Jul 14, 2023 - Technology

Latest suspected China hack puts Microsoft on D.C. hot seat

Anxiety over Microsoft's cybersecurity strategies is growing in Washington this week as details continue to emerge about the extent of a suspected Chinese espionage campaign.

Driving the news: Late Tuesday evening, Microsoft disclosed that a China-based hacking group had gained access to email accounts tied to 25 organizations, including U.S. government agencies.

  • Since then, the U.S. State Department and the Commerce Department have confirmed that their offices were targeted. Commerce Secretary Gina Raimondo's inbox was also reportedly breached, according to the Washington Post.
  • Hackers had access to some email inboxes for as long as a month before the State Department notified Microsoft about some anomalous activity on its networks.
  • No classified systems or data were affected during the breach, a senior Cybersecurity and Infrastructure Security Agency official told reporters, but questions remain over exactly how hackers were able to steal the cryptographic key that gave them access to dozens of Microsoft accounts.

Why it matters: This isn't the first major cyber espionage campaign to exploit flaws in Microsoft's technology since President Joe Biden came into office — it follows a 2021 Chinese espionage campaign targeting Exchange servers.

What they're saying: "There's definitely a level of frustration," Mark Montgomery, executive director of the Cyberspace Solarium Commission 2.0, told Axios.

  • "The more that these incidents happen, the more Microsoft can't just fall back on, 'Well, you don't have to worry about us, we have an inherently secure system,' because they don't," he added.

The big picture: Those frustrations are threatening to rock what's so far been a pretty cooperative relationship between Microsoft and the Biden administration's cybersecurity offices.

  • A source familiar with the investigation told Axios that while Microsoft was quick to control the "immediate incident," officials still have "significant questions regarding how this occurred that the U.S. government is pressing Microsoft to answer."
  • One of those questions is whether Microsoft was complying with federal cyber requirements for government cloud providers, the source added. Another is whether it's time to update the already "strict" cybersecurity requirements, per the source.

Zoom out: So far, Microsoft has been an instrumental partner in the Biden administration's cybersecurity agenda, which has focused heavily on fostering private-sector partnerships.

The other side: "We're closely engaged with the administration cybersecurity officials — and with cybersecurity officials around the world — regarding all the cybersecurity challenges we face globally," a Microsoft spokesperson told Axios. "We are proud of the partnerships that allow Microsoft to contribute to our shared security and are always looking at ways we can help improve the cyber ecosystem."

Between the lines: The latest espionage campaign is reminding officials of two main concerns they've had about Microsoft's power in the industry.

  • First is Microsoft's wide-reaching presence in U.S. systems as a top government contractor. Some reports estimate that the company accounts for 85% of the public sector's office productivity software alone. It might be time to hold the company and others to higher security standards, Andrew Grotto, former senior director of cyber policy in both the Obama and Trump White Houses, told Axios.
  • The second is a yearslong back-and-forth between the U.S. and Microsoft about how much free access customers should have to their networks' audit logs. Currently, customers have to pay an additional fee to gain access to their full logs due to cloud storage costs, and not all federal agencies or targeted organizations pay for this information.
  • "We are evaluating feedback and are open to other models," the Microsoft spokesperson said regarding the log storage limits. "We are actively engaged with CISA and other agencies on this."

Yes, but: Experts who work closely with the Biden administration said it's unclear how many resources officials will be willing to dedicate to those concerns — especially as they juggle other national security priorities.

  • "People still think the government is more powerful than these companies, and it might be, but it's less focused," Trey Herr, director of the Atlantic Council's Cyber Statecraft Initiative and a former Microsoft security strategist, told Axios.
