Microsoft will take full responsibility for security failures outlined in a March report by the Cyber Safety Review Board, Brad Smith, vice chair and president of the company, said in written testimony prepared for the U.S. House Committee on Homeland Security.
Smith will testify Thursday afternoon in a highly anticipated hearing following the company’s massive security debacles related to two state-linked cyberattacks that compromised key federal agencies.
“We recognize that Microsoft plays a unique and critical cybersecurity role,” Smith said in written testimony. “Not only for our customers, but for this country. And not only for this country, but for this nation’s allies.”
Microsoft operates data centers in 32 countries around the world, and closely collaborates on security issues with the U.S. government and key allies, Smith said.
Security concerns
Beginning in May 2023, hackers linked to the People’s Republic of China targeted the Microsoft Exchange Online environment of 22 organizations and 500 individuals, leading to the theft of about 60,000 U.S. State Department emails and compromising the account of U.S. Commerce Secretary Gina Raimondo.
A report released by the U.S. Cyber Safety Review Board concluded the attack was entirely preventable and blasted Microsoft for emphasizing speed to market and new features rather than focusing on security.
A separate attack beginning in late 2023 by the Russia-linked Midnight Blizzard threat group compromised the email accounts of senior Microsoft executives. That attack resulted in another series of mishaps, including the theft of credentials that could be used to access federal agencies.
Critics say Microsoft should have been held accountable for its lapses in a much more meaningful way, particularly in light of the foothold it has in key federal agencies.
“Microsoft has not demonstrated the commitment to security that would justify its dominant position in the Department of Defense ecosystem or at any other government system,” Mark Montgomery, senior director at the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies, said via email.
The CSRB report issued a total of 25 recommendations: 16 apply to Microsoft, and the rest are directed at the wider cloud security industry.
Smith said nation-state activity has become more intense and far more sophisticated: 47 million phishing attacks have been launched against Microsoft and its employees in the past year. In addition, 345 million attacks are attempted against Microsoft customers every day, according to the written testimony.
“As a company, we need to strive for perfection in protecting this nation’s cybersecurity,” Smith said. “Any day we fall short is a bad day for cybersecurity and a terrible moment at Microsoft.”
Microsoft is planning additional steps to enhance its internal security policies. The Microsoft Board of Directors on Friday is set to finalize plans to link senior executive compensation to meeting internal security goals.
The company has also invited CISA to its headquarters for a detailed briefing on steps Microsoft is taking to meet its security objectives.