Microsoft answered Congress’s questions about security. Now the White House must act

Microsoft President Brad Smith struck a conciliatory tone during a congressional hearing on Thursday over his IT giant’s repeated computer security failures, while also arguing that the Windows maker is above the rule of law, at least in China.

He answered nearly three hours of questions from representatives of the U.S. House of Representatives about Microsoft’s information security shortcomings. Now it’s time for the White House and Congress to do their job and ensure that in six months we don’t find out about another blunder in Redmond being exploited by a foreign government.

And the US government has several tools at its disposal, from executive orders to federal spending, to prevent another Microsoft-related security breach.

Smith began his testimony before Congress this week by accepting “responsibility for each of the issues” cited in a recent Homeland Security report that accused Microsoft of a series of “avoidable mistakes.” The investigation found that these flaws allowed Beijing-backed cyber spies to steal tens of thousands of sensitive emails from the Microsoft-hosted Exchange Online inboxes of high-ranking U.S. government officials.

That theft was made possible because China stole a cryptographic key from a crash dump file left on Microsoft’s internal, Internet-connected corporate network, a key that should never have left the mega-company’s isolated production environment.

Despite this major security breach by China, Smith defended Microsoft’s activities in the Middle Kingdom. National intelligence laws in China can be used to force companies operating there to provide spy services to the government, or to hand over proprietary code if they are pressured to do so. But Microsoft doesn’t have to comply, Smith claimed to some disbelieving members of Congress.

Mea culpa, and then reject

He gets an A for presentation, but a D for content. Smith issued a mea culpa, but also dismissed some tough questions from lawmakers about China, and about why Microsoft isn’t doing a better job at something so important (securing its code, which in this case is also a matter of national security) that the government pays it millions of dollars for.

Smith also said he had not read a ProPublica report that came out ahead of the Homeland Security subcommittee hearing and was the subject of several questions to the executive branch. That investigative report cited a now ex-Microsoft whistleblower who claimed he had repeatedly warned bosses as early as 2017 about an authentication flaw that left Microsoft users and their work accounts vulnerable to compromise.

This flaw, which we’re told involves exploiting weaknesses in Microsoft’s Active Directory Federation Services and SAML, was reportedly used by Russian government snoops in the wake of the SolarWinds backdoor.

According to the whistleblower, Kremlin spies used the SAML-based authentication flaw to gain full access to organizations’ files and messages after sneaking into those victims’ IT networks through the backdoor of SolarWinds software. In other words, this was a post-exploitation vulnerability.

It was further alleged that Microsoft refused to fix this long-standing problem because doing so would require the company to admit that its Active Directory software was defective, which could have cost it billions of dollars as the company competed for a huge IT contract with the US federal government at the time.

In the wake of the Exchange Online breach, any of Microsoft’s promises to do better on security and overhaul its entire security culture are either voluntary or, with ideas like tying executive pay to security performance, very difficult to measure.

“If it was any other vendor, if something like this were to happen to us, where we had such a gaping hole in security that foreign governments could get into our cloud environment, it would not only destroy our product in the marketplace because we would have no credibility, but the government would just kick us out,” Karan Sondhi, CTO of Trellix, told The Register.

The repeated intrusions by both Russian and Chinese cyber spies highlight the national security risks of Uncle Sam’s increasing dependence on a single technology provider, Sondhi told us.

Specific to Microsoft and America: The U.S. government uses everything from the supercompany’s cloud infrastructure to its operating system and productivity tools, then adds Redmond’s security products, which Trellix and other infosec vendors say discourages competition in the market.

“We are just saying to the government: ensure an independent evaluation of the security tools,” Sondhi said. “Measure the effectiveness of the security tools, regardless of the bundle Microsoft offers, and pick your favorite. If it’s for us, great. If it’s CrowdStrike, more power to you. If it’s SentinelOne, great.”

Microsoft, he added, “should be fixing vulnerabilities in their products. They should be completely focused on that instead of trying to sell you security tools.”

When asked at the Congressional hearing about Microsoft’s bundling practices that could prevent government and other customers from selecting a third-party security vendor, Smith said: “I am not aware of any so-called practices that limit what our customers can do in the field of cybersecurity.”

No real incentive to change

As long as federal dollars continue to flow into Microsoft’s coffers, there is no real incentive to change. US government data shows that at least $498 million in payments were made to Microsoft in 2023 alone.

In a May 29 letter to Defense Department CIO John Sherman, Senators Ron Wyden (D-OR) and Eric Schmitt (R-MO) questioned why the Pentagon is “doubling down” on its investments in Microsoft products despite the IT giant’s serious security shortcomings.

This comes after the Department of Homeland Security’s Cyber Safety Review Board condemned Microsoft’s ‘cascade’ of security snafus that enabled China’s digital intrusion into government inboxes.

“What should the government do? Probably not give Microsoft a $10 billion DoD contract for a commercial off-the-shelf product,” said Cory Simpson, CEO of the Institute for Critical Infrastructure Technology and senior advisor to the Cyberspace Solarium Commission.

“You have an entity responsible for national security saying this is an entity that poses a risk, and then you have DoD, another entity responsible for national security, giving additional impetus to Microsoft,” Simpson told The Register. “We need to have that conversation, and it needs to be with the White House.”

The first thing that needs to happen, according to Simpson, is triage, which would come from an Executive Order from the White House. After that comes long-term care, which would come from Congress.

While the executive branch doesn’t control the government’s wallet, it could pause future Microsoft integrations while the government examines other vendors’ security products, he explained. “That could be done with an executive order,” Simpson noted.

The White House Office of the National Cyber Director declined to comment for this story.

The long-term care, on the other hand, involves action by Congress to codify best security practices and even simpler measures, such as requiring Microsoft products to be interoperable with those of its peers.

“The two ends of the continuum are a disconnect from Microsoft, and on the other end, doing nothing,” Simpson said. “And there is a range of options in between.”

Time for the Biden administration to ‘walk the talk’

Under President Joe Biden, the administration has touted its commitment to strengthening national networks. This included releasing the National Cyber Security Strategy in March 2023.

Part of the strategy revolves around holding software makers accountable for security flaws in their products, shifting IT defenses from the end users of the technology to the providers. It also says the administration will work with Congress and the private sector to develop legislation around secure software and services.

This is also the focus of the US Cybersecurity and Infrastructure Security Agency’s Secure by Design pledge, signed by nearly 70 software companies, including Microsoft, at last month’s RSA conference.

Another part of the strategy is investing in longer-term security practices at government and corporate levels, rather than relying on short-term solutions such as patches and more temporary fixes to problems.

“You can’t achieve either of those things with minimal regulation,” Simpson said. “The best way to do that is to take full advantage of government as the world’s largest consumer. It’s about purchasing power. If they don’t change purchasing practices, shame on them. They need to walk the talk on their strategy.”