Government cybersecurity panel to probe Microsoft

Illustration: Aïda Amer/Axios
A federal cybersecurity investigatory panel will probe cloud service providers' security practices and how the government can safely use cloud technologies, Homeland Security Secretary Alejandro Mayorkas announced Friday.
Why it matters: The Cyber Safety Review Board's investigation will include a review of last month's suspected Chinese breach of federal Microsoft email accounts.
The big picture: Anxieties over Microsoft's cybersecurity practices have been boiling over in Washington following last month's breach — the second such incident in which Chinese hackers have used Microsoft's systems to target key government systems.
- In last month's breach, suspected Chinese hackers are believed to have gained access to the inboxes belonging to Commerce Secretary Gina Raimondo and top State Department officials.
Zoom out: The Department of Homeland Security created the Cyber Safety Review Board early last year to study some of the country's most consequential cyberattacks and data breaches and provide recommendations for avoiding future problems.
- Previous investigations focused on the widespread Log4j vulnerability and a string of hacks conducted by the Lapsus$ hacking group.
Details: The latest investigation is intended to study how the government and cloud service providers approach identity management in the cloud, according to a press release.
- The board considered studying the Microsoft incident "immediately upon learning" about it in July, the press release noted.
- The board's investigation should result in a list of recommendations for tightening the security of government cloud systems.
What they're saying: "Cloud security is the backbone of some of our most critical systems, from our e-commerce platforms to our communication tools to our critical infrastructure," Mayorkas said in a statement.
- "In its reviews of the Log4j vulnerabilities and activities associated with Lapsus$, the CSRB has proven itself to be ready to tackle and examine critical and timely issues like this one."
Yes, but: The board doesn't have the power to compel companies to participate in its reviews, and its investigation won't hold any regulatory weight.
- Typically, such investigations instead provide recommendations for new laws or regulations.
- Microsoft did not immediately respond to a request for comment.
