Members of the US Congress on Thursday pressed Microsoft to explain a “cascade of avoidable errors” that allowed a Chinese hacking group to breach the emails of senior US officials.
Microsoft Chairman Brad Smith spent more than three hours answering questions from members of the House Homeland Security Committee in Washington, assuring them that cybersecurity has become more deeply embedded in the tech company’s culture.
“Microsoft accepts responsibility for every one of the issues listed” in a scathing US government report on the breach “without question or hesitation,” Smith told the committee.
The Cyber Safety Review Board (CSRB), led by the US Department of Homeland Security, conducted a seven-month investigation into the incident last year involving China-linked cyber espionage actor Storm-0558.
“Microsoft has a huge footprint in both government and critical infrastructure networks,” US Rep. and committee member Bennie Thompson told Smith at the start of the hearing.
“It is in our common interest that the security issues raised by (the report) are quickly addressed.”
The operation, first discovered by the US State Department in June 2023, involved breaches of the official and personal mailboxes of Commerce Secretary Gina Raimondo and US Ambassador to China Nicholas Burns.
Microsoft’s core business is to provide cloud computing services, such as Azure or Office 365, that host sensitive data and power business and government functions in large sectors of the economy.
The report criticized Microsoft’s corporate culture, which it found “at odds with the level of trust customers have placed in the company”.
The review found a series of operational and strategic decisions by Microsoft that opened the door to the breach, including failing to locate a new employee’s compromised laptop after a corporate acquisition in 2021.
It also found that Microsoft falls short of the security standards seen at rival cloud companies, including Google, Amazon and Oracle.
“The Board finds that this intrusion was preventable and should never have occurred,” the review said, noting “the cascade of preventable errors by Microsoft that allowed this intrusion to succeed.”
“Permanent Change”
The report also recommended that Microsoft develop and make public a plan with timelines for implementing extensive security reforms to its products and practices.
“The real challenge is how do you achieve effective lasting cultural change,” Smith said, noting that Microsoft has nearly 226,000 employees.
Smith said Microsoft has the equivalent of 34,000 engineers working full-time to address security flaws in “the largest engineering project focused on cybersecurity in the history of digital technology.”
Microsoft’s board on Wednesday approved a change that would tie cybersecurity achievements to annual bonuses for senior executives and include it in each employee’s annual evaluation, according to Smith.
Microsoft detects about 300 million cyberattacks on its customers every day, with most of them coming from China, Iran, Korea, Russia or ransomware operations, Smith told the committee.
“We’re dealing with four formidable enemies in China, Russia, North Korea and Iran, and they’re getting better,” Smith said.
“We’ll have to expect them to work together; they’re attacking at a great pace.”
While it’s inevitable that adversaries will use artificial intelligence for increasingly sophisticated attacks, the technology is already being used to bolster cyber defenses, Smith added.
Source: AFP