Aug 11, 2023 - Technology

Government cybersecurity panel to probe Microsoft

A federal cybersecurity investigatory panel will probe cloud service providers' security practices and how the government can safely use cloud technologies, Homeland Security Secretary Alejandro Mayorkas announced Friday.

Why it matters: The Cyber Safety Review Board's investigation will include a review of last month's suspected Chinese breach of federal Microsoft email accounts.

The big picture: Anxieties over Microsoft's cybersecurity practices have been boiling over in Washington following last month's breach — the second such incident in which Chinese hackers have used Microsoft's systems to target key government systems.

Zoom out: The Department of Homeland Security created the Cyber Safety Review Board early last year to study some of the country's most consequential cyberattacks and data breaches and provide recommendations for avoiding future problems.

Details: The latest investigation is intended to study how the government and cloud service providers approach identity management in the cloud, according to a press release.

  • The board considered studying the Microsoft incident "immediately upon learning" about it in July, the press release noted.
  • The board's investigation should result in a list of recommendations for tightening the security of government cloud systems.

What they're saying: "Cloud security is the backbone of some of our most critical systems, from our e-commerce platforms to our communication tools to our critical infrastructure," Mayorkas said in a statement.

  • "In its reviews of the Log4j vulnerabilities and activities associated with Lapsus$, the CSRB has proven itself to be ready to tackle and examine critical and timely issues like this one."

Yes, but: The board doesn't have the power to compel companies to participate in its reviews, and its investigation won't hold any regulatory weight.

  • Typically, such investigations instead provide recommendations for new laws or regulations.
  • Microsoft did not immediately respond to a request for comment.
