Éric Geller
When Microsoft revealed in January that hackers from foreign governments had breached its systems, the news sparked a new wave of recriminations about the security posture of the world’s largest tech company.
Despite the angst of policymakers, security experts, and competitors, Microsoft has suffered no consequences for its recent, embarrassing failure. The U.S. government has continued to buy and use Microsoft products, and most senior officials have refused to publicly rebuke the tech giant. It is a reminder of how Microsoft has become virtually immune to government accountability, even as the Biden administration pledges to force big tech companies to take on more responsibility for America’s cyber defense.
That’s unlikely to change, even in the wake of a new report from the Cybersecurity Review Board (CSRB), a body of government and industry experts, criticizing Microsoft for failing to prevent one of the worst hacking incidents in the company’s recent history. The report states that “Microsoft’s security culture is inadequate and requires an overhaul.”
Microsoft’s near-untouchable position is the result of several intertwined factors. It is by far the largest technology vendor to the U.S. government, powering computers, drafting documents, and handling email from the Pentagon to the State Department to the FBI. It is a key partner in government cyber defense initiatives, with almost unmatched visibility into hackers’ activities and ample capabilities to disrupt their operations. And its executives and lobbyists have tirelessly touted the company as a leading force for a safer digital world.
These enviable advantages are partly why senior government officials have refused to criticize Microsoft, even as hackers linked to the Russian and Chinese governments have repeatedly broken into the company’s computer systems, according to cybersecurity experts, lawmakers, former government officials, and employees at Microsoft’s competitors.
Those people, some of whom requested anonymity to speak candidly about the U.S. government and the undisputed giant of its industry, say the government’s relationship with Microsoft is crippling Washington’s ability to defend itself against major cyberattacks that jeopardize sensitive information and threaten critical services. Microsoft, they say, has largely escaped scrutiny.
Microsoft has a long history of security breaches, but the last few years have been especially bad for the company.
In 2021, Chinese government hackers discovered and used flaws in Microsoft’s email servers to break into the company’s customers, before the flaws became public and unleashed a frenzy of attacks. In 2023, China broke into the email accounts of 22 federal agencies, spying on senior State Department officials and Commerce Secretary Gina Raimondo ahead of several U.S. delegation trips to Beijing. Three months ago, Microsoft revealed that Russian government hackers had used a simple trick to access the emails of some of Microsoft’s most senior executives, cyber experts, and lawyers. Last month, the company said the attack had also compromised some of its source code and “secrets” shared between employees and customers. On Thursday, the Cybersecurity and Infrastructure Security Agency (CISA) confirmed that those customers included federal agencies and issued an emergency directive warning agencies whose emails were exposed to look for signs that Russian hackers were attempting to use login credentials found in those emails.
These incidents come as security experts criticize Microsoft for failing to promptly and adequately fix flaws in its products. As the largest technology vendor to the U.S. government by far, Microsoft’s vulnerabilities make up the largest share of newly discovered and most widely exploited software flaws. Many experts say Microsoft is refusing to make the investments in cybersecurity needed to keep up with evolving threats.
Microsoft has not “adapted its security investment point and mindset to the threat,” says a leading cyber policy expert. “That’s a huge difference between who has the resources and the in-house engineering capability that Microsoft has.”
The Department of Homeland Security’s CSRB backed up this view in its new report on the 2023 China intrusion, saying Microsoft had “a corporate culture that deprioritized investments in enterprise security and rigorous threat management.” The report also criticizes Microsoft for publishing inaccurate information about the possible causes of the latest Chinese intrusion.
The recent breaches reveal Microsoft’s inability to implement critical security defenses, according to several experts.
Adam Meyers, senior vice president of intelligence at security firm CrowdStrike, highlights the Russians’ ability to move from a test environment to a production environment. “This should never happen,” he says. Another cyber expert who works at a Microsoft competitor pointed to China’s ability to spy on the communications of multiple organizations through a single intrusion, echoing the CSRB report, which criticized Microsoft’s authentication system for allowing broad access with a single login key.
“You don’t hear other cloud service providers talking about those kinds of breaches,” Meyers says.
According to the CSRB report, Microsoft “has sufficiently prioritized restructuring its existing infrastructure to address the existing risk landscape.”
In response to written questions, Microsoft told WIRED that it has moved aggressively to respond to the recent incidents.
“We are committed to adapting to the evolving risk landscape and building partnerships between industry and government to protect us from global and developing risks,” said Steve Faehl, director of leadership generation for Microsoft’s Federal Security business.
