Microsoft under fire from US Congress for cybersecurity

WASHINGTON On June 13, members of the US Congress pressed Microsoft to explain the “cascade” of avoidable errors that allowed a Chinese hacking group to access the emails of senior US officials.

Microsoft’s Brad Smith answered questions for more than three hours from the House Committee on Homeland Security. He assured the committee that cybersecurity was being integrated more deeply into Microsoft’s company culture.

Smith, Microsoft’s president, told the committee that “Microsoft accepts full responsibility for all the issues” cited in the US government’s report on the breach, “without equivocation or hesitance.”

The Cyber Safety Review Board, which is overseen by the US Department of Homeland Security (DHS), conducted a seven-month investigation last year into the incident, attributed to the cyberespionage actor Storm-0558.

Bennie Thompson, a US congressman who sits on the committee, said that Microsoft has “an enormous footprint” in government and critical infrastructure networks.

“It is in our mutual interest to address the security concerns raised by (the report) as quickly as possible,” he said.

The US State Department first detected the operation in June 2023. The hackers broke into the personal and official mailboxes of US Ambassador to China Nicholas Burns and Commerce Secretary Gina Raimondo, among others.

Microsoft’s core business is providing cloud computing services such as Azure and Office 365, which store sensitive data and support business and government operations across major sectors.

The report criticised a Microsoft corporate culture that was “at odds… with the level of confidence customers place in the organization.”

The report said Microsoft made a number of strategic and operational decisions that led to the breach. One example was its failure to detect a compromised laptop belonging to a new employee who joined through a corporate acquisition in 2021.

Microsoft also fell short of the security standards set by other cloud providers such as Google, Amazon and Oracle, the report said.

The review stated that “the Board finds that this intrusion was preventable and should never have occurred” and pointed to “the cascade of Microsoft’s avoidable errors that allowed this intrusion to succeed.”

‘Lasting change’

The board also urged Microsoft to develop and publish a plan, with a timeline, for implementing wide-ranging reforms across its products and practices.

Smith, whose company has nearly 226,000 employees, said the real challenge was to achieve lasting and effective cultural change.

Smith said Microsoft has the equivalent of 34,000 full-time engineers working to address its security flaws in what he called “the biggest cybersecurity engineering project in the history of digital technology.”

Microsoft’s board approved on Wednesday a change that will tie part of senior executives’ annual bonuses to cybersecurity achievements. Security will also become part of the annual review for every employee, Smith said.

Smith also told the committee that Microsoft detects 300 million cyberattacks per day, most of them originating from China, Iran and Russia.

Smith said that “we’re dealing with four formidable enemies in China, Russia, North Korea, and Iran, and they are improving.”

“We should expect that they will work together. They are launching attacks at a phenomenal rate.”

Smith said that while it is inevitable that adversaries will use artificial intelligence to launch increasingly sophisticated cyberattacks, the technology is already being used to improve cyber defenses. AFP