
Microsoft president Brad Smith will tell lawmakers on Capitol Hill Thursday that the company is responsible for “each and every one of the issues” that a government advisory board uncovered while investigating a recent China hack, according to prepared remarks.

Why it matters: Lawmakers, administration officials and regulators have started to lose trust in the tech giant’s ability to secure its products after a series of nation-state cyberattacks.

Driving the news: Microsoft has faced two notable nation-state cyberattacks in the last year that have put federal agencies’ communications in jeopardy.

  • Microsoft disclosed last July that a China-backed hacking group had broken into the email accounts of several organizations, including federal offices. Commerce Secretary Gina Raimondo and several State officials were affected.

  • Russian intelligence hackers also stole several federal agencies’ emails after breaching Microsoft, the Cybersecurity and Infrastructure Security Agency said earlier this year.

The big picture: Ever since these incidents, Microsoft has faced a mountain of scrutiny in Washington from lawmakers and competitors.

  • The Cyber Safety Review Board (CSRB) said in an April report that the Chinese espionage campaign, in particular, was “preventable and should never have occurred.”

  • Senators are pushing back against the Pentagon’s reported plans to upgrade its suite of Microsoft products as part of its zero-trust transition.

  • And eager competitors have gone on a campaign to woo Microsoft’s government customers.

The other side: Microsoft has been briefing federal security leaders and their teams on a new set of security principles it’s been implementing internally, known as the Secure Future Initiative.

  • The plan ties executives’ pay to improving cybersecurity and calls on teams to prioritize security investments over fast product development.

Zoom in: In his remarks to the House Homeland Security Committee, Smith will tell lawmakers that he sees the advisory board’s recommendations as good advice for all corporations to follow as they face “more prolific, well-resourced, and sophisticated cyberattacks.”

  • Smith plans to lay out how the new Secure Future Initiative will help address each issue in the advisory board’s report, per his remarks published Wednesday.

  • “We acknowledge that we can and must do better, and we apologize and express our deepest regrets to those who have been impacted,” Smith will say.

  • Microsoft has invited the Cybersecurity and Infrastructure Security Agency (CISA) to its headquarters for a “detailed technical briefing” on the initiative, according to the published remarks.

Between the lines: Compared to past hearings about cyberattacks, Thursday’s congressional hearing will hit close to home for lawmakers given the federal government’s heavy reliance on Microsoft’s products.

  • Many agencies rely on Microsoft as their sole operating system, email provider, cybersecurity product vendor and office software provider.

  • The Software & Information Industry Association — a trade group that represents software vendors — sent a letter Wednesday to agency leaders urging them to find ways to diversify beyond Microsoft.

What we’re watching: Smith will need to provide bulletproof reassurances and transparency about Microsoft’s security plans to lawmakers and regulators to regain their trust in Washington.

  • ghostpony@infosec.pub · 25 points · 5 months ago (edited)

    It’s good that the lawmakers are holding Microsoft responsible and taking them to task about these incidents, but the only reason this is happening is because they were directly affected. If this weren’t the case, MS would’ve published their usual “we take privacy and security very seriously” BS and continued on cashing that check.

    Also Microsoft is “sorry” but does that include giving all the money they got from the government, i.e. the taxes collected from citizens, back? I know the answer is “No” but this is another indicator that the government officials only care about their own privacy and security. If they cared about the taxpayers, they would’ve asked for the money back.

    Edit: Also, there’s a whistleblower: https://www.propublica.org/article/microsoft-solarwinds-golden-saml-data-breach-russian-hackers

    Edit 2, from the ProPublica article:

    “This is part of the problem overall with the industry,” said Nick DiCola, who was one of Harris’ bosses at Microsoft and now works at Zero Networks, a network security firm. Publicly-traded tech giants “are beholden to the share price, not to doing what’s right for the customer all the time. That’s just a reality of capitalism. You’re never going to change that in a public company because at the end of the day, they want the shareholder value to go up.”

    Truer words have never been spoken, Nick.

  • BCsven@lemmy.ca · 16 points · 5 months ago

    German state that moved 30000 seats of Windows over to Linux: Hans, zome schadenfraude dis morning, neh?

    • jmp242@sopuli.xyz · 3 points · 5 months ago

      I think it’s more the cloud being the issue here. Such an obvious and large and valuable target. Of course Microsoft also isn’t that secure historically.