As part of its Secure Future Initiative unveiled in November, Faehl says, Microsoft has improved its ability to automatically detect and block abuse of employee accounts, started looking for more types of sensitive data in network traffic, reduced the access granted through individual authentication keys, and created new authorization requirements for employees to create corporate accounts.
Microsoft has also redeployed “thousands of engineers” to its products and has begun calling in senior executives for status updates at least twice a week, Faehl says.
The new initiative represents “Microsoft’s roadmap and commitments to address much of what the CSRB report calls priorities,” Faehl says. Still, Microsoft does not accept that its security culture is broken, as the CSRB report argues. “We strongly disagree with that characterization,” Faehl says, “although we agree that we haven’t been the best and that we have work to do.”
Microsoft has drawn particular hostility from the cybersecurity community by charging its customers more for stronger security protections, such as threat monitoring, antivirus, and user management. In January 2023, the company announced that its security business had surpassed $20 billion in annual revenue.
“Microsoft now sees cybersecurity as a profit center,” says Juan Andres Guerrero-Saade, associate vice president of research at security firm SentinelOne. His colleague Alex Stamos recently wrote that Microsoft’s “dependence” on those profits “severely skewed its product design decisions.”
These tensions burst into the open in early 2021 as Congress and the new Biden administration grappled with Russia’s sweeping SolarWinds hacking campaign.
After breaking into government networks through SolarWinds software, Moscow’s agents tricked Microsoft’s cloud platform into granting them broad access. Because most agencies didn’t pay for Microsoft’s premium tier of service, they didn’t have the logs needed to detect those intrusions. Lawmakers were outraged that Microsoft would charge the government extra for such a fundamental feature, and Biden administration officials spent the next two and a half years privately urging Microsoft to make log data available to all customers. Microsoft finally agreed to do so last year, in July, eight days after disclosing another major hack that had been discovered by a customer that paid for log data.
Microsoft would not say whether it plans to extend other premium security features to all of its customers. “We continue to integrate security into our products and services for the benefit of our customers,” says Faehl.
When asked about experts’ arguments that Microsoft’s strategy of cashing in on cybersecurity is incompatible with a security-first mindset, Faehl said, “We agree with that characterization.”
Microsoft’s dominance has raised fears that it represents a single point of failure, concentrating U.S. technology dependency in such a way that hackers can sabotage critical functions by attacking one company’s products.
Few systems better illustrate the government’s overwhelming reliance on Microsoft (and an area in which some experts say a more diverse approach would be more secure) than email. A former U.S. cybersecurity official who now works at one of Microsoft’s competitors predicts that an attack crippling Microsoft’s email platform would drastically diminish the government’s ability to function.
Warnings about a Microsoft “monoculture” date back two decades, but the concept is now getting new attention from policymakers.
“The U.S. government’s reliance on Microsoft poses a serious risk to U.S. national security,” said U.S. Senator Ron Wyden. “The government is stuck with the company’s products, despite serious breaches of U.S. government systems by foreign hackers caused by the company’s negligence.”
On Monday, Wyden announced a bill that would set a four-year deadline after which the federal government would be barred from buying collaboration technologies like Microsoft Office that critics say don’t interoperate well with competing services.
According to experts, reducing the government’s reliance on a single vendor would not only benefit the government but also spread the risk of attack across more companies, relieving some of the pressure that Microsoft bears because of its gigantic portfolio of systems. The target on Microsoft’s back makes it a magnet for cybercriminals and government hackers, which partly explains its large number of breaches.
The government’s reliance on Microsoft also reinforces a familiarity with its products that cements its position in federal networks. While some agencies are exploring alternatives to Microsoft, most are sticking with what they know, largely because it’s easier than switching to another platform, says the former cybersecurity official.
Microsoft denies making it difficult for customers to migrate to or integrate competing products. “Our competitors raise subjective complaints about ‘compatibility,’” Faehl says, but “we hear this more from vendors of certain third-party products than from customers looking to use them.”
Either way, experts say, the result is clear: The government is dependent on Microsoft, depriving it of the leverage to combat the company’s practices.
Microsoft does not rely solely on its market dominance to fend off government scrutiny. Since its antitrust battles with the government in the 1990s, the company has developed a sophisticated public policy strategy that combines earnest calls for the protection of cyberspace with widespread participation in government initiatives.
