A review board appointed by the Biden administration has issued a scathing report criticizing Microsoft for its poor corporate security practices and lack of transparency. The report highlights a breach by state-backed Chinese cyber operators that allowed them to access email accounts of senior U.S. officials, including Commerce Secretary Gina Raimondo. The panel concluded that Microsoft’s security culture was inadequate and in need of a complete overhaul, given the company’s essential role in the global technology ecosystem.
The intrusion, which was discovered in June and dated back to May, was deemed preventable by the board, attributing its success to a series of avoidable errors. Despite this, Microsoft still does not know how the hackers gained access. The panel made sweeping recommendations, including urging Microsoft to halt the addition of features to its cloud computing environment until significant security improvements have been implemented. They called for rapid cultural changes within the company and the sharing of a plan with specific timelines to improve security across all products.
The state-backed Chinese hackers were able to breach the Microsoft Exchange Online email of 22 organizations and over 500 individuals worldwide, accessing cloud-based email boxes for at least six weeks. The board, convened by Homeland Security Secretary Alejandro Mayorkas in August, accused Microsoft of making inaccurate public statements about the incident, including misleading information about the root cause of the intrusion. Additionally, the board expressed concern over a separate hack by state-backed Russian hackers targeting senior Microsoft executives and customers.
The board highlighted a corporate culture at Microsoft that neglected enterprise security investments and rigorous risk management. The Chinese hack, initially disclosed by Microsoft in July, was carried out by a group known as Storm-0558, which has a history of similar intrusions dating back to 2009. Microsoft acknowledged the need for a new culture of engineering security within its networks, mobilizing engineering teams to address legacy infrastructure, improve processes, and enforce security standards. The company emphasized the continuous threat posed by well-resourced nation state actors.
In response to the board’s report, Microsoft stated that it appreciated the investigation and would continue to strengthen its systems against cyber threats. The company committed to implementing more robust sensors and logs to detect and repel cyber-attacks from adversaries. The board’s findings underscore the importance of prioritizing cybersecurity measures and maintaining transparency in the face of escalating cyber threats from state-backed actors. Microsoft must take immediate steps to address the deficiencies identified by the board and bolster its security culture to safeguard against future breaches.
