In that hack, suspected agents of China’s Ministry of State Security last year generated digital keys using a tool that allowed them to pose as any existing Microsoft customer. Using that tool, they impersonated 22 organizations, including the US State and Commerce departments, and stole the email of Commerce Secretary Gina Raimondo, among others.
The incident sparked the fiercest criticism in decades for the federal powerhouse vendor and has prompted rival companies and some authorities to seek less government support for its technology. Two senators wrote to the Pentagon last month, asking why the agency plans to improve the security of unclassified Defense Department technology with more expensive Microsoft licenses instead of alternative vendors.
“Cybersecurity should be a core attribute of software, not a premium feature that companies sell to deep-pocketed government and corporate customers,” wrote Sens. Eric Schmitt (R-Mo.) and Ron Wyden (D-Ore.). “Through its purchasing power, DOD’s strategies and standards have the power to shape corporate strategies that result in more resilient cybersecurity services.”
Any serious changes to executive branch spending would take years, but Homeland Security Department officials say plans are in motion to add safeguards and security requirements to more government purchases — an idea championed in the Cyber Security Review Board’s report on the Microsoft hack. The report found that current requirements “do not consistently require sound practices” for user authentication.
Bipartisan Homeland Security committee members took up the issue Thursday, asking Smith to explain the dangers of the military’s reliance on a single vendor. Smith argued that a multi-vendor environment was just as dangerous because hackers could more easily get into the “seams” where two systems connect.
Smith spent the hour fielding questions from several members and smoothly dodged numerous questions, including some about a Thursday ProPublica report that said a Microsoft security expert had repeatedly complained about a flaw in the company’s authentication technology that was exploited years later in the hacks of software company SolarWinds and its government clients.
The same flaw was pointed out in previous years by security companies CyberArk and Mandiant without being fixed.
Smith said he had not read the article and that the flaw in question involved an industry standard rather than a Microsoft product.
Other representatives pressed Smith about the company’s dealings in China, prompting him to say that the country generates less than 1.5 percent of Microsoft’s revenue. Smith also said the company was there primarily to serve other American companies and that Microsoft does not obey Chinese law that requires all organizations to cooperate with national intelligence agencies and the military.
“Anytime there’s anything close to a request, I make sure we say no,” Smith told an openly skeptical committee member.
In written testimony filed earlier, Smith echoed earlier statements welcoming the findings of the review board, which was created by a White House executive order. Smith promoted a company-wide security initiative that has brought on 1,600 security engineers in the current fiscal year and will add another 800 positions next year.
Smith said the company had made safety its top priority company-wide and would comply with the review board’s recommendations both for the company and the industry as a whole.
“Microsoft accepts responsibility for each of the issues cited in the CSRB report,” Smith testified.
Smith’s testimony raised eyebrows among some security professionals, who pointed to Microsoft’s rollout this month of a Windows feature called Recall, which captures snapshots of much of the activity on a PC every few seconds and saves them to make it easier to search for past actions.
Although Microsoft said users would only be able to see their own snapshots and that they would otherwise remain encrypted and stored locally, experts called it a treasure trove for cyber intruders. They claimed that anyone with administrative rights to a machine could spy on other users and that a hacker who got inside could export and read the files, including financial records, passwords and encrypted messages.
After declining to comment on those reports for more than a week, Microsoft said it would not ship software with Recall automatically enabled, as planned, and would require more authentication from a user to enable it.
In his written testimony, Smith cited that change as an example of the company’s revitalized efforts at security.