“Microsoft is the most adept tech company on these issues,” says Andrew Grotto, a former senior White House cybersecurity official who now directs Stanford University’s Geopolitics, Technology and Governance Program and advises some of Microsoft’s competitors. “They learned this lesson 25 years ago and have been applying it ever since.”
Microsoft’s threat intelligence team, which knows more about malicious cyber activity than virtually any other company and most governments, publishes cyber threat research and collaborates with law enforcement on operations to dismantle hacker infrastructure. The company also helps fund groups like the CyberPeace Institute, which advocates for a more secure internet and helps protect non-governmental organizations from hackers. And it has positioned itself as a helpful partner for policymakers who need to address cybersecurity issues but don’t know where to start, offering lawmakers input on bills.
Thanks to its market dominance and political acumen, Microsoft has made sure it is almost never publicly criticized, experts say.
“The government doesn’t feel comfortable talking about Microsoft because it’s completely committed to it,” says Mark Montgomery, senior director of the Center for Cyber and Technology Innovation at the Foundation for Defense of Democracies, a think tank.
The Biden administration has spoken with fanfare about using the government’s formidable contracting power to force companies to secure their products. But with Microsoft, that leverage is nonexistent, experts say. “There is no realistic possibility that the government will wholesale cancel its contracts with Microsoft,” Paul Rosenzweig, a cyber consultant and former DHS policy official, said in an email.
Microsoft rejects this argument. “The idea that the company is too dependent on Microsoft doesn’t correspond to reality,” Faehl says.
The government’s lack of leverage means that federal officials never use the kind of blunt language found in the CSRB report when talking about Microsoft, even when they speak to reporters anonymously. The result is a remarkable show of government deference to Microsoft.
After Chinese hackers broke into government email systems and slipped past agencies that hadn’t paid for Microsoft’s high-end security features, a senior CISA official stated that Microsoft’s business model “doesn’t produce the kind of security outcomes we’re looking for,” but declined to reprimand Microsoft directly, instead talking about productive conversations with the company.
Indeed, despite years of Microsoft falling short of CISA’s signature push for companies to be “secure by design,” CISA has steadfastly refused to criticize Microsoft’s failures. In July, CISA director Jen Easterly said she was “extremely pleased with Microsoft’s decision.”
The former cyber official finds the government’s softness remarkable. “When their own emails are stolen, they don’t seem to go after the vendor who’s causing it.”
The White House National Security Council declined to comment for this story. In a statement, Eric Goldstein, CISA’s deputy executive director of cybersecurity, says his agency “has a strong partnership with Microsoft and will continue to collaborate in many areas,” while continuing to “impress upon all tech companies the urgency to create products that are secure by design so that customers can have confidence in the security and integrity of the technology they use every day.”
Microsoft’s Faehl says his company is “committed to security by design and security by default.”
The CSRB’s report on the Microsoft cloud breach calls for sweeping changes to the company’s security culture. According to many experts, it is time for the government to use its leverage to impose those changes.
“Typically, large, entrenched companies don’t change their behavior unless they’re incentivized to do so,” says Stanford University’s Grotto.
The CSRB report recommends strict new requirements for cloud providers like Microsoft, including regular security reviews after federal contracts are awarded. Experts say those requirements could change companies’ incentives toward greater security.
Microsoft recognizes that its recent breaches have sparked a public relations crisis. “We look forward to and welcome a fair review,” Faehl says. “As an industry leader, we want to be accountable for protecting our products and services.”
At the same time, he said, Microsoft “wouldn’t mind having some control” over competitors who “seek to sow fear, uncertainty and doubt about our position in order to gain advantage for their own products.”
Cracking down on Microsoft would also be a way for the Biden administration to live up to the principles of its National Cybersecurity Strategy, which prioritizes shifting the burden of cybersecurity onto large, well-resourced technology providers. “They’re arguing ... the balance needs to change,” says Grotto. “The question now is, ‘Well, what does the administration do with this diagnosis?’”
There are signs that the administration is following this advice. At a news conference with reporters Thursday about the possibility that Russian agents stole government secrets in their latest Microsoft hack, Goldstein said CISA and other agencies “are working intensively with Microsoft, consistent with the Cybersecurity Review Board’s recommendations, to drive further progress on Microsoft’s improvement plans for its broader security culture and enterprise.”
Meanwhile, experts say, the status quo allows Microsoft to shirk responsibility for problems it could fix.
“Inaction doesn’t cause any harm, at least not to those companies,” says SentinelOne’s Guerrero-Saade. “And that’s what’s going to destroy us.”