Brad Smith Says the Tech Giant ‘Accepts Responsibility’ for Cyber Breaches
Microsoft President Brad Smith during a tense U.S. congressional hearing Thursday acknowledged responsibility for a series of security failures that facilitated multiple high-profile state-sponsored cyberattacks targeting government institutions and the company itself.
Lawmakers on the House Committee on Homeland Security grilled Smith over Microsoft’s failure to address critical vulnerabilities and its mishandling of whistleblower warnings, which they argued led to the SolarWinds attack and other major breaches that federal cyber authorities say could have been avoided.
Rep. Mark Green, R-Tenn., who chairs the committee, described recent federal findings about Microsoft’s security blunders as “extremely concerning” and said the company’s “underinvestment in essential security measures exposed critical vulnerabilities.”
“Microsoft is deeply integrated into our nation’s digital infrastructure,” Green said, adding that the company has a “heightened responsibility” to ensure federal systems are protected from intrusion.
The hearing took place the same day ProPublica released a bombshell report alleging Microsoft ignored warnings from a whistleblower about a critical vulnerability that left the company susceptible to Russian hackers for several years. The whistleblower left the company in August 2020 out of frustration with its handling of the security flaw that ultimately facilitated Russia’s attack against SolarWinds just months later.
The federally empaneled Cyber Safety Review Board in a report published following a seven-month probe of the company’s security practices blamed Microsoft’s corporate culture for deprioritizing enterprise security investments and allowing preventable security breaches.
“Before I say anything else, I think it’s especially important for me to say that Microsoft accepts responsibility for each and every one of the issues cited in the CSRB’s report,” Smith said in his prepared opening remarks, adding: “Without equivocation or hesitation.”
The Russian state hacking group tracked as Midnight Blizzard, also known as APT29 and CozyBear, breached senior Microsoft executives’ email inboxes after using an unsophisticated hacking technique (see: Microsoft’s Latest Hack Sparks Major Security Concerns). The incident came less than a year after Microsoft disclosed that a group of Chinese hackers breached customers’ email systems as part of a cyberespionage campaign targeting federal agencies and other major organizations.
Lawmakers on both sides of the political aisle expressed doubts over whether Microsoft has been fully transparent with its customers and the federal government in the wake of recent security breaches. The ProPublica report published Thursday says that Smith testified to the Senate Intelligence Committee in 2017 that Microsoft became aware of the flaw leading to the SolarWinds attack only after the cybersecurity firm CyberArk published a blog post describing the exploit, known as Golden SAML.
“My concerns about whether we can rely on Microsoft to be transparent were heightened this morning when I read a ProPublica article about how an employee alerted Microsoft’s leadership to a vulnerability,” said ranking member Rep. Bennie Thompson, D-Mo. “That vulnerability was ultimately used by Russian hackers to carry out secondary phases of the SolarWinds attack in 2020.”
“Transparency is the foundation of trust, and Microsoft needs to be more transparent,” he said.
In response, Smith testified that Microsoft has made changes to its corporate governance structure to improve enterprisewide cybersecurity efforts and “integrate security into every process.” The company has added deputy CISOs to each of its components as part of its Secure Future Initiative, Smith said. The company launched the initiative in November 2023 (see: Microsoft Overhauls Security Practices After Major Breaches).
Smith also told lawmakers he is not aware of any vulnerabilities within Microsoft’s operating system that could affect government networks and said the company was “focused on identifying every vulnerability our employees can find.”
AJ Grotto, director of Stanford University’s geopolitics, technology and governance program and former senior White House director for cyber policy, said Microsoft “uses restrictive licensing to dominate the public sector” despite repeatedly putting federal networks in harm’s way.
“We’ve become accustomed to security flaws in Microsoft’s products, followed by promises from Microsoft to improve security, only to have the cycle repeat – with no consequences for Microsoft,” Grotto said in a statement sent to Information Security Media Group. Grotto urged lawmakers to demand the company “develop and share with Congress a plan for diversifying its exposure to cybersecurity risk.”
Smith told the House committee Microsoft has begun implementing 16 of the CSRB’s recommendations that apply directly to the company and added an additional 18 security measures to help improve its overall cyber posture.
Asked directly about the risk associated with the federal government’s reliance on a single technology vendor, Smith acknowledged potential concerns but said a network with too many players could be equally problematic.
“Just as there is risk relying on one vendor, there are risks in relying on multiple vendors,” Smith said. “Fundamentally, whether you have one vendor or multiple, the problem is similar – we all need to work together and just keep making progress.”
Big Breaches: Cybersecurity Lessons for Everyone
InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot