Microsoft's Brad Smith summoned by Homeland Security committee over 'cascade' of infosec failures

The US government wants to make Microsoft's vice chair and president, Brad Smith, the latest tech figurehead to field questions from a House committee on its recent cybersecurity failings.

The House Committee on Homeland Security has proposed the hearing take place later this month on May 22. It will be referred to as "A Cascade of Security Failures: Assessing Microsoft Corporation's Cybersecurity Shortfalls and the Implications for Homeland Security."

In recent times, Microsoft has faced a barrage of criticism following some significant revelations about its security practices. Namely, the attack on Microsoft Exchange in June 2023 was arguably the catalyst for the heightened focus on the goings on at its Redmond HQ. 

Senior US officials had their email accounts compromised as a result of the attack pinned to China-linked Storm-0558, which made off with circa 60,000 emails that it definitely shouldn't have had access to. Incidents as serious as that tend to be met with some scrutiny.

The PR nightmare Microsoft faced at the time was once again reignited more recently by the Cyber Safety Review Board's (CSRB) investigation into how the attack was able to unfold. 

The conclusions were scathing. Among the more cutting excerpts included the CSRB's recommendation for "rapid cultural change" and its assessment that a "cascade of avoidable errors" were to blame for the attack's success.

The CSRB also blasted Microsoft for leaving a September blog post that 'explained' how the attackers gained access to Exchange – which it never proved to be true – up for months all while knowing it was just one of the 46 hypotheses it investigated that yielded no concrete conclusions.

The House Committee on Homeland Security's letter to Smith also referred to a January attack, this time at the hands of Russia's Midnight Blizzard crew, otherwise known as Cozy Bear and APT29 – the same lot behind a string of major worldwide systems attacks exploiting a flaw in widely used network management software made by SolarWinds.

Midnight Blizzard broke into email accounts, but this time it was those belonging to Microsoft's execs rather than US officials. The attackers stole messages and files from the company leadership team, and the cybersecurity and legal divisions. Two months later Microsoft admitted source code was also stolen and the Russians gained access to internal systems.

"These cyber intrusions not only undermine public confidence in Microsoft's ability to safeguard its operating systems, cloud platforms, and productivity software, but also raise serious questions about an apparent lack of accountability and oversight," the letter to Smith, seen by CNBC, reads. 

"It is imperative that Microsoft, which accounts for nearly 85 percent of the market share in the US government's productivity software, be held to the same level of accountability as the rest of the US government's trusted vendors."

In a blog post last week, Charlie Bell, exec veep at Microsoft Security, acknowledged both incidents, saying "we must and will do more."

He went on to reveal that major changes in Microsoft's culture were coming, following the advice of the CSRB's report. Bell said Microsoft is prioritizing security above everything else and all other features, adding that it's focusing on six key pillars:

Protect identities and secrets

Protect tenants and isolate production systems

Protect networks

Protect engineering systems

Monitor and detect threats

Accelerate response and remediation

The six pillars form the new backbone of its Secure Future Initiative (SFI) which it launched in November 2023 amid mounting pressure to take action following the June Exchange breach.

At launch, the SFI focused largely on AI and how it was going to help it "find the right needle in a sea of needles" – a different take on the classic haystack and needle metaphor. 

Software engineering should be overhauled too, it urged. Adopting security by design and security by default principles would also be fundamental to Microsoft's infosec approaches going forward, it added. 

Security expert and former Microsoft security analyst Kevin Beaumont, who was openly critical about certain aspects of his former employer's security while still working there, called its response to the CSRB the company's "last chance saloon moment on security."

In a blog dissecting the communications from Microsoft about its proposed changes, Beaumont said that despite expecting "more clanger breaches" to come and that it will take years to fully implement those plans, Microsoft was taking the right approach. 

"Microsoft are on the right track here towards earning my trust back as a customer," he said. "They're talking about real internal issues at Microsoft – in a corporate blog cosplay way of course – and actually heading straight at long-standing and festering issues which need addressing."

Although the House Committee on Homeland Security proposed May 22 as the date for Smith's hearing, nothing has been put in the calendar yet. Smith and Microsoft are reportedly mulling their response, but have not committed to any firm dates at this stage.

We pressed Microsoft for a response on this but it didn't immediately provide one, although it did acknowledge the request. ®