Microsoft vice chair and president Brad Smith struck a conciliatory tone over his company's repeated IT security lapses during a congressional hearing on Thursday, while asserting that the Windows maker is above the rule of law, at least in China.
He fielded nearly three hours of questions from members of the US House of Representatives about Microsoft's security shortcomings. Now is the time for the White House and Congress to do their job and ensure that we don't learn of yet another Redmond mistake exploited by a foreign government six months from now.
And the US government has several tools, from executive orders to federal spending, with which to head off another Microsoft-related security breach.
Smith began his testimony before Congress this week by accepting “responsibility for each of the problems” cited in a recent Homeland Security report that accused Microsoft of a series of “preventable errors.” According to the investigation, these errors allowed Beijing-backed cyberspies to steal tens of thousands of sensitive emails from Exchange Online inboxes hosted by Microsoft and belonging to senior US government officials.
The theft was made possible by China obtaining a cryptographic signing key from a crash dump file that had been moved out of Microsoft's isolated production environment onto its internet-connected corporate network; the key should never have left production.
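The check a practitioner wants at that boundary is a scan of every dump for serialised key material before it is allowed to cross from production to the corporate network. The following is an added example, not Microsoft's tooling and not described in the report; it matches the encodings an RSA signing key is commonly stored in (PEM armour, DER PKCS#1 and PKCS#8 structures, and the Windows CryptoAPI/CNG "RSA2"/"RSA3" private-key blob magics) and refuses export if any are found. The sample dump is constructed, and the function and signature names are mine.

```python
"""Scan a crash dump for private-key material before it leaves production.

Added example, not Microsoft's code. Looks for the encodings an RSA signing
key is usually serialised in. The sample dump below is constructed.
"""
import re

# (label, compiled byte pattern) for each key encoding we know how to spot.
SIGNATURES = [
    # PEM armour: "-----BEGIN RSA PRIVATE KEY-----", "-----BEGIN PRIVATE KEY-----", etc.
    ("PEM private key", re.compile(rb"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    # DER PKCS#1 RSAPrivateKey: SEQUENCE(len>255) { INTEGER 0 (version), INTEGER modulus(len>255) ...
    ("DER PKCS#1 RSA private key",
     re.compile(rb"\x30\x82..\x02\x01\x00\x02\x82", re.DOTALL)),
    # DER PKCS#8 PrivateKeyInfo: SEQUENCE { INTEGER 0, SEQUENCE { OID 1.2.840.113549.1.1.1 (rsaEncryption) ...
    ("DER PKCS#8 RSA private key",
     re.compile(rb"\x30\x82..\x02\x01\x00\x30\x0d\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01", re.DOTALL)),
    # Windows key blobs: CryptoAPI PRIVATEKEYBLOB and CNG BCRYPT_RSAKEY_BLOB both start the
    # RSA structure with magic "RSA2" (private) or "RSA3" (full private); "RSA1" is public only.
    # The magic is followed by the bit length as a little-endian ULONG (512..8192 here).
    ("Windows RSA private key blob (RSA2/RSA3 magic)",
     re.compile(rb"RSA[23]\x00[\x02-\x20]\x00\x00")),
]


def scan_dump(data: bytes) -> list[dict]:
    """Return every key-material hit as {'offset': int, 'kind': str}, sorted by offset."""
    hits = []
    for label, pattern in SIGNATURES:
        for m in pattern.finditer(data):
            hits.append({"offset": m.start(), "kind": label})
    hits.sort(key=lambda h: h["offset"])
    return hits


def export_allowed(data: bytes) -> bool:
    """Gate for moving a dump across the production boundary: clean dumps only."""
    return not scan_dump(data)


def build_sample_dump() -> bytes:
    """Constructed dump: deterministic filler with three planted key fragments."""
    filler = bytes(range(256)) * 8  # 2 KiB of non-key bytes
    cng_blob = (b"RSA2" + (2048).to_bytes(4, "little")      # BCRYPT_RSAPRIVATE_MAGIC, BitLength
                + (3).to_bytes(4, "little")                 # cbPublicExp
                + (256).to_bytes(4, "little") + b"\x00" * 32)  # cbModulus, truncated body
    pem = b"-----BEGIN RSA PRIVATE KEY-----\nMIIEow...truncated...\n"
    pkcs8 = (b"\x30\x82\x04\xbe\x02\x01\x00\x30\x0d\x06\x09"
             b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01\x05\x00\x04\x82")
    return filler + cng_blob + filler + pem + filler + pkcs8 + filler


if __name__ == "__main__":
    dump = build_sample_dump()
    for hit in scan_dump(dump):
        print(f"offset {hit['offset']:#08x}: {hit['kind']}")
    print("export allowed:", export_allowed(dump))
```

The scanner only catches keys in a recognised serialised form. A key sitting in a process heap as raw big-number limbs, or in a proprietary layout, will pass it untouched, so it is a backstop to the boundary control the report faults Microsoft for lacking, not a substitute for keeping dumps inside production.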
Despite this major Chinese intrusion, Smith defended Microsoft's operations in the Middle Kingdom. China's domestic intelligence laws can be used to force companies operating there to provide surveillance services to the government, or to hand over proprietary code on demand. But Microsoft doesn't have to comply, Smith told some incredulous members of Congress.
Mea culpa, then deflect
Smith gets an A for presentation but a D for content. He issued a mea culpa, yet sidestepped some of lawmakers' tougher questions about China and about why Microsoft is not doing the very important job (securing its code, which in this case is also a national security matter) that the government pays it millions of dollars to do.
Smith also said he had not read a ProPublica report released before the Homeland Security subcommittee hearing, even though it was the subject of several of the questions put to him. The investigative report cited a former Microsoft engineer turned whistleblower who claimed to have repeatedly warned bosses, as early as 2017, about an authentication flaw that left Microsoft users and their work accounts open to compromise.
This flaw, which we're told involves weaknesses in Microsoft's Active Directory Federation Services (AD FS) and SAML, is believed to have been used by the Russian government spies behind the SolarWinds backdoor.
According to the whistleblower, Kremlin spies used the SAML-based authentication flaw to gain full access to organizations' files and messages after first infiltrating those victims' networks via the hijacked SolarWinds software. In other words, it was a post-exploitation vulnerability: one that only helps an intruder who already has a foothold inside the victim.
It was further alleged that Microsoft declined to fix this years-old problem because doing so would have meant admitting its Active Directory software was flawed, which could have cost it billions of dollars while the company was vying for a massive IT contract with the US federal government.
In the wake of the Exchange Online intrusion, all of Microsoft's commitments to improving security and overhauling its security culture are either voluntary or, in the case of ideas like tying top executive pay to security performance, going to be very difficult to measure.
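What makes a post-exploitation token-forgery attack hard to spot is that the forged assertion is signed with the federation service's real key, so signature validation passes. The detection that works is correlation: every assertion the relying party accepts should correspond to an issuance event on the AD FS side. The following is an added example, not from the article, ProPublica, or Microsoft; it assumes the relying party logs each accepted SAML assertion, that AD FS token-issuance audits (Security log event 1200, "The Federation Service issued a valid token") are shipped to the same SIEM, and a simplified event field layout of my own. The assertions and audit events are constructed, and the technique being detected is the one commonly called Golden SAML, which the article does not name.

```python
"""Correlate accepted SAML assertions against AD FS issuance audits.

Added example, not from the article or Microsoft. A token minted offline with
a stolen AD FS token-signing key passes signature checks but was never issued
by the federation service, so it has no matching issuance event. All data
below is constructed; the audit field layout is assumed for the example.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}


def _ts(value: str) -> datetime:
    """Parse a SAML xs:dateTime such as 2024-06-13T14:02:11Z into aware UTC."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def parse_assertion(xml_text: str) -> dict:
    """Extract the fields needed for correlation from a SAML 2.0 assertion."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        raise ValueError(f"not a SAML assertion: {root.tag}")
    name_id = root.find("saml:Subject/saml:NameID", NS)
    cond = root.find("saml:Conditions", NS)
    if name_id is None or cond is None:
        raise ValueError("assertion lacks Subject/NameID or Conditions")
    return {
        "id": root.attrib["ID"],
        "issued": _ts(root.attrib["IssueInstant"]),
        "subject": name_id.text.strip(),
        "not_before": _ts(cond.attrib["NotBefore"]),
        "not_on_or_after": _ts(cond.attrib["NotOnOrAfter"]),
    }


def find_suspect_assertions(
    accepted: list[str],
    adfs_issuance: list[dict],
    clock_skew: timedelta = timedelta(minutes=5),
    max_lifetime: timedelta = timedelta(hours=1),
) -> list[dict]:
    """Return accepted assertions that AD FS has no consistent record of issuing.

    adfs_issuance entries are dicts with keys assertion_id, user and time
    (assumed layout; map your SIEM's event 1200 fields onto it).
    """
    by_id = {e["assertion_id"]: e for e in adfs_issuance}
    findings = []
    for xml_text in accepted:
        a = parse_assertion(xml_text)
        reasons = []
        ev = by_id.get(a["id"])
        if ev is None:
            # Valid signature, yet the federation service never issued it:
            # the hallmark of a token forged with the stolen signing key.
            reasons.append("no AD FS issuance event for this assertion ID")
        else:
            if ev["user"].lower() != a["subject"].lower():
                reasons.append("subject differs from the AD FS issuance record")
            if abs(ev["time"] - a["issued"]) > clock_skew:
                reasons.append("IssueInstant does not match AD FS issuance time")
        # Forged tokens often carry lifetimes the real issuance policy never grants.
        if a["not_on_or_after"] - a["not_before"] > max_lifetime:
            reasons.append("validity window exceeds issuance policy")
        if reasons:
            findings.append({"assertion_id": a["id"], "subject": a["subject"], "reasons": reasons})
    return findings


def _assertion(aid: str, subject: str, issued: str, not_after: str) -> str:
    """Build a minimal constructed assertion (Signature element omitted)."""
    return (
        f'<saml:Assertion xmlns:saml="{SAML_NS}" ID="{aid}" Version="2.0" IssueInstant="{issued}">'
        f"<saml:Issuer>http://sts.example.test/adfs/services/trust</saml:Issuer>"
        f"<saml:Subject><saml:NameID>{subject}</saml:NameID></saml:Subject>"
        f'<saml:Conditions NotBefore="{issued}" NotOnOrAfter="{not_after}"/>'
        f"</saml:Assertion>"
    )


# Constructed sample: one legitimate sign-in, one forged assertion for an admin
# with a 24-hour lifetime and no AD FS issuance record.
ACCEPTED = [
    _assertion("_a1", "alice@example.test", "2024-06-13T14:02:11Z", "2024-06-13T15:02:11Z"),
    _assertion("_f9", "admin@example.test", "2024-06-13T03:17:40Z", "2024-06-14T03:17:40Z"),
]
ADFS_ISSUANCE = [
    {"assertion_id": "_a1", "user": "alice@example.test", "time": _ts("2024-06-13T14:02:10Z")},
]

if __name__ == "__main__":
    for f in find_suspect_assertions(ACCEPTED, ADFS_ISSUANCE):
        print(f["assertion_id"], f["subject"], "; ".join(f["reasons"]))
```

The correlation only works if AD FS auditing is enabled and its events reach the SIEM; an intruder who already owns the AD FS host can also tamper with that log, so the issuance feed should be forwarded off-box promptly rather than collected after the fact.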
“If it was any other vendor, if something like this happened to us, where we had such a security breach that foreign governments could get into our cloud environment, it would not only destroy our product on the market because we have no credibility, but the government would just kick us out,” Karan Sondhi, CTO of Trellix, told The Register.
Repeated intrusions by Russian and Chinese cyber spies highlight the national security risks of Uncle Sam's growing dependence on a single technology provider, Sondhi told us.
Microsoft's footprint in the US government is a case in point: Uncle Sam uses everything from the super-corp's cloud infrastructure to its operating system and productivity tools, and then adds Redmond's security products on top, which, according to Trellix and other infosec vendors, discourages competition in the market.
“We are simply saying to the government: do an independent assessment of security tools,” Sondhi said. “Measure the effectiveness of security tools, regardless of the bundle offered by Microsoft, and choose your favorite. If it's us, great. If it's CrowdStrike, more power to you. If it's SentinelOne, perfect.”
Microsoft, he added, “should fix vulnerabilities in their products. They should focus directly on that instead of trying to sell you security tools.”
Asked at the congressional hearing whether Microsoft's bundling practices might deter government and other customers from choosing a third-party vendor for security tooling, Smith responded: “I'm not aware of any so-called practice that limits what our customers can do in terms of cybersecurity protection.”
No real incentive for change
As long as federal money keeps flowing into Microsoft's coffers, there is no real incentive for change. US government data showed at least $498 million in payments to Microsoft in 2023 alone.
In a May 29 letter to US Department of Defense CIO John Sherman, Senators Ron Wyden (D-OR) and Eric Schmitt (R-MO) questioned why the Pentagon is “doubling down” on its investment in Microsoft products despite the IT giant's serious failures.
This came after the Department of Homeland Security's Cyber Safety Review Board called out the “cascade” of security failures at Microsoft that made China's digital intrusion into government inboxes possible.
“What should the government do? Probably not award a $10 billion DoD contract to Microsoft for a commercial, off-the-shelf product,” said Cory Simpson, CEO of the Institute for Critical Infrastructure Technology and a senior advisor to the Cyberspace Solarium Commission.
“You have a national security entity that says this is an entity that poses a risk, and then you have the DoD, another national security entity, that is doubling down on Microsoft,” Simpson told The Register. “We need to have this conversation, and it needs to happen with the White House.”
According to Simpson, the first step is triage, which must come via an executive order from the White House. Then there's long-term care, which comes from Congress.
Even though the administration doesn't control the government's purse strings, it could pause future Microsoft integrations while agencies evaluate security products from other vendors, he said. “This could be done through an executive order,” Simpson noted.
The Office of the National Cybersecurity Director at the White House declined to comment for this story.
Long-term care, on the other hand, involves action by Congress to codify best, or even just basic, security practices, such as requiring Microsoft products to be interoperable with those of its peers.
“One end of the continuum is decoupling from Microsoft, and the other end is doing nothing,” Simpson said. “And there's a whole range of options in between.”
It’s time for the Biden administration to ‘lead by example’
Under President Joe Biden, the administration has touted its commitment to strengthening the nation’s networks. This included the publication of the national cybersecurity strategy in March 2023.
Part of that strategy involves holding software companies accountable for security flaws in their products, shifting the burden of defense from the end users of the technology onto the vendors. It also says the administration will work with Congress and the private sector to develop legislation around secure software and services.
That idea is also the focus of the US Cybersecurity and Infrastructure Security Agency's Secure by Design pledge, signed by nearly 70 software companies, Microsoft included, at last month's RSA Conference.
Another element of the strategy is investing in long-term security practices at the government and enterprise level, rather than relying on short-term fixes such as patches and other stopgaps.
“You can't accomplish both of those things with minimal regulation,” Simpson said. “The best way to do this is to take full advantage of the government as the largest consumer in the world. It's about purchasing power. If they don't change their purchasing practices, shame on them. They must lead by example on their own strategy.” ®