Congress grills Microsoft boss Brad Smith after ‘cascade’ of security errors

The House Homeland Security committee is grilling Microsoft President Brad Smith Thursday about the software giant’s plans to improve its security after a series of devastating hacks reached into federal officials’ email accounts, challenging the company’s fitness as a dominant government contractor.

The questioning followed a withering report on one of those breaches, where the federal Cyber Safety Review Board found the event was made possible by a “cascade of avoidable errors” and a security culture “that requires an overhaul.”

In that hack, suspected agents of China’s Ministry of State Security last year created digital keys using a tool that allowed them to pose as any existing Microsoft customer. Using the tool, they impersonated 22 organizations, including the U.S. Departments of State and Commerce, and rifled through Commerce Secretary Gina Raimondo’s email among others.

The event triggered the sharpest criticism in decades of the stalwart federal vendor, and has prompted rival companies and some authorities to push for less government reliance on its technology. Two senators wrote to the Pentagon last month, asking why the agency plans to improve nonclassified Defense Department tech security with more expensive Microsoft licenses instead of with alternative vendors.

“Cybersecurity should be a core attribute of software, not a premium feature that companies upsell to deep-pocketed government and corporate customers,” Sens. Eric Schmitt (R-Mo.) and Ron Wyden (D-Ore.) wrote. “Through its buying power, DOD’s strategies and standards have the power to shape corporate strategies that result in more resilient cybersecurity services.”


Any serious shift in executive branch spending would take years, but Department of Homeland Security leaders say plans are in motion to add security guarantees and requirements to more government purchases — an idea touted in the Cyber Safety Review Board’s Microsoft report. The report found that current requirements “do not consistently require sound practices” for authenticating users.

Committee Chair Mark Green (R-Tenn.) said ahead of the hearing that “it is now Congress’s responsibility to examine Microsoft’s response to this report. We must restore the trust of the American people, who depend upon Microsoft products every day.”

In written testimony submitted Wednesday, Smith echoed earlier statements welcoming the Review Board findings and committing to do better. Smith touted a companywide security initiative that has brought in 1,600 security engineers in the current fiscal year and will add another 800 positions next year.

Smith said the company had made security its top priority across the entire organization and would fulfill the Review Board’s recommendations for both the company and the industry as a whole.

“Microsoft accepts responsibility for each and every one of the issues cited in the CSRB’s report,” Smith testified.

The testimony raised eyebrows among some security professionals who pointed to Microsoft’s rollout this month of a Windows feature called Recall, which takes screenshots of most activity on a personal computer every few seconds and stores them to make searching for past actions easier.

Though Microsoft said that users would only be able to see their own histories and that they would otherwise remain encrypted and stored locally, experts called it a treasure trove for electronic intruders. They alleged anyone with administrative rights to a machine could spy on other users, and that a hacker could export and read files, including records of financial passwords and encrypted messages, if they broke in.

After declining to comment on those reports for more than a week, Microsoft said it would no longer ship Recall enabled by default, as originally planned, and that turning it on would require additional authentication by the user.

In his written testimony, Smith cited that reversal as an example of the company’s revitalized efforts in security.
