Microsoft’s Role in Email Breach to Be Part of US Cyber Inquiry

(Bloomberg) — A US cybersecurity advisory panel will investigate risks in cloud computing, including Microsoft Corp.’s role in a recent breach of government officials’ email accounts by suspected Chinese hackers, according to two people familiar with the matter.

The Cyber Safety Review Board, which was created by the Biden administration to investigate major cybersecurity events, will focus on risks to cloud computing infrastructure broadly, including identity and authentication management, and will examine all relevant cloud service providers, according to a Department of Homeland Security official. The issue was brought into focus by the breach of Microsoft’s email systems, the official said. Both people asked not to be named so they could discuss sensitive information.

The board’s decision to focus on cloud computing follows a request last month by Senator Ron Wyden to investigate Microsoft’s role in the breach. In a July 27 letter, Wyden asked Attorney General Merrick Garland, Federal Trade Commission Chair Lina Khan and Cybersecurity and Infrastructure Security Agency Director Jen Easterly to investigate Microsoft and hold the company “responsible for its negligent cybersecurity practices.”

A representative for Microsoft didn’t immediately respond to a request for comment.

Microsoft, the world’s largest software maker, is facing increasing scrutiny from computer security experts and government agencies over its ability to protect customers from breaches. Amit Yoran, the chief executive officer of the cybersecurity company Tenable Holdings Inc., criticized Microsoft, saying on LinkedIn that the company’s “lack of transparency applies to breaches, irresponsible security practices and to vulnerabilities, all of which expose their customers to risks they are deliberately kept in the dark about.”

Easterly’s agency, which is known as CISA, manages the board and is responsible for convening it after significant cybersecurity events, according to a 2022 CISA statement when the board was established. Following the conclusion of an investigation, the board issues a report detailing what went wrong and makes recommendations for future changes. 

In an interview, Easterly suggested that Microsoft should “recapture the ethos” of what Microsoft co-founder Bill Gates called “trustworthy computing” in 2002, when he instructed employees to focus on security over adding new features. 

“I absolutely positively think they have to focus on ensuring their products are both secure by default and secure by design, and we are going to continue to work with them to urge them to do that,” Easterly said of Microsoft.

The hack of US officials’ email, which included the accounts of Commerce Secretary Gina Raimondo and State Department officials, took place in the weeks before Secretary of State Antony Blinken traveled to China to meet President Xi Jinping. The hackers got into the networks by taking a Microsoft consumer signing key, which allowed them to obtain access to officials’ emails.

“Government emails were stolen because Microsoft committed another error,” Wyden, a Democrat from Oregon, said in his letter. “Microsoft should not have had a single skeleton key that, when inevitably stolen, could be used to forge access to different customers’ private communications.”

Wyden has also pushed for US officials to investigate the so-called SolarWinds attack, saying in his letter that Microsoft “never took responsibility for its role.” In that attack, which was disclosed in 2020, Russian state-sponsored hackers compromised computer networks in the federal government and private sector. 

SolarWinds was planned as the first investigation carried out by the board, according to the executive order that created it. But that probe never happened. Instead, the board investigated the Log4j software vulnerability and later, the Lapsus$ hacking group, which breached major US companies. The board’s report on Lapsus$ was released on Thursday. 

Wyden said he has been rebuffed in getting CISA and the Department of Homeland Security to direct the board to study the SolarWinds breach.

©2023 Bloomberg L.P.