Microsoft president Brad Smith in sworn testimony before a congressional committee this week said with humility the company accepts full responsibility for every cybersecurity issue raised in a recent Cyber Safety Review Board report created by multiple officials from several U.S. government agencies including the Department of Homeland Security, the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI).
The investigation was commissioned by President Biden in response to Microsoft disclosing that a Chinese hacking group referred to as “Storm-0558” was responsible for a security breach that led to the access of the email accounts belonging to multiple Federal agencies.
Rep. Mark Green, MD (R-TN), chairman of the House Committee on Homeland Security, noted the unsophisticated attack that the U.S. State Department first discovered, has raised doubts about Microsoft’s ability to ensure U.S. national security. The report concludes that the internal culture at Microsoft needs an overhaul following a cyberattack on Federal agencies that exploited a vulnerability, first disclosed in 2016.
In response, Microsoft is reviewing its internal cybersecurity processes, including making it part of the bi-annual internal review process for employees and tying a third of bonuses for senior executives to incentives for maintaining and improving cybersecurity, said Smith. In addition, Microsoft will appoint a Deputy CISO who is specifically focused on integrating tools and platforms that Microsoft acquires and is now making logs available to existing enterprise customers at no extra cost, said Smith.
Microsoft Apologizes
Microsoft apologizes for the breaches and inadequacies described in the Cyber Safety Review Board report and is now working to integrate Secure by Design principles into every aspect of its software development processes and cloud services platforms, said Smith. He added that Microsoft’s biggest mistake was becoming too dependent on cybersecurity specialists rather than embedding cybersecurity across its entire employee base.
However, governments and Microsoft customers need to do more to help secure Microsoft application environments that are attacked more than 300 million times a day, said Smith.
The cybersecurity professionals working at the State Department should be given a medal for their efforts, said Smith.
Rep. Bennie Thompson (D-MS), however, reminded Smith that as a customer of Microsoft, it is not the responsibility of the Federal government to secure Microsoft software. That responsibility lies with Microsoft, as a supplier of software to the Federal government.
In general, Microsoft is pledging to be better, and rivals would be well-advised to not take advantage of this issue to make a case for replacing Microsoft software, lest they find themselves in a similar position when more inevitably more cyberattacks are launched against them, said Smith.
Microsoft has more than 34,000 engineers working on cybersecurity initiatives, said Smith. Nevertheless, it’s “open season” on customers of IT vendors as cyberattacks continue to be launched around the world with impunity, said Smith. Countries need to extend the Geneva Convention to make it a crime to launch cyberattacks against civilians in peacetime, he added. That convention today makes it a crime against civilian populations in times of war.
It’s better late than never when it comes to cybersecurity issues finally being publicly discussed by elected officials, but the real issue is, as always, what level of accountability vendors should be held to, when crippling cybersecurity attacks have become all too common.
Recent Articles By Author
GIPHY App Key not set. Please check settings