
Microsoft assumes responsibility for security lapses addressed in congressional hearing

Brad Smith, Microsoft's vice chair and president, acknowledges widespread security failures and proposes concrete steps for Microsoft, the wider industry, and the nation to move beyond them.


In the aftermath of a series of high-profile cyberattacks in May 2023, Microsoft has announced that it will take full responsibility for the security failures outlined in a report by the U.S. Cyber Safety Review Board (CSRB). The report concluded that the attacks, which targeted the Microsoft Exchange Online environment and led to the theft of about 60,000 U.S. State Department emails and the compromise of the account of U.S. Commerce Secretary Gina Raimondo, were entirely preventable.

The CSRB's report, released in March, highlighted significant security culture deficiencies at Microsoft and urged substantial reforms. Key recommendations include an overhaul of Microsoft’s security culture, the public sharing of a concrete security reform plan, improved communication transparency and responsiveness, strengthened operational security controls, addressing risks from outsourcing critical support work, and avoiding vendor lock-in and anticompetitive licensing.

Microsoft has invited the Cybersecurity and Infrastructure Security Agency (CISA) for a detailed briefing on the steps it is taking to meet these recommendations and enhance its security posture. The company's board of directors is set to finalize these plans on Friday.

Brad Smith, vice chair and president of Microsoft, will testify before the U.S. House Committee on Homeland Security on Thursday afternoon. In his written testimony, Smith stated that nation-state activity has become more intense and sophisticated, with 345 million attacks attempted against Microsoft customers on a daily basis.

In addition to the attacks linked to China, a separate attack beginning in late 2023 from the Russia-linked Midnight Blizzard threat group led to the compromise of senior executives at Microsoft, resulting in the theft of credentials that could be used to access federal agencies.

Critics have argued that Microsoft should have been held accountable for its lapses in a much more meaningful way, particularly in light of its foothold in key federal agencies. Microsoft closely collaborates on security issues with the U.S. government and key allies, but some have questioned the extent of this collaboration in the face of the recent cyberattacks.

To address these concerns, Microsoft is planning to link senior executive compensation to meeting internal security goals. The company, which operates data centers in 32 countries around the world, has also offered CISA a detailed briefing on its security measures.

Smith emphasized that any day Microsoft falls short on cybersecurity is a bad day for cybersecurity and a terrible moment at Microsoft. He stressed the importance of striving for perfection in protecting cybersecurity and implementing the CSRB's recommendations to prevent future nationwide cyber incidents.


  1. The report by the U.S. Cyber Safety Review Board (CSRB), released in March, highlighted the need for Microsoft to overhaul its security culture and implement substantial reforms, including strengthening operational security controls.
  2. Microsoft invited the Cybersecurity and Infrastructure Security Agency (CISA) for a detailed briefing on the steps it is taking to enhance its security posture, including improving cloud security and operational security controls.
  3. Critics argue that Microsoft should be held accountable for its lapses in a more meaningful way, particularly in light of the recent cyberattacks and its foothold in key federal agencies.
  4. In light of these cyberattacks, Brad Smith, vice chair and president of Microsoft, stressed the importance of prioritizing cybersecurity and striving for perfection, and said the company will link senior executive compensation to meeting internal security goals.
