Microsoft is driving its company culture to make security a top priority, President Brad Smith testified to Congress on Thursday, promising that security will be “even more important than the company’s work in artificial intelligence.”
Satya Nadella, Microsoft’s CEO, “has taken the responsibility personally to serve as the senior executive with overall responsibility for Microsoft’s security,” Smith told Congress.
His testimony comes after Microsoft admitted it could have taken steps to prevent two aggressive nation-state cyber attacks from China and Russia.
According to Microsoft whistleblower Andrew Harris, Microsoft spent years ignoring a vulnerability while he proposed fixes for the “security nightmare.” Instead, Microsoft feared it could lose its government contract by reporting the bug and allegedly played down the problem, choosing profits over security, ProPublica reported.
ProPublica reported that this apparent negligence contributed to one of the largest cyber attacks in US history, the Russian campaign in which several federal agencies were hit, giving attackers access to sensitive government information, including data from the National Nuclear Security Administration and the National Institutes of Health. In a separate attack, hackers linked to China stole 60,000 US State Department emails, Reuters reported. Even Microsoft itself was breached, with a Russian group accessing the emails of senior staff this year, including “their correspondence with government officials,” Reuters reported.
“We recognize that we can and must do better,” Smith told Congress today, according to his prepared written testimony. “As a company, we must strive for excellence in protecting this nation’s cybersecurity. Every day we fall short is a bad day for cybersecurity and a terrible moment at Microsoft.”
To reinforce the shift in company culture toward “empowering and rewarding every employee to find security issues, report them” and “help fix them,” Smith said Nadella sent an email to all staff asking that security always remain top of mind.
“If you’re faced with a trade-off between security and another priority, your answer is clear: Make it security,” Nadella’s email said. “In some cases, this will mean prioritizing security over other things we do, such as releasing new features or providing ongoing support for legacy systems.” To ensure everyone is on board, Microsoft has also begun tying executive pay to meeting security goals.
Microsoft to adopt all government recommendations
Smith was the only witness to testify at a House Homeland Security Committee hearing titled, “A Cascade of Security Failures: Assessing Microsoft Corporation’s Cybersecurity Deficiencies and Implications for National Security.”
He told Congress that Microsoft was following all 16 recommendations that the Cyber Safety Review Board (CSRB) made in a report that “identified a series of Microsoft operational and strategic decisions that collectively point to a corporate culture that deprioritized both enterprise security investments and rigorous risk management.”
As part of those obligations, Microsoft has pledged to stop charging for key security-related features like the more detailed logging that the CSRB said should be a core part of their cloud service. (Last July, Microsoft began changing that culture by expanding the accessibility and flexibility of cloud logging to give customers “access to the most extensive cloud security logs” at no additional cost.)
Smith also said Microsoft was “pursuing new strategies, investing more resources and fostering a stronger cybersecurity culture.” This includes adding “an additional 18 concrete security objectives” beyond the CSRB’s recommendations and “dedicating the equivalent of 34,000 full-time engineers to what has become the single largest cybersecurity engineering project in the history of digital technology,” Microsoft’s Secure Future Initiative (SFI).
Microsoft also strengthened its security team, Smith said, adding “1,600 more security engineers this fiscal year” and planning to “add another 800 new security positions” in the next fiscal year. Additionally, the company’s Chief Information Security Officer (CISO) will now lead an office of senior-level deputy CISOs to extend oversight of the various engineering teams and to assess and ensure that security enters into decision-making and engineering processes.
Smith described SFI as “a multi-year effort” focusing all of Microsoft’s product and service development efforts “on achieving the highest possible standards for security.” He warned that online threats are always evolving, but said Microsoft was committed to supporting projects in core cybersecurity principles that would prioritize security in product designs and ensure that defenses are never optional and always enabled by default.
The initiative is part of Microsoft’s plan to regain trust after Smith and Microsoft previously appeared not to accept full responsibility for the Russian cyber attack. In 2021, Smith told Congress that “there were no vulnerabilities in any Microsoft products or services that were exploited” in that cyberattack, while arguing that “customers could have done more to protect themselves,” ProPublica reported.
In an exchange with Sen. Marco Rubio (R-Fla.), Smith specified that customers could have paid for “an antivirus product like Microsoft Defender and securing devices with another Microsoft product called Intune,” ProPublica reported.
Now, Smith told Congress on Thursday, “Microsoft accepts responsibility for each of the issues cited in the CSRB report. Without equivocation or hesitation. And without any sense of defensiveness.”