Microsoft is facing scrutiny and criticism in a 34-page report released by the Cyber Safety Review Board (CSRB), which was created by the U.S. Secretary of Homeland Security. The report focuses on a cybersecurity incident in May and June 2023, in which the Chinese hacking group Storm-0558 compromised Microsoft Exchange Online mailboxes belonging to over 500 individuals and 22 organizations worldwide, including senior U.S. government officials. The report criticizes Microsoft’s security culture as inadequate and in need of an overhaul, especially given the company’s central role in the technology ecosystem and the trust customers place in it to protect their data and operations.

The CSRB report also highlights Microsoft’s public communications shortcomings, noting that the company waited until recently to correct a blog post from September 2023 regarding the root cause of the breach after repeated inquiries from the board. The report indicates that Microsoft still does not know how Storm-0558 obtained the critical 2016 Microsoft Services Account (MSA) signing key used in the intrusion. It suggests Microsoft refocus its product development efforts by prioritizing security features over new product features, reflecting the spirit of the “Trustworthy Computing” initiative initiated by Bill Gates in 2002.

The CSRB report states that Microsoft has deviated from this ethos and must restore it immediately as a top corporate priority. The board recommends that Microsoft’s security-related efforts be overseen directly by the CEO and the Board of Directors, holding all senior leaders accountable for implementing necessary changes urgently. Microsoft’s recent changes to its security leadership and the ‘Secure Future Initiative’ announced in November 2023 are acknowledged by the board, but it emphasizes the need for closer oversight and accountability from the company’s leadership.

In response to the report, Microsoft stated that it appreciates the CSRB’s investigation into the impact of nation-state threat actors and recognizes the need for a new culture of engineering security within its own networks. It has mobilized engineering teams to identify and mitigate legacy infrastructure, improve processes, and enforce security benchmarks. Microsoft’s security engineers are working to strengthen systems against cyberattacks and enhance detection and response capabilities. The company plans to review the final report for additional recommendations to further enhance its security measures.

Overall, the report calls for Microsoft to prioritize security and restore the “Trustworthy Computing” ethos as a top priority within the company. It recommends closer oversight and accountability from the leadership, with all necessary changes implemented urgently. Microsoft’s response acknowledges the need for a new security focus and highlights ongoing efforts to strengthen their systems against advanced cyber threats. The company will review the report for additional recommendations to further enhance its security posture in the face of evolving cyber threats.
