The hearing is part of growing scrutiny toward Microsoft regarding its cybersecurity practices following the hack, and another like it this year in which Russian-linked hackers gained access to emails belonging to officials at Microsoft, Hewlett Packard Enterprise, and the U.S. federal government.

As one of the largest software vendors to the U.S. government and domestic industries including banking, the company’s cybersecurity practices are vital to national security, Smith acknowledged in his testimony before the U.S. House Committee on Homeland Security.

Smith appeared before the committee months after a report from the Cyber Safety Review Board, a government committee composed of cybersecurity leaders from the federal government and private sector that reviews cybersecurity events that substantially impact national security, excoriated the company for a “cascade” of “avoidable errors” that allowed the State Department email hacks to occur.

Among the major contributing factors to the hack were “Microsoft’s failure to detect the compromise of its cryptographic crown jewels on its own, relying instead on a customer to reach out to identify anomalies the customer had observed,” the report said. Because Microsoft was not able to detect the access the Chinese hackers gained early on, they were not able to mitigate their subsequent covert actions.

In his testimony Thursday, Smith said, “Microsoft accepts responsibility for each and every one of the issues cited” in the report, “without equivocation or hesitation, and without any sense of defensiveness, but rather with a complete commitment to address every recommendation and use this report as an opportunity and foundation to strengthen our cybersecurity protection across the board.”

Another report discussed during the hearing came from investigative journalism outlet ProPublica, based on testimony from former Microsoft employee turned whistleblower Andrew Harris. The report found that in 2016, while working as an engineer at Microsoft, Harris discovered a vulnerability in a Microsoft product that he went on to report through various internal channels. At each turn, he was met by dismissals, and in 2020, Russian hackers ended up exploiting the very flaw Harris had found as part of their cyberattack against SolarWinds.

That 2020 attack on SolarWinds, which also exploited VMware vulnerabilities, became one of the most damaging cyber-espionage campaigns ever carried out against the U.S. government and affected up to 100 companies.

In response to the ProPublica report, Microsoft said it “gives every case due diligence with a thorough manual assessment, as well as cross-confirming with engineering and security partners,” and in the case of the vulnerabilities Harris uncovered, “our assessment of this issue received multiple reviews and was aligned with the industry consensus.”

Some observers have downplayed the degree to which Microsoft acted negligently in its handling of Harris’s vulnerability reports, including Jeff Williams, co-founder and CTO at cybersecurity firm Contrast Security. Williams said the “overwhelming majority of these reports turn out to be false, unexploitable, or low risk,” making it a tall order to differentiate the severe reports from the mundane ones.

“It may be a surprise to some that most large organizations, including your bank, your healthcare companies, and your government all carry huge application vulnerability backlogs,” Williams said. “In most companies I talk with, the number is usually hundreds of thousands or millions of vulnerabilities that are waiting to be investigated.”

While he said that the huge pile of potentially meaningless vulnerabilities that Microsoft and its peers have likely accumulated is a problem that cannot be excused, they stem from a more fundamental issue.

“We reward companies for new features, not security,” Williams said. “Our governments have not mandated serious security transparency on companies or created a liability regime for software producers.”

Bankers have made similar complaints, including about Microsoft, saying that consolidation in the cloud computing industry has allowed actors like Microsoft to ignore requests about security by large customers and even the government to secure its products and processes. But, the market forces on cloud providers are changing.

“If you look back at SolarWinds, the entire process was, of course, not visible to the customers,” said Subra Kumaraswamy, Visa’s chief information security officer. “But now with some of the secure-by-design requirements and ensuring that we can hold our vendors accountable, there’s going to be a lot more appetite to share [security bills of materials], share about their practices, and give the right to test and audit in real time.”

At the conclusion of its report on the Microsoft cyberattack, one way the Cyber Safety Review Board suggested the government hold cloud vendors accountable is through the Federal Risk Authorization Management Program. The program was established by the Office of Management and Budget in 2011 to promote the adoption of secure cloud services across the federal government. The report includes five suggestions for the program to more flexibly tailor security controls to such services.

“Cloud services are a critical component of the cybersecurity ecosystem, especially when they protect the most sensitive government data,” the report reads. “However, the board finds that existing compliance requirements for government cybersecurity do not consistently require sound practices around key management or token issuance,” which were two major processes Russian hackers exploited in 2023 and that the report found to be common targets in other cyberattacks.