Microsoft Accepts Responsibility for Cybersecurity Breach, Vows Stronger Measures
Microsoft's vice chair and president Brad Smith testified before the House Homeland Security Committee last week
Microsoft's vice chair and president accepted responsibility for cybersecurity lapses that led to attacks by Chinese actors as part of the Storm-0558 hack.
A report from the Cyber Safety Review Board found that Microsoft was at fault for the 2023 Storm-0558 hack, which saw Microsoft email accounts including those belonging to U.S. federal agencies compromised after actors stole Microsoft account signing keys to forge authentication tokens for Outlook.
“It's especially important for me to say that Microsoft accepts responsibility for each and every one of the issues cited in the CSRB's report,” Brad Smith said during testimony before the House Homeland Security Committee last week.
Lawmakers questioned Smith on actions Microsoft has taken to prevent future cybersecurity threats from nation-state actors.
The CSRB’s report recommended Microsoft and other cloud service providers improve control mechanisms, adopt a minimum standard for default audit logging and develop more effective victim notification and support mechanisms.
Smith said during his testimony that the company would implement the CSRB’s recommendations and go beyond them through a company-wide Secure Future Initiative, intended to make products and services secure by design and continuously monitored against future threats.
“We recognize that Microsoft plays a unique and critical cybersecurity role. Not only for our customers but for this country. And not only for this country but for this nation’s allies,” Smith said. “This role reflects the wide range of products and services Microsoft provides to individuals and organizations, including cloud services that operate through data centers located in 32 countries around the world.”
Following the Storm-0558 intrusion, Microsoft has enhanced its monitoring capabilities to detect whether any signing keys are improperly exposed in development and testing environments. The Chinese hackers exploited a vulnerability in a Microsoft debug environment that contained the signing key, and from there obtained the key itself.
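The paragraph above describes monitoring for signing keys that leak into development and test environments, which is where the stolen key in this incident came from. The following added example, which is not Microsoft's tooling and not taken from the CSRB report, shows the kind of check such a monitor performs: it scans a constructed crash-dump or log sample for PEM-encoded private keys and for long high-entropy base64 runs (raw key bytes pasted into a debug line), and reports each hit with a redacted preview so the report itself does not re-leak the key. The sample text, the entropy threshold and the regexes are assumptions chosen for illustration.

```python
"""Scan dump/log text for exposed signing-key material (added example, hypothetical tooling)."""
import math
import re
from dataclasses import dataclass

# PEM-encoded private keys: the most recognizable form of leaked signing material.
PEM_RE = re.compile(
    r"-----BEGIN (?P<kind>(?:[A-Z]+ )?PRIVATE KEY)-----.*?-----END (?P=kind)-----",
    re.DOTALL,
)
# Long base64/base64url runs that may be raw key bytes or a JWK pasted into a log line.
BLOB_RE = re.compile(r"[A-Za-z0-9+/=_-]{40,}")
# Assumed threshold in bits per character; random key bytes in base64 score close to 6.0,
# while long but repetitive identifiers (all-zero request ids, padding) score far lower.
ENTROPY_THRESHOLD = 4.5


@dataclass
class Finding:
    line_no: int   # 1-based line on which the material starts
    kind: str      # "pem" or "high-entropy-blob"
    preview: str   # redacted excerpt, never the full secret


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or single-symbol string)."""
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0


def redact(s: str) -> str:
    """Keep only a short prefix plus the length so reports can be triaged without re-leaking the key."""
    return f"{s[:8]}...[{len(s)} chars]"


def scan_text(text: str) -> list[Finding]:
    findings: list[Finding] = []

    # Pass 1: PEM blocks, which may span several lines. Blank out each match (keeping its
    # newlines so later line numbers stay correct) so pass 2 does not report it again.
    def _record_pem(m: re.Match) -> str:
        line_no = text.count("\n", 0, m.start()) + 1
        findings.append(Finding(line_no, "pem", redact(m.group(0))))
        return re.sub(r"[^\n]", " ", m.group(0))

    remaining = PEM_RE.sub(_record_pem, text)

    # Pass 2: per line, flag long base64-looking runs only if their entropy is high enough.
    for line_no, line in enumerate(remaining.splitlines(), start=1):
        for m in BLOB_RE.finditer(line):
            blob = m.group(0)
            if shannon_entropy(blob) >= ENTROPY_THRESHOLD:
                findings.append(Finding(line_no, "high-entropy-blob", redact(blob)))

    return sorted(findings, key=lambda f: f.line_no)


# Constructed sample: a fake debug-service log with a placeholder PEM block and a fake
# 64-character blob (the full base64 alphabet, so its entropy is exactly 6.0 bits/char).
# The all-zero request id on the last line is long but low-entropy and must not be flagged.
SAMPLE_DUMP = """\
2024-06-01T10:00:00Z INFO token-service started build=dev-4711
2024-06-01T10:00:01Z DEBUG loaded config from /etc/tokensvc/config.yaml
-----BEGIN RSA PRIVATE KEY-----
PLACEHOLDER-NOT-A-REAL-KEY-BODY-LINE-ONE
PLACEHOLDER-NOT-A-REAL-KEY-BODY-LINE-TWO
-----END RSA PRIVATE KEY-----
2024-06-01T10:00:02Z DEBUG signing_key_b64: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
2024-06-01T10:00:03Z INFO request_id=0000000000000000000000000000000000000000 status=200
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_DUMP):
        print(f"line {f.line_no}: {f.kind} {f.preview}")
```

Run stand-alone, the script reports the PEM block starting on line 3 and the blob on line 7, and stays silent on the zero-filled request id. In a real pipeline the same scan would run over crash dumps and build artifacts before they leave the production boundary, and every hit would be treated as a key-compromise event rather than a lint warning.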
During his testimony, Smith said cyberattacks by nation-state actors have increased in the wake of geopolitical conflicts like the war in Ukraine and that adversaries like Russia and China are collaborating closely.
“In the 28 months since that war began and as tensions have grown elsewhere, we have seen more prolific, well-resourced and sophisticated cyberattacks by four countries – Russia, China, Iran and North Korea,” Smith said. “By any measure, lawless and aggressive cyber activity has reached an extraordinary level. During the past year, Microsoft detected 47 million phishing attacks against our network and employees. But this is modest compared to the 345 million cyber attacks we detect against our customers every day. Too often these actions take place without effective reprisals or deterrence, reflecting in part the degree to which international law and norms of conduct are incomplete or lack meaningful enforcement.”
Following the Storm-0558 hack, Smith said Microsoft acknowledges it could have done better, and he apologized to those who were impacted.
“We accept responsibility for the past and are applying what we’ve learned to help build a more secure future,” he said. “We are pursuing new strategies, investing more resources and fostering a stronger cybersecurity culture.”
Smith told lawmakers the company has now hired 34,000 full-time engineers in what he described as “the single largest cybersecurity engineering project in the history of digital technology.”
He also called on the U.S. government to improve its own cyber defenses following the incident, including asking Congress to assess stronger punishments for the nation-states behind attacks.
“Today, public attribution remains inconsistent and much of the malicious cyber activity remains in the shadows,” Smith said. “Deter nation-state threat actors by imposing appropriate punishment so that the actions of nation-state actors are not without a cost. To accomplish this Congress should assess whether additional steps are needed to strengthen countermeasures against nation-state threat.”
The Microsoft president also called for the government to adopt the CSRB’s recommendation for an alert system that would notify victims of breaches.
“Microsoft stands ready to contribute,” Smith said after suggesting such a system would require the government to form partnerships with the private sector.