Senator calls for probe in Microsoft breach
Add Axios as your preferred source to
see more of our stories on Google.
Illustration: Annelise Capossela/Axios
A top cybersecurity-focused senator is calling for the U.S. government to "hold Microsoft responsible for its negligent cybersecurity practices" after a recent cloud breach.
Driving the news: Sen. Ron Wyden (D-Ore.) sent a letter Thursday to the heads of the Justice Department, the Federal Trade Commission and CISA asking them to launch new inquiries into Microsoft's cybersecurity practices.
Why it matters: This marks the first lawmaker request to investigate Microsoft's cybersecurity strategies since the breaches were discovered earlier this month.
- Microsoft has been in the D.C. hot seat since the recent disclosure, given this isn't the first time suspected Chinese hackers have used Microsoft's tech to spy on government officials.
What they're saying: "Even with the limited details that have been made public so far, Microsoft bears significant responsibility for this new incident," Wyden writes in the letter.
Catch up quick: Earlier this month, Microsoft disclosed that a China-based hacking group had gained access to email accounts belonging to several government agencies.
- Reports have now suggested that those accounts included ones belonging to Commerce Secretary Gina Raimondo, the U.S. ambassador to China and a top State Department official.
- But questions still surround how the breach happened. Microsoft has said the hackers acquired an obscure account signing key, which they then used to forge identity authentication on user accounts. It's unclear how the hackers obtained that key.
Details: Wyden alleges that Microsoft likely failed to store "high-value encryption keys" in a recommended hardware storage vault that would have prevented the hackers from stealing it.
- Wyden also argues that Microsoft should not have had an encryption key that would allow people to authenticate other accounts in the first place.
Of note: The senator also placed some blame on the federal government for not detecting these alleged poor storage practices during federal procurement cybersecurity reviews.
Between the lines: Wyden is calling on several regulators to act.
- He's asking CISA director Jen Easterly to direct the Cyber Safety Review Board to investigate the July hacks and Microsoft's security practices around encryption keys.
- He's also calling on Attorney General Merrick Garland to examine whether "Microsoft’s negligent practices violated federal law."
- And he's urging FTC chair Lina Khan to investigate Microsoft's privacy and data security practices related to this incident.
The other side: "This incident demonstrates the evolving challenges of cybersecurity in the face of sophisticated attacks," a Microsoft spokesperson said in a statement.
- "We continue to work directly with government agencies on this issue, and maintain our commitment to continue sharing information at Microsoft Threat Intelligence blog."
Sign up for Axios’ cybersecurity newsletter Codebook here
