Microsoft’s Brad Smith summoned by Homeland Security Committee over ‘cascade’ of IT security failures • The Register

The U.S. government wants Microsoft vice president and president Brad Smith to become the latest technology figurehead to answer questions from a House committee about recent cybersecurity lapses.

The House Homeland Security Committee has proposed that the hearing be held later this month, on May 22. It will be titled “Cascade of Security Failures: Assessing Microsoft Corporation’s Cybersecurity Deficiencies and Homeland Security Implications.”

Recently, Microsoft has faced a wave of criticism following several significant revelations about its security practices. In particular, the attack on Microsoft Exchange in June 2023 was likely the catalyst for the increased focus on events at the company's headquarters in Redmond.

Senior US officials' email accounts were compromised in an attack pinned to the China-linked Storm-0558, which gained access to approximately 60,000 emails that it clearly should never have been able to read. Incidents as serious as these usually receive some scrutiny.

The PR nightmare that Microsoft was facing at the time was recently reignited following an investigation by the Cyber Safety Review Board (CSRB) into how the attack occurred.

The conclusions were scathing. Among the harsher passages are the CSRB's recommendation for "rapid cultural change" and its assessment that a "cascade of avoidable errors" was responsible for the attack's success.

The CSRB also sharply criticized Microsoft for publishing a blog post in September in which it "explained" how the attackers gained access to Exchange – which was never true – and for leaving that explanation up for months while knowing it was just one of 46 hypotheses under investigation, none of which had produced a specific conclusion.

The House Homeland Security Committee's letter to Smith also referenced the January attack, this time by the Russian crew Midnight Blizzard, also known as Cozy Bear and APT29 – the same group behind a series of major attacks on systems around the world that exploited a vulnerability in the widely used SolarWinds network management software.

Midnight Blizzard hacked email accounts, but this time they belonged to Microsoft executives rather than US officials. The attackers stole messages and files from the company's management, cybersecurity and legal departments. Two months later, Microsoft admitted that source code had also been stolen and that the Russians had gained access to internal systems.

"These cyberattacks not only undermine public confidence in Microsoft's ability to protect its operating systems, cloud platforms and productivity software, but also raise serious questions about its apparent lack of accountability and oversight," reads the letter to Smith, obtained by CNBC.

“It is imperative that Microsoft, which has nearly 85 percent of the U.S. government office software market share, be held to the same level of accountability as other trusted U.S. government vendors.”

In a blog post last week, Charlie Bell, executive director of Microsoft Security, confirmed both incidents, stating that “we must do more and we will do more.”

He then revealed that major changes to Microsoft's culture are coming, following the advice in the CSRB report. Bell said Microsoft now places security above all else, including every other feature, and is focused on six key pillars:

  • Protect identities and secrets

  • Protect tenants and isolate production systems

  • Protect your networks

  • Protect engineering systems

  • Monitor and detect threats

  • Accelerate response and recovery

The six pillars form the new framework of the Secure Future Initiative (SFI), which was launched in November 2023 amid mounting pressure to take action following the June Exchange breach.

At launch, SFI's main focus was on artificial intelligence and how it would help the company "find the right needle in a sea of needles" – a different take on the classic needle-in-a-haystack metaphor.

Software engineering practices are also to be reviewed. Adopting secure-by-design and secure-by-default principles will likewise be fundamental to Microsoft's future approach to information security, he added.

Security expert and former Microsoft security analyst Kevin Beaumont, who was openly critical of certain aspects of his former employer's security while still working there, called the company's response to the CSRB "the company's last-ditch security moment."

In a blog analyzing Microsoft's communications about the proposed changes, Beaumont said that, although he expected "more egregious violations" and although these plans would take years to fully implement, Microsoft had taken the right approach.

“Microsoft is well on its way to regaining my trust as a customer,” he said. “They talk about real internal problems at Microsoft – in the style of a corporate blog cosplay, of course – and really go directly to long-standing and festering problems that need to be addressed.”

Although the House Homeland Security Committee has proposed May 22 as the date for Smith’s hearing, nothing has been put on the calendar yet. Smith and Microsoft are reportedly considering their response, but have not provided any specific dates at this stage.

We pressed Microsoft for a response on this matter, but it did not immediately respond, although it did acknowledge the request. ®