Microsoft is evolving its corporate culture to make security a top priority, President Brad Smith told Congress on Thursday, promising that security will be “even more important than the company’s work on artificial intelligence.”
Satya Nadella, Microsoft’s CEO, “has taken personal responsibility for serving as the senior executive responsible for Microsoft’s security,” Smith told Congress.
His testimony comes after Microsoft admitted it could have taken steps to prevent two aggressive nation-state cyberattacks from China and Russia.
According to Microsoft whistleblower Andrew Harris, Microsoft spent years ignoring a vulnerability while pushing out fixes to the “security nightmare.” Instead, Microsoft feared losing its government contract by warning of the bug and allegedly downplayed the problem, choosing profits over security, ProPublica reported.
This apparent negligence led to one of the largest cyberattacks in U.S. history, and officials’ sensitive data was compromised due to Microsoft’s security breaches. China-linked hackers stole 60,000 emails from the US State Department, Reuters reported. And several federal agencies were hit, giving attackers access to sensitive government information, including data from the National Nuclear Security Administration and the National Institutes of Health, ProPublica reported. Even Microsoft itself was hacked, with a Russian group this year accessing the emails of senior officials, including their “correspondence with government officials,” Reuters reported.
“We recognize that we can and must do better,” Smith told Congress today, according to his prepared written testimony. “As a company, we must strive for perfection in protecting this country’s cybersecurity. Every day we fail is a bad day for cybersecurity and a terrible time for Microsoft.”
To reinforce the company culture shift toward “empowering and rewarding every employee to spot security issues, report them” and “help resolve them,” Smith said Nadella sent an email to all staff to emphasize that security must always remain a priority.
“If you are faced with a tradeoff between security and another priority, your answer is clear: do security,” Nadella’s email said. “In some cases, this will mean prioritizing security ahead of other things we do, like releasing new features or providing ongoing support for existing systems.” To ensure everyone’s participation, Microsoft has also started linking the salaries of managers to the achievement of security objectives.
Microsoft will adopt all government recommendations
Smith was the only witness to testify at a House Committee on Homeland Security hearing, titled “A Cascade of Security Failures: Assessing Microsoft Corporation’s Cybersecurity Deficiencies and Their Implications for Homeland Security.”
He told Congress that Microsoft was acting on 16 recommendations made by the Cyber Safety Review Board (CSRB) in a report that “identified a series of operational and strategic decisions by Microsoft that, collectively, denote a corporate culture that has deprioritized both investments in corporate security and rigorous risk management.”
As part of these obligations, Microsoft has committed to stop charging for key security-related features, such as more granular logging that the CSRB says should be an essential part of its cloud service. (Last July, Microsoft began changing this culture by expanding the accessibility and flexibility of cloud logging to give customers “access to broader cloud security logs” at no additional cost.)
Smith also said Microsoft was “pursuing new strategies, investing more resources, and fostering a stronger cybersecurity culture.” This involves adding “18 other concrete security goals” beyond the CSRB’s recommendations and “dedicating the equivalent of 34,000 full-time engineers to what has become the largest cybersecurity engineering project in the history of digital technology,” according to Microsoft’s Secure Future Initiative (SFI).
Microsoft has also strengthened its security team, Smith said, adding “an additional 1,600 security engineers this fiscal year” and planning to “add an additional 800 new security positions” in the next fiscal year. Additionally, the company’s Chief Information Security Officer (CISO) will now lead an office with senior deputy CISOs “to extend oversight of the various engineering teams to assess and ensure that security is integrated” into decision-making and engineering processes.
Smith described the SFI as “a multi-year effort” focusing all of Microsoft’s efforts to develop products and services “on achieving the highest possible security standards.” He warned that online threats are constantly evolving, but said Microsoft was committed to basing its plans on fundamental cybersecurity principles that would prioritize security in product design and ensure protections were never optional and always enabled by default.
The move is part of Microsoft’s plan to regain trust after Smith and Microsoft did not appear to accept full responsibility for the Russian cyberattack. In 2021, Smith told Congress that “no vulnerabilities in any Microsoft products or services were exploited” in this cyberattack, while asserting that “customers could have done more to protect themselves,” ProPublica reported.
In an exchange with Sen. Marco Rubio (R.-Fla.), Smith clarified that customers could have paid for “an antivirus product like Microsoft Defender and secured the devices with another Microsoft product called Intune,” ProPublica reported.
Now, Smith told Congress on Thursday, “Microsoft accepts responsibility for each of the issues cited in the CSRB report. Without equivocation or hesitation. And without any sense of defensiveness.”