Microsoft Grilled for Letting China and Russia Crack US Government Systems
-
The Record ☛ Microsoft president tells lawmakers 'red lines' needed for nation-state attacks
The Cyber Safety Review Board (CSRB) behind the report concluded the intrusion “should never have happened,” and throughout their review they “identified a series of Microsoft operational and strategic decisions that collectively point to a corporate culture that deprioritized both enterprise security investments and rigorous risk management.”
-
Cyble Inc ☛ Microsoft Security Failures Get Rough Treatment On Capitol Hill
Microsoft security controls came under scrutiny in April with the release of a U.S. Cyber Safety Review Board (CSRB) report that detailed “a cascade of security failures at Microsoft” that allowed threat actors linked to China to access “the official email accounts of many of the most senior U.S. government officials managing our country’s relationship with the People’s Republic of China” in a July 2023 attack.
Rather than make good on pledges to make cybersecurity a top priority, Microsoft followed with the cybersecurity equivalent of an own goal when it pushed ahead with the new Windows Recall screen recording feature despite the concerns of security and privacy advocates that the company belatedly tried to address.
-
New York Times ☛ Lawmakers Question Brad Smith About Microsoft’s China Business
The hearing was a response to a scathing March report by the Department of Homeland Security’s Cyber Safety Review Board. The report detailed how “a cascade of security failures at Microsoft” allowed a hacking team called Storm-0558, which the report said was an espionage group affiliated with the Chinese government, to infiltrate Microsoft’s email systems in May and June last year.
The report criticized Microsoft for having “a corporate culture that deprioritized both enterprise security investments and rigorous risk management” and said the company’s cybersecurity practices were critical to national security because “Microsoft’s products and services are ubiquitous.”
-
Silicon Angle ☛ Microsoft's Brad Smith acknowledges past security failures, outlines new initiatives
During his testimony, Smith addressed significant breaches, including the SolarWinds hack and the compromise of Microsoft Exchange by hackers in 2023. He said the incidents had resulted from multiple failures within Microsoft’s security protocols.
-
The Register UK ☛ Congress hammers Microsoft president on security after hacks
A US House committee hearing was held in response to the Homeland Security Cyber Safety Review Board's (CSRB) report which found that a "cascade of Microsoft's avoidable errors" allowed Beijing's Storm-0558 spy crew to steal tens of thousands of sensitive emails from the cloud-based Microsoft Exchange Online inboxes of the US Secretary of Commerce and high-ranking officials at the Department of State, among others.
-
Pro Publica ☛ Microsoft President Grilled by Congress Over Cybersecurity Failures
She said the hearing was a “reckoning moment” for the company, which has repeatedly downplayed its role in SolarWinds. One of the flaws the Russians exploited involved a Microsoft application, which was supposed to ensure users had permission to log on to cloud-based programs. The weakness allowed intruders to masquerade as legitimate employees and rummage through sensitive data in the cloud, including emails.
Rep. Seth Magaziner, D-R.I., asked Smith about his prior congressional testimony, in which he said that Microsoft had first learned about this weakness in November 2017, when an outside cybersecurity firm published a report on it. ProPublica’s investigation, Magaziner noted, found that Harris had raised it even earlier, only to be ignored. The lawmaker asked Smith if his prior testimony was incorrect.
-
RTL ☛ 'Cascade of avoidable errors': Microsoft faces heat from US Congress over cybersecurity
"Microsoft has an enormous footprint in both government and critical infrastructure networks," US congressman and committee member Bennie Thompson said to Smith as the hearing opened.
"It is our shared interest that the security issues raised by the (report) be addressed quickly."
The operation, which was first discovered by the US State Department in June 2023, included hacks on the official and personal mailboxes of Commerce Secretary Gina Raimondo and US Ambassador to China Nicholas Burns.
-
Federal News Network ☛ Four key highlights from the Microsoft cybersecurity hearing
Despite the scathing Cyber Safety Review Board report on his company’s cybersecurity practices, Microsoft President Brad Smith didn’t experience much venom when he testified before the House Homeland Security Committee today.
In fact, many lawmakers praised Smith for taking responsibility for the shortcomings identified in the report. Smith also described internal changes Microsoft is making under its “Secure Future” initiative, including efforts to implement many of the safety review board’s recommendations.
-
The Hill ☛ Microsoft seeks to ease government scrutiny in House hot seat
As the sole witness at a House Homeland Security Committee hearing, Smith faced pointed questions from both sides of the aisle about a hack that compromised emails of organizations and people, including U.S. government representatives working on national security matters.
Smith, in his opening statement and in response to the House panel, doubled down on Microsoft’s acceptance of its flaws and its commitment to improve.
-
Scoop News Group ☛ Lawmakers question Microsoft president over China ties, repeated breaches
Thursday’s hearing comes on the heels of a report by the Cyber Safety Review Board examining how Chinese hackers were able to steal a signing key and use it to steal emails belonging to senior U.S. officials. That report concluded that the breach was the result of “a cascade of security failures at Microsoft” and that the company has fostered a culture that deprioritizes security.