At a Congressional hearing last week, Microsoft president Brad Smith took responsibility on his company's behalf for a cyberattack that took place last year in which China-linked hackers gained access to 60,000 U.S. State Department emails.
The hearing is part of growing scrutiny toward Microsoft regarding its cybersecurity practices following the hack, and another like it this year in which Russian-linked hackers gained access to emails belonging to officials at Microsoft, Hewlett Packard Enterprise, and the U.S. federal government.
As one of the largest software vendors to the U.S. government and domestic industries including banking, the company's cybersecurity practices are vital to national security, Smith acknowledged in
Smith appeared before the committee months after
Among the major contributing factors to the hack were "Microsoft's failure to detect the compromise of its cryptographic crown jewels on its own, relying instead on a customer to reach out to identify anomalies the customer had observed," the report said. Because Microsoft was not able to detect the access the Chinese hackers gained early on, it was not able to mitigate the hackers' subsequent covert actions.
In his testimony Thursday, Smith said, "Microsoft accepts responsibility for each and every one of the issues cited" in the report, "without equivocation or hesitation, and without any sense of defensiveness, but rather with a complete commitment to address every recommendation and use this report as an opportunity and foundation to strengthen our cybersecurity protection across the board."
That 2020 attack on SolarWinds, which also exploited VMware vulnerabilities, became one of the most damaging cyber-espionage campaigns ever carried out against the U.S. government and affected
In
Some observers have downplayed the degree to which Microsoft acted negligently in its handling of Harris's vulnerability reports, including Jeff Williams, co-founder and CTO at cybersecurity firm Contrast Security. Williams said the "overwhelming majority of these reports turn out to be false, unexploitable, or low risk," making it a tall order to differentiate the severe reports from the mundane ones.
"It may be a surprise to some that most large organizations, including your bank, your healthcare companies, and your government all carry huge application vulnerability backlogs," Williams said. "In most companies I talk with, the number is usually hundreds of thousands or millions of vulnerabilities that are waiting to be investigated."
While he said that the huge backlog of potentially meaningless vulnerability reports that Microsoft and its peers have likely accumulated is a problem that cannot be excused, he argued that it stems from a more fundamental issue.
"We reward companies for new features, not security," Williams said. "Our governments have not mandated serious security transparency on companies or created a liability regime for software producers."
Bankers have made similar complaints, including about Microsoft, saying that consolidation in the cloud computing industry has allowed actors like Microsoft to
"If you look back at SolarWinds, the entire process was, of course, not visible to the customers," said Subra Kumaraswamy, Visa's chief information security officer. "But now with some of the secure-by-design requirements and ensuring that we can hold our vendors accountable, there's going to be a lot more appetite to share [security bills of materials], share about their practices, and give the right to test and audit in real time."
Microsoft has responded to these criticisms by reporting cybersecurity vulnerabilities using the Common Weakness Enumeration (CWE), which ensures that individual vulnerabilities the company publicly acknowledges and patches get mapped back to the underlying design flaws that may cause similar vulnerabilities.
"This standard will facilitate more effective community discussions about finding and mitigating these weaknesses in existing software and hardware, while also minimizing them in future updates and releases," the company said in
At the conclusion of its report on the Microsoft cyberattack, one way the Cyber Safety Review Board suggested the government hold cloud vendors accountable is through the Federal Risk and Authorization Management Program (FedRAMP). The program was established by the Office of Management and Budget in 2011 to promote the adoption of secure cloud services across the federal government. The report includes five suggestions for the program to more flexibly tailor security controls to such services.
"Cloud services are a critical component of the cybersecurity ecosystem, especially when they protect the most sensitive government data," the report reads. "However, the board finds that existing compliance requirements for government cybersecurity do not consistently require sound practices around key management or token issuance," which were two major processes Russian hackers exploited in 2023 and that the report found to be common targets in other cyberattacks.