It’s been two weeks since Microsoft was grilled by the House Homeland Security Committee due to a “cascade of security failures”.
The hearing came in response to the U.S. Cyber Safety Review Board’s (CSRB) report on the severity of the digital infiltration of U.S. critical infrastructure by the group Storm-0558, which is linked to China. Additionally, a whistleblower, a former Department of Defense worker, claimed that Microsoft chose profit over security when securing contracts with the federal government.
Microsoft provides vital services to U.S. defense and national security agencies, and its global ecosystem and supply chain extends to hundreds of thousands of businesses and organizations worldwide.
The brand Microsoft, which had earned a reputation for being on the cutting edge of security and privacy, is now under pressure to demonstrate its commitment.
Techopedia talked to experts to understand the “avoidable errors” Microsoft made, how this impacts the tech landscape, and how the conversation should move forward.
Key Takeaways
- Microsoft was criticized for security vulnerabilities that allowed Chinese hackers to access sensitive U.S. information.
- A whistleblower revealed Microsoft prioritized profits over security measures to win government contracts.
- Experts say Microsoft needs to improve its security culture and prioritize user safety over financial gain.
- Experts discuss Microsoft’s next moves, call for stricter government oversight and security standards for tech companies, and discuss the company’s uphill work to recover its reputation.
Microsoft’s Shocking ‘Avoidable Errors’
On June 13, the Vice Chair and President of Microsoft Corporation, Brad Smith, in his testimony to the U.S. House Committee on Homeland Security, took full responsibility for the failures in security.
“Before I say anything else, I think it’s especially important for me to say that Microsoft accepts responsibility for each and every one of the issues cited in the CSRB’s report.
Without equivocation or hesitation. And without any sense of defensiveness. But rather with a complete commitment to address every recommendation and use this report as an opportunity and foundation to strengthen our cybersecurity protection across the board.”
The Cyber Safety Review Board’s (CSRB) report found that the Storm-0558 intrusion was preventable. CSRB identified a series of Microsoft operational and strategic decisions that collectively signaled corporate culture gaps and the prioritization of securing investments. The CSRB report’s language was clear.
“This intrusion was preventable and should never have occurred.”
CSRB added that “Microsoft’s security culture was inadequate and requires an overhaul”. It added that there has been a “cascade of avoidable errors that allowed this intrusion to succeed”.
Given the global and complex magnitude of Microsoft’s operations, supply chain, customers, and global business partners, the failures rippled internationally, leaving those working with Microsoft or its solutions wondering what to do next.
David McInerney, Commercial Manager of Data Privacy at Cassie, a consent and preference management platform that supports Fortune 500 companies globally, spoke to Techopedia about the “avoidable errors”.
“Microsoft didn’t have the proper enterprise security or risk management protocols in place, ultimately resulting in a series of avoidable errors.”
McInerney explained that perhaps the most notable avoidable error was brought to light by the ProPublica investigation which revealed product leaders ignored the security concerns of an employee who later became a whistleblower — Andrew Harris.
The issues Harris warned Microsoft about could have prevented the SolarWinds attack, one of the largest cybersecurity incidents in U.S. history. McInerney from Cassie said the incident speaks directly to the security culture inside Microsoft.
“These breaches are particularly important not only because they impacted U.S. federal employees, but also because they revealed Microsoft’s internal culture encouraged developing new products and features over ensuring existing offerings were secure.”
McInerney described the avoidable security failures as tied to negligence and to prioritizing financial gains over security:
“The company was not prioritizing investing in the proper security protocols and testing its existing products against them, but rather trying to stay ahead of competitors and release new products as quickly as possible.”
Failed Security Culture: From Top to Bottom, Reputation Damages Spread
Stephen Moore, VP, Chief Security Strategist, and Co-founder of Ten18 Research and Insight Group of Exabeam, a cybersecurity research and insights group, speaking to Techopedia, pointed directly at top Microsoft executives and their role in the crisis.
“The choices made by executive leadership at Microsoft contributed heavily to several costly widespread problems; as some say, your greatest insider threat is the behavior of your executive leadership team.”
These avoidable errors not only resulted in significant breaches that put national security at risk; Moore explains that they also compromised product integrity for financial and reputational considerations.
