Microsoft cracks down on security after attacks

Photo: Julian Stratenschulte/dpa via Getty Images.
Microsoft is overhauling its entire production line to prioritize cybersecurity and incorporate recommendations from a recent government investigation, the company's top security executive said Friday.
Why it matters: Microsoft has come under fire in recent months after a wave of nation-state attacks targeted the company's products, resulting in Chinese and Russian spies accessing email inboxes tied to a cabinet secretary and senior Microsoft executives.
- These incidents began with relatively unsophisticated methods that a government board has said could have been prevented.
What they're saying: "Microsoft plays a central role in the world's digital ecosystem, and this comes with a critical responsibility to earn and maintain trust," Charlie Bell, executive vice president of Microsoft Security, wrote in a blog post Friday. "We must and will do more."
Zoom in: Bell said that Microsoft's internal production cycles will now run on three principles: secure-by-design, secure-by-default and secure operations.
- All Microsoft user accounts will soon have multi-factor authentication by default.
- Microsoft will retain all security logs for at least two years and make six months of relevant logs available to customers.
- And the company is adding new deputy CISO positions; the people in those roles will oversee the implementation of the dozens of new changes and work closely with engineering teams.
- Microsoft's threat intelligence offices will also now fall under the CISO's office, rather than operate as a separate unit.
Driving the news: Microsoft CEO Satya Nadella also sent a memo to employees Friday detailing the new approach, according to The Verge.
- "If you're faced with the tradeoff between security and another priority, your answer is clear: Do security," Nadella wrote in the memo.
- "In some cases, this will mean prioritizing security above other things we do, such as releasing new features or providing ongoing support for legacy systems," he added.
Catch up quick: Microsoft unveiled the initial plans for this security overhaul in November as the government's Cyber Safety Review Board was conducting its investigation into how last summer's China-backed hack happened.
- Nadella teased these changes during last week's quarterly earnings call, telling analysts that Microsoft is "doubling down" on cybersecurity.
The intrigue: Microsoft's commitments and internal statements have landed with at least one top cyber official: Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency.
- "Having the CEO himself actually make the statement, I was really pleased to see that," Easterly told Axios on the sidelines of the Silverado Annual Summit in Napa on Friday.
- Nadella "signaling to the other security engineers... that this is the preeminent consideration for product development, I just think that is incredibly important," Easterly added.
The big picture: The Biden administration has been pushing all companies to prioritize cybersecurity throughout their organizations, not just Microsoft.
- CISA has reportedly been circulating a pledge for tech companies to sign promising to implement "secure-by-design" practices in their products.
Flashback: Microsoft also embarked on a similar journey to prioritize cybersecurity in the company's products back in 2002.
What's next: Government officials will be watching closely to see how well Microsoft's new principles are implemented.
- "Of course, the proof will be in the pudding," Easterly said.
