Microsoft really blew it, says government report on Chinese hacks
A new report from a government-backed cybersecurity board criticizes Microsoft’s security culture, highlighting areas in need of improvement.
The US Department of Homeland Security recently released a scathing report from the Cyber Safety Review Board (CSRB) criticizing Microsoft’s security practices. The report highlights how Microsoft’s inadequate security measures facilitated a breach by a group of hackers associated with the Chinese government last summer. According to the report, the hackers, identified as Storm-0558, exploited vulnerabilities in Microsoft’s authentication system, granting them access to numerous Exchange Online accounts worldwide, including those of senior US officials like Commerce Secretary Gina Raimondo, United States Ambassador to China R. Nicholas Burns, and Congressman Don Bacon.
The CSRB points out that Microsoft failed to adequately safeguard signing keys, which allowed the hackers to compromise email accounts undetected. Microsoft only became aware of the breach when a customer reported an issue, indicating a lack of proactive security measures.
In its report, the CSRB unequivocally states that the intrusion was preventable and criticizes Microsoft’s security culture as inadequate. The board calls for a significant overhaul of Microsoft’s security practices, emphasizing the company’s pivotal role in the technology ecosystem and the trust customers place in it to protect their data and operations.
Responding to the report, a Microsoft spokesperson acknowledged the need for a new security-focused engineering culture within the company. Microsoft emphasized its efforts to address legacy infrastructure, enhance processes, and enforce security standards to mitigate cyber threats.
Furthermore, the CSRB rebuked Microsoft for misidentifying the root cause of the attack in its September 2023 announcement and for not correcting that announcement until March 2024.
Given Microsoft’s essential role in national security and the global economy, the CSRB emphasizes the urgent need for Microsoft to swiftly and substantially address its security vulnerabilities.