“The critical issue was not merely the technical mishandling of a cryptographic key or an unresolved authentication flaw in Active Directory Federation Service; it was the deliberate decision to prioritize cost avoidance and pursue lucrative contracts over addressing known security vulnerabilities,” Moore explained.
Despite repeated warnings from engineers about critical authentication flaws, Microsoft chose not to address these issues, fearing that acknowledging them would jeopardize their chances of securing a massive contract with the U.S. federal government.
As Moore explained, this is a profound failure in maintaining the integrity of its products, as the company placed business interests above the essential need for robust security.
Additionally, this decision led to significant breaches, such as Beijing-backed cyberspies accessing tens of thousands of sensitive emails from high-ranking U.S. officials.
“Ultimately, these flaws were brought to light, damaging Microsoft’s reputation and incurring significant costs,” Moore said.
How Should Microsoft Move Forward?
The world has witnessed numerous top tech executives sit through special congressional hearings over large-scale security and privacy failures. From Mark Zuckerberg’s numerous congressional hearings — including the 2020 U.S. Election integrity failures — to X (formerly Twitter), TikTok, Discord, and Snap executives addressing failures to protect children from online sexual exploitation, tech leaders have responded time and time again to serious incidents with apologies. But is that enough to move forward?
Microsoft’s President Smith followed the same apology strategy and promised wide changes. Of the CSRB’s 25 recommendations, Microsoft says it will take action on the 16 that apply to the company, as the other 12 are recommendations for all cloud service providers (CSPs).
“We have added another 18 concrete security objectives, reflecting the work we started last summer after we assessed the shortfalls we identified from the Storm-0558 intrusion from China,” Smith reassured members of the Committee.
While Microsoft said it has launched a company-wide initiative, called the Secure Future Initiative (SFI), and has recognized the unique and critical cybersecurity role it plays for customers, the U.S., and the nation’s allies, the company also deflected and spoke about nation-state-supported attacks, including from Russia, China, Iran, and North Korea.
“During the past year, Microsoft detected 47 million phishing attacks against our network and employees. But this is modest compared to the 345 million cyber attacks we detect against our customers every day.”
McInerney from Cassie told Techopedia that Microsoft is a massive corporation that has a major influence on society and needs to act as such.
“The company needs to take a step back and reassess its approach to security and data privacy measures.”
McInerney added that if Microsoft wants to maintain customer trust, it would also benefit the company to be transparent from the start going forward.
“For example, as Microsoft recently prepared to launch its Recall product, the company could have implemented a campaign to educate people on the new product weeks ahead of the now postponed launch date and made a clear and easily accessible opt-out option for consumers from the beginning,” McInerney said.
A Call for More Government Oversight and Control
Moore from Ten18 told Techopedia that the way forward is more oversight and control.
“Advancing the conversation necessitates a comprehensive approach involving stricter oversight and accountability measures for major IT vendors like Microsoft.
“The U.S. government should enforce independent evaluations of security tools, ensuring they are not solely reliant on a single vendor. Implementing requirements for interoperability with third-party security solutions can foster a more competitive and secure marketplace.”
Moore said that the White House could issue executive orders to halt further integrations with Microsoft until thorough reviews occur and security commitments are mandatory.
Additionally, Congress should legislate best security practices, hold software makers accountable for security flaws, and enforce secure-by-design principles.
“Microsoft’s most compelling yet humorous move is that they’ve now tied the bonus structure of the Senior Leadership Team to meeting security plan milestones. Shouldn’t this have always been the case?”
The Bottom Line
U.S. government contracts with big tech like Amazon, Google, and Microsoft are worth billions of dollars and fuel intense competition in the market. While the pressure and benefits that these contracts bring are massive, they are not an excuse for negligent actions that lead to cybersecurity failures.
Prioritizing financial gains over security and ignoring red flags from workers that result in incredibly damaging cybersecurity attacks is something few would have ever associated with the Microsoft brand. For the company today, reputation and financial damages are as inevitable as erosion of trust.
It is still hard to understand how Microsoft, a company extremely rich in resources and skills, failed not because of sophisticated nation-state attacks but because it neglected basic security principles.
Microsoft faces an uphill battle to recover its reputation because, today, something in the higher offices smells rotten.