Microsoft’s Role in Email Breach to Be Part of Cyber Inquiry


(Bloomberg) -- A US cybersecurity advisory panel will investigate malicious targeting of cloud computing environments, including Microsoft Corp.’s role in a recent breach of government officials’ email accounts by suspected Chinese hackers, the Department of Homeland Security confirmed on Friday.


The review by the Cyber Safety Review Board, which was created by the Biden administration to investigate major cybersecurity events, will focus on approaches cloud service providers, the government and industry should employ to strengthen identity management and authentication in the cloud, according to a DHS statement.

Homeland Security officials began considering whether the email breach would be an appropriate subject for board review “immediately upon learning of the incident in July,” according to the statement.

“Organizations of all kinds are increasingly reliant on cloud computing to deliver services to the American people, which makes it imperative that we understand the vulnerabilities of that technology,” said Secretary of Homeland Security Alejandro Mayorkas. “Cloud security is the backbone of some of our most critical systems, from our e-commerce platforms to our communication tools to our critical infrastructure.”

Bloomberg News, citing two people familiar with the matter, previously reported the board would review cloud security and Microsoft’s role in the email breach. Shares of Microsoft were down about 1% on Friday morning in New York.

The board’s decision to focus on cloud computing follows a request last month by Senator Ron Wyden to investigate Microsoft’s role in the breach. In a July 27 letter, Wyden asked Attorney General Merrick Garland, Federal Trade Commission Chair Lina Khan and Cybersecurity and Infrastructure Security Agency Director Jen Easterly to investigate Microsoft and hold the company “responsible for its negligent cybersecurity practices.”

Microsoft didn’t respond to requests for comment.

Wyden, in a statement, said he applauded the decision. “The government will only be able to protect federal systems against cyberattacks by getting to the bottom of what went wrong,” he said.

Microsoft, the world’s largest software maker, is facing increasing scrutiny from computer security experts and government agencies over its ability to protect customers from breaches. Amit Yoran, the chief executive officer of the cybersecurity company Tenable Holdings Inc., criticized Microsoft, saying on LinkedIn that the company’s “lack of transparency applies to breaches, irresponsible security practices and to vulnerabilities, all of which expose their customers to risks they are deliberately kept in the dark about.”

Easterly’s agency, which is part of the Department of Homeland Security and known as CISA, manages the board and is responsible for convening it after significant cybersecurity events, according to a 2022 statement issued when the board was established. Following the conclusion of an investigation, the board issues a report detailing what went wrong and makes recommendations for future changes.

In an interview, Easterly suggested that Microsoft should “recapture the ethos” of what Microsoft co-founder Bill Gates called “trustworthy computing” in 2002, when he instructed employees to focus on security over adding new features.

“I absolutely positively think they have to focus on ensuring their products are both secure by default and secure by design, and we are going to continue to work with them to urge them to do that,” Easterly said of Microsoft.

The hack of US officials’ email, which included the accounts of Commerce Secretary Gina Raimondo and State Department officials, took place in the weeks before Secretary of State Antony Blinken traveled to China to meet President Xi Jinping. The hackers got in by obtaining a Microsoft consumer signing key, which they used to forge credentials that granted access to officials’ emails.

“Government emails were stolen because Microsoft committed another error,” Wyden, a Democrat from Oregon, said in his letter. “Microsoft should not have had a single skeleton key that, when inevitably stolen, could be used to forge access to different customers’ private communications.”
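As an added illustration, not taken from the article and not Microsoft’s code, the toy token issuer and validators below show why a single signing key trusted across customer boundaries is a “skeleton key.” A validator that only asks “is this signature from a key I know?” accepts a token minted with a stolen consumer key for an enterprise mailbox; a validator that also binds each key to the issuer it is allowed to vouch for rejects the same token while still accepting legitimate consumer logins. The key names, issuer URLs, secrets and mailbox addresses are invented for the example, and HMAC stands in for the asymmetric signing a real identity provider would use.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed key store for the illustration (hypothetical names and secrets).
# Real identity providers use asymmetric keys held in an HSM; HMAC keeps this
# example self-contained.
KEYS = {
    "consumer-key-1": {
        "secret": b"consumer-secret-0001",
        "issuer": "https://login.consumer.example",
    },
    "enterprise-key-1": {
        "secret": b"enterprise-secret-0001",
        "issuer": "https://login.enterprise.example",
    },
}

ENTERPRISE_MAIL = "https://mail.enterprise.example"  # hypothetical audience
CONSUMER_MAIL = "https://mail.consumer.example"      # hypothetical audience


def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64u_dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint(kid: str, secret: bytes, issuer: str, subject: str, audience: str, ttl: int = 3600) -> str:
    """Sign a JWT-style token (header.payload.signature) with the given key.

    Whoever holds `secret` can write any `issuer` into the payload; nothing in
    the token itself stops a consumer key from claiming the enterprise issuer.
    """
    header = {"alg": "HS256", "kid": kid}
    payload = {"iss": issuer, "sub": subject, "aud": audience, "exp": int(time.time()) + ttl}
    signing_input = _b64u(json.dumps(header).encode()) + "." + _b64u(json.dumps(payload).encode())
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64u(sig)


def _check_signature_and_claims(token: str, expected_aud: str):
    """Checks both validators share: known kid, valid MAC, right audience, not expired.
    Returns (payload, key record) on success, None otherwise."""
    h, p, s = token.split(".")
    header = json.loads(_b64u_dec(h))
    payload = json.loads(_b64u_dec(p))
    key = KEYS.get(header.get("kid"))
    if key is None:
        return None
    expected = hmac.new(key["secret"], f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64u_dec(s)):
        return None
    if payload.get("aud") != expected_aud or payload.get("exp", 0) < time.time():
        return None
    return payload, key


def verify_weak(token: str, expected_aud: str):
    """Skeleton-key validator: every key in the store is trusted for every issuer,
    so a stolen consumer key can vouch for enterprise identities."""
    result = _check_signature_and_claims(token, expected_aud)
    return None if result is None else result[0]["sub"]


def verify_strict(token: str, expected_aud: str):
    """Hardened validator: the signing key must belong to the issuer the token
    claims, so a consumer key can only vouch for consumer identities."""
    result = _check_signature_and_claims(token, expected_aud)
    if result is None:
        return None
    payload, key = result
    if payload.get("iss") != key["issuer"]:
        return None
    return payload["sub"]


def forge_with_stolen_consumer_key(victim: str) -> str:
    """What an attacker holding only the consumer key can mint: a token naming
    the enterprise issuer and an enterprise mailbox as its audience."""
    stolen = KEYS["consumer-key-1"]["secret"]
    return mint("consumer-key-1", stolen, KEYS["enterprise-key-1"]["issuer"], victim, ENTERPRISE_MAIL)


if __name__ == "__main__":
    forged = forge_with_stolen_consumer_key("official@enterprise.example")
    print("weak validator accepts forged token as:", verify_weak(forged, ENTERPRISE_MAIL))
    print("strict validator accepts forged token as:", verify_strict(forged, ENTERPRISE_MAIL))
    legit = mint("consumer-key-1", KEYS["consumer-key-1"]["secret"],
                 KEYS["consumer-key-1"]["issuer"], "user@consumer.example", CONSUMER_MAIL)
    print("strict validator accepts legitimate consumer token as:", verify_strict(legit, CONSUMER_MAIL))
```

The difference between the two validators is one comparison, the key-to-issuer binding in `verify_strict`. Audience and expiry checks alone do not help, because the attacker controls every claim in a token signed with a key the verifier trusts; only limiting what each key is allowed to assert keeps one leaked key from becoming a key to every tenant.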

Wyden has also pushed for US officials to investigate the so-called SolarWinds attack, saying in his letter that Microsoft “never took responsibility for its role.” In that attack, which was disclosed in 2020, Russian state-sponsored hackers compromised computer networks in the federal government and private sector.

SolarWinds was planned as the first investigation carried out by the board, according to the executive order that created it. But that probe never happened. Instead, the board investigated the Log4j software vulnerability and later, the Lapsus$ hacking group, which breached major US companies. The board’s report on Lapsus$ was released on August 10.

Wyden said he has been rebuffed in getting CISA and the Department of Homeland Security to direct the board to study the SolarWinds breach.

“Had the board studied the 2020 SolarWinds hack, as President Biden originally directed, its findings might have been able to shore up federal cybersecurity in time to stop hackers from exploiting a similar vulnerability in the most recent incident,” Wyden said, in his statement released on Friday.

(Updates with additional information in first four paragraphs.)


©2023 Bloomberg L.P.
