Microsoft grilled on Capitol Hill over security failures

Brad Smith, president of Microsoft, testifies during a House Committee on Homeland Security hearing Thursday. PHOTO: SAUL LOEB/AGENCE FRANCE-PRESSE/GETTY IMAGES

Summary

President Brad Smith pledged to address security failures that led to a hack of U.S. government systems last year.

Microsoft President Brad Smith said the company bears responsibility for a raft of security failures that led to a hack of U.S. government systems last year, and vowed to address them in testimony before Congress on Thursday.

Smith, in an appearance before the House Committee on Homeland Security, said the company accepts the findings of an investigation into its security practices “without equivocation or hesitation.”

“We acknowledge that we can and must do better, and we apologize and express our deepest regrets to those who have been impacted,” he said.

The committee summoned Microsoft following the federal Cyber Safety Review Board’s withering April report on the breach, which called into question security practices at the Redmond, Wash.-based tech giant. The CSRB, a public-private group set up to examine serious cybersecurity incidents, said the company’s culture deprioritized enterprise security and risk management.

The board found that a “cascade of Microsoft’s avoidable errors” allowed a successful attack by a hacking group known as Storm-0558. The group stole a cryptographic key for Microsoft’s Exchange product, which allowed the hackers access to the email inboxes of senior U.S. government officials, including Commerce Secretary Gina Raimondo; the U.S. ambassador to China, Nicholas Burns; and Rep. Don Bacon (R., Neb.).

The CSRB and Microsoft have linked Storm-0558 to the Chinese government, which has denied any association with cybercriminals.

In a hearing that often veered between polite recognition from lawmakers of Microsoft’s importance as a supplier to the federal government, and visible irritation over recent breaches, Smith was repeatedly pressed on several issues relating to the attack. Smith fielded repeated questions about Microsoft’s business practices in China, its vulnerability-management processes and how it was informed about the government hack by the State Department rather than discovering it on its own.

“It’s not our job to find the culprits. That’s what we’re paying you for, don’t switch the role,” said Rep. Bennie Thompson (D., Miss.), after Smith suggested that the State Department employees who discovered the breach should be given medals.

In May, Microsoft published an extensive plan to overhaul its security processes and culture, expanding on a previous initiative announced in November. The company said it would integrate the CSRB’s 16 recommendations specific to the company, and promised to go further. Satya Nadella, Microsoft’s chief executive, said in an accompanying memo that when faced with a trade-off between security and another priority, the company should always pick security.

“Some of the findings of that report really catalyzed change in how they are approaching the development of their technology products,” Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, said in an interview at the time.

Microsoft might have taken congressional heat Thursday, but many of the problems pegged by CSRB are common among cloud companies, said Tim Youngblood, chief information security officer in residence at cyber company Astrix Security.

As cloud businesses grew over the past decade, security often came afterward, said Youngblood, who has spent 30 years in cybersecurity including stints as CISO at T-Mobile US, McDonald’s, Kimberly-Clark and Dell.

Cloud companies, including Microsoft, “would add on a security layer and say, ‘You can buy this. You can pay extra for it,’” he said. “Cloud was never a secure-by-design model.”

Pressure from regulators, Congress and customers will force positive change at Microsoft, said Doug Shepherd, senior director of information security at real-estate company Jones Lang LaSalle. The company has spent the past year expanding its use of Microsoft security products, though Shepherd said JLL and other big companies aren’t likely to lock themselves into cyber tools from a single vendor.

In response to the recent China-linked attack, Microsoft “largely did the right things,” he said. “At the end of the day if the FSB or the Chinese want you, they will get in,” he said, using an acronym that refers to Russia’s Federal Security Service.

The state of Microsoft’s cybersecurity has caused such concern because of the company’s ubiquity in both corporate and federal technology networks. The U.S. government paid at least $498.5 million to the company in 2023 alone for products and services according to government data, and Microsoft supplies around 85% of its productivity tools, Rep. Thompson said, demonstrating its importance within Washington.

Microsoft’s tech is often so deeply embedded that it is impossible to move away from, said Felicia King, president of Quality Plus Consulting, which provides virtual chief information security officer services to smaller companies.

“Most businesses are using some custom, business-line application that was only written for Microsoft operating systems. So, they don’t have the luxury of saying, you know what, we’re just going to run Linux on everything,” King said.

“Am I going to continue to use Microsoft operating systems for a lot of business functions? Yes, because I have to,” she said.

Write to James Rundle at james.rundle@wsj.com, Kim S. Nash at kim.nash@wsj.com and Catherine Stupp at catherine.stupp@wsj.com
