John Leyden
Senior Writer

Microsoft president faces tough questions from Congress on China, security

News
14 Jun 2024, 4 mins
Cloud Security, Email Security, Security

Microsoft president Brad Smith promised a renewed focus on security, a year after a major attack on the company’s Exchange email service attributed to a Chinese group.

Microsoft’s president Brad Smith faced tough questioning on the company’s security track record and presence in China during a Congressional hearing on Thursday.

The House Committee on Homeland Security convened a hearing to consider last summer’s Microsoft Exchange Online hack, attributed to Chinese-government-linked cyber-espionage group Storm-0558.

A highly critical March report by the Department of Homeland Security’s Cyber Safety Review Board (CSRB) blamed Microsoft for a “cascade of security failures” that allowed attackers to steal a Microsoft Services Account (MSA) signing key and forge authentication tokens before accessing targeted Microsoft Exchange accounts. This compromised access was used to hack into the Microsoft Exchange email accounts of State Department officials, among other (largely government) targets in the US and UK.

In his opening remarks, Committee Chairman Rep. Mark Green characterised the attack as unsophisticated and preventable.

The attack made no reliance on “advanced techniques or cutting-edge technologies. Instead, Storm-0558 exploited basic, well-known vulnerabilities that could have been avoided through basic cyber hygiene practices,” Green said.

“The US government would never expect a private company to work alone in protecting itself against nation-state attacks... but we do expect government vendors to implement basic cybersecurity practices,” Green argued, adding that the 2023 assault is not the first time “Microsoft has been the victim of an avoidable cyberattack.”

In response, Microsoft’s Smith said the company “accepts responsibility for each and every one of the issues cited in the CSRB’s report”.

The CSRB’s report provides 25 recommendations, 16 of which apply to Microsoft. “We are acting on all 16 of these recommendations,” according to Smith.

Secure Future Initiative

Lessons taken from the Microsoft Exchange attack were used by Redmond to develop its Secure Future Initiative, a strategic “Secure by Default” initiative that was expanded in January following attacks blamed on Russia and further expanded upon publication of the CSRB’s report.

The CSRB’s report called for an overhaul in Microsoft’s security culture, which was faulted as inadequate given its dominant role as a technology provider. Microsoft’s “corporate culture [has] de-prioritized both enterprise security investments and rigorous risk management”, the report concludes.

Aside from launching “the single largest cybersecurity engineering project in the history of digital technology”, Microsoft is looking to revamp its working practices and culture in response to criticisms.

Smith told the hearing that Microsoft’s board had agreed that a third of the potential performance bonuses for its 16 most senior executives every year would be judged on their success in achieving cybersecurity-focused targets and goals. In future, mainstream Microsoft employees would be evaluated on cybersecurity as part of their twice-a-year performance reviews, he said.

Chinese walls

Representative Carlos Gimenez, a Florida Republican, questioned Microsoft’s operations in China, which Smith testified accounted for less than 1.5% of Microsoft’s sales. China’s 2017 National Intelligence Law obliges all organisations including foreign companies to cooperate with China’s intelligence agencies in matters of national security.

Smith, an attorney and Microsoft’s general counsel for more than a decade, said Microsoft does not comply with this law. “There are countries that enact certain laws but don’t apply them,” Smith said, adding that this was the case with China’s national security law.

He earlier said that Microsoft’s operations in China supported multinational customers operating in the country, and that Microsoft routinely turned down Chinese government requests to hand over source code or other sensitive data.

The Microsoft president and vice-chair added that Microsoft was looking to relocate 700 to 800 workers in China as it reduced its engineering presence within the country.

Trustworthy Computing

During the three-hour-long hearing, lawmakers grilled Smith on Microsoft’s past failures to prioritize security over new product features, despite previous promises — most notably Bill Gates’ “Trustworthy Computing” memo from 2002 that pledged to make security a top priority.

Congressman Bennie Thompson cited a ProPublica investigation that found Microsoft had ignored warnings from an employee about a critical vulnerability later exploited in the 2020 SolarWinds supply chain attack.

“One of the changes we’ve just made as part of the Secure Future Initiative is a new governance structure” that will better allow staff to offer feedback and report problems, Smith said. “The fundamental cultural change that we are seeking to make is to integrate security into every process,” the Microsoft president concluded.