Congress questions Microsoft boss after a ‘cascade’ of security errors

The House Homeland Security Committee grilled Microsoft President Brad Smith on Thursday about the software giant’s plans to improve its security after devastating hacks reached into federal officials’ email accounts, challenging the company’s fitness as a dominant government contractor.

The questioning followed a withering report on one of those breaches, in which the federal Cyber Safety Review Board found the event was made possible by a “cascade of avoidable errors” and a security culture “that requires an overhaul.”

In that hack, suspected agents of China’s Ministry of State Security last year created digital keys using a tool that allowed them to pose as any existing Microsoft customer. Using that tool, they impersonated 22 organizations, including the U.S. Departments of State and Commerce, and rifled through Commerce Secretary Gina Raimondo’s emails and those of others.

The event triggered the sharpest criticism in decades of the stalwart federal vendor, and it has prompted rival companies and some authorities to push for less government reliance on its technology. Two senators wrote to the Pentagon last month, asking why the agency plans to improve unclassified Defense Department tech security with more expensive Microsoft licenses instead of with alternative vendors.

“Cybersecurity should be a core attribute of software, not a premium feature that companies upsell to deep-pocketed government and corporate customers,” wrote Sens. Eric Schmitt (R-Mo.) and Ron Wyden (D-Ore.). “Through its buying power, DOD’s strategies and standards have the power to shape corporate strategies that result in more resilient cybersecurity services.”

Any serious shift in executive branch spending would take years, but Department of Homeland Security leaders say plans are in motion to add security guarantees and requirements to more government purchases – an idea touted in the Cyber Safety Review Board’s Microsoft report. The report found that current requirements “do not consistently require sound practices” for authenticating users.

Homeland Security Committee members of both parties followed that theme Thursday, asking Smith to explain the risks of having the military depend on a single vendor. Smith argued that a multi-vendor environment is equally risky, because hackers can more easily break in at the “seams” where two systems connect.

Smith ran out the clock on some members’ questions and smoothly deflected multiple inquiries, including several about a Thursday ProPublica report that said a Microsoft security expert had repeatedly complained about a company authentication flaw that was exploited years later, in the hacks of software company SolarWinds and its government customers.

The same flaw was called out in the intervening years by security companies CyberArk and Mandiant without being fixed.

Smith said that he hadn’t read the article and that the flaw in question involved an industry standard instead of a Microsoft product.

Other representatives pressed Smith about the company’s dealings in China, prompting him to say the nation generates less than 1.5 percent of Microsoft’s revenue. Smith also said that the company was there mainly to serve other American companies and that Microsoft does not obey the Chinese law requiring all organizations to cooperate with national intelligence agencies and the military.

“Every time there is something remotely close to a request, I make sure we say no,” Smith said to one openly skeptical member of the committee.

In written testimony submitted earlier, Smith echoed previous statements welcoming the findings of the review board, which was established by a White House executive order. Smith touted a companywide security initiative that has brought in 1,600 security engineers in the current fiscal year and will add another 800 positions next year.

Smith said Microsoft had made security its top priority throughout the company and would fulfill the review board’s recommendations for both the company and the industry as a whole.

“Microsoft accepts responsibility for each and every one of the issues cited in the CSRB’s report,” Smith testified.

Smith’s testimony raised eyebrows among some security professionals who pointed to Microsoft’s rollout this month of a Windows feature called Recall, which takes screenshots of most activity on a personal computer every few seconds and stores them to make searching for past actions easier.

Though Microsoft said that users would only be able to see their own histories and that they would otherwise remain encrypted and stored locally, experts called it a treasure trove for electronic intruders. They alleged that anyone with administrative rights to a machine could spy on other users, and that a hacker could export and read files, including records of financial passwords and encrypted messages, if they broke in.

After declining to comment on those reports for more than a week, Microsoft said that it would not ship software with Recall automatically active, as planned, and that it would require more authentication by a user to turn on the feature.

In his written testimony, Smith cited that reversal as an example of the company’s revitalized efforts in security.