CyberSecurity SEE

Congress questions Microsoft president about security issues

Microsoft President Brad Smith addressed Microsoft’s recent security shortcomings during a House Committee on Homeland Security hearing Thursday. The hearing, titled “A Cascade of Security Failures: Assessing Microsoft Corporation’s Cybersecurity Shortfalls and the Implications for Homeland Security,” delved into the findings of the April Cyber Safety Review Board (CSRB) report. This report highlighted a chain of errors that allowed a Chinese nation-state threat actor known as Storm-0558 to breach email accounts at 22 organizations in the previous year, including some federal agencies.

The threat actor carried out the breach through Outlook Web Access in Exchange Online and Outlook.com, forging authentication tokens with a stolen Microsoft account (MSA) signing key. Notably, a Federal Civilian Executive Branch agency detected suspicious activity in its Microsoft 365 environment a month before the breach was disclosed, thanks to enhanced cloud logging features that were available only at the government Microsoft 365 license level. This incident prompted Microsoft to make those logging features available across all subscription levels, a measure implemented in September of the previous year.

While the Storm-0558 attack was at the forefront of the hearing, other significant topics were also discussed during the three-hour session. Smith fielded questions from members of Congress on various issues, including the breach involving the Russian nation-state actor Midnight Blizzard, the controversial AI-powered Recall feature, and Microsoft’s Secure Future Initiative aimed at enhancing security throughout the company.

In his written testimony, Smith unreservedly accepted responsibility for the security lapses highlighted in the CSRB report and emphasized Microsoft’s commitment to addressing all the board’s recommendations. He expressed regret for the security missteps that resulted in the breaches and conceded that both the Midnight Blizzard and Storm-0558 attacks could have been prevented with better security measures in place. Smith outlined the company’s shift towards prioritizing cybersecurity, with substantial investments, resource reallocations, and a strengthened cybersecurity culture.

During the hearing, Smith was questioned about a recent ProPublica article where a former employee alleged that Microsoft had disregarded warnings about a critical flaw, which Russian state-sponsored hackers later exploited during the SolarWinds attacks. The flaw, named “Golden SAML,” reportedly allowed the compromise of critical organizations, including the National Nuclear Security Administration. While Smith refrained from commenting on the article during the hearing, the issue raised concerns about the management of critical vulnerabilities within Microsoft.

Rep. Clay Higgins raised specific questions about the mishandling of the MSA key in the Storm-0558 attack, highlighting discrepancies in Microsoft’s initial blog post and subsequent updates regarding the incident. Smith acknowledged the oversight and attributed it to evolving information and hypotheses surrounding the intrusion, leading to multiple revisions of the blog post. Despite this explanation, some members of Congress expressed skepticism about the transparency and accountability in Microsoft’s response to the breaches.

The discussion also touched on Recall, a controversial tool embedded in Microsoft’s AI-powered Copilot+ PCs for Windows, which triggered data privacy and security concerns due to its intrusive features. Smith defended the development process of Recall, stating that secure design practices were considered, though questions regarding its privacy implications persisted. The decision to delay Recall’s release, coinciding with Smith’s testimony, prompted speculation about how the scrutiny and security concerns raised at the hearing were affecting Microsoft’s product development decisions.

The ongoing efforts by Microsoft to enhance cybersecurity and address past security failings underscore the company’s commitment to safeguarding its products and services. As the technology landscape evolves, Microsoft faces the challenge of balancing innovation with robust security measures to mitigate cyber threats effectively. The revelations and discussions at the Homeland Security hearing serve as a pivotal moment for Microsoft to reassess its security practices and regain trust among its customers and stakeholders in an increasingly complex cybersecurity landscape.