Apr 2, 2024 - Technology

Government board pins China hack on Microsoft’s 'inadequate' cybersecurity strategies

Illustration: Aïda Amer/Axios

A high-profile government advisory board released a scathing report Tuesday evening concluding that a Chinese espionage campaign targeting Microsoft last summer was "preventable and should never have occurred."

Why it matters: The board's conclusion is the harshest denouncement of Microsoft's cybersecurity practices to date, following a series of high-profile breaches that have put U.S. government secrets at risk.

Catch up quick: The U.S. Cyber Safety Review Board, which is housed inside the Cybersecurity and Infrastructure Security Agency (CISA), has been investigating the breach at Microsoft since early August.

  • In July, Chinese government hackers were spotted in Microsoft's cloud networks and appeared to be accessing email inboxes across roughly 25 organizations, including those belonging to Commerce Secretary Gina Raimondo and several State Department officials.
  • The incident stirred a lot of anxiety across Washington given Microsoft's dominance as the U.S. government's top cloud provider.
  • Microsoft has also been the target of several other high-profile incidents, including the 2021 Exchange hack and a recent, persistent set of attacks involving Russia's Midnight Blizzard hacking team.

Zoom in: July's breach was the result of "avoidable errors" and Microsoft's "failure to detect the compromise of its cryptographic crown jewels," the report says.

  • Board members spent the last seven months interviewing Microsoft and speaking with other cloud service providers to determine where the company may have gone wrong.
  • Several recent operational and strategic decisions at Microsoft resulted in the company deprioritizing "both enterprise security investments and rigorous risk management," the report adds.

The intrigue: Three unidentified members of the board did not participate in the investigation due to conflicting financial or employment ties, a board official told reporters Tuesday.

Yes, but: Officials told reporters during a background media call that the Chinese government team behind the Microsoft breach is likely to want to target other high-value U.S. companies.

  • "Over the years, the threat actor has demonstrated the capability and intents to compromise identity systems and cloud providers and target emails of individuals of interest to the Chinese government," a second board official told reporters.
  • The board member was granted anonymity as a condition for the briefing.

The big picture: The board's report is already fueling Microsoft's competitors and critics, who have long argued that the company's dominance as the U.S. government's top cloud provider and enterprise software vendor is a national security risk.

  • "Government and enterprise customers need to have the freedom to choose true best of breed technologies for their unique needs," Karan Sondhi, chief technology officer for cyber firm Trellix's public sector work, said in a statement.

The other side: Microsoft has already preemptively started changing its internal cybersecurity culture.

  • Shortly after the July breach, the company expanded access to security logs for free to help customers better detect intruders on their networks.
  • Microsoft also overhauled its entire security strategy in November, including new secure default settings for customers and speedier vulnerability response times.
  • "We appreciate the work of the CSRB to investigate the impact of well-resourced nation state threat actors who operate continuously and without meaningful deterrence," a Microsoft spokesperson said in a statement. "While no organization is immune to cyberattack from well-resourced adversaries, we have mobilized our engineering teams to identify and mitigate legacy infrastructure, improve processes, and enforce security benchmarks."
  • Microsoft is currently reviewing the final report for additional security upgrades, the statement adds.

What's next: CISA plans to create a "baseline of strong practices for security and for transparency" that cloud service providers should follow, an agency official told reporters.

  • The agency plans to regularly look to these providers to adopt these practices and publicly share details about their progress.