May 3, 2024 - Technology

Microsoft cracks down on security after attacks

A logo hangs on the Microsoft stand at Hannover Messe 2024.

Photo: Julian Stratenschulte/dpa via Getty Images.

Microsoft is overhauling its entire production line to prioritize cybersecurity and incorporate recommendations from a recent government investigation, the company's top security executive said Friday.

Why it matters: Microsoft has come under fire in recent months after a wave of nation-state attacks targeted the company's products, resulting in Chinese and Russian spies accessing email inboxes tied to a cabinet secretary and senior Microsoft executives.

  • These incidents began through relatively unsophisticated means that a government board has said could have been prevented.

What they're saying: "Microsoft plays a central role in the world's digital ecosystem, and this comes with a critical responsibility to earn and maintain trust," Charlie Bell, executive vice president of Microsoft Security, wrote in a blog post Friday. "We must and will do more."

Zoom in: Bell said that Microsoft's internal production cycles will now run on three principles: secure-by-design, secure-by-default and secure operations.

  • All Microsoft user accounts will soon have multi-factor authentication by default.
  • Microsoft will retain all security logs for at least two years and make six months of relevant logs available to customers.
  • And the company is adding new deputy CISOs who will oversee the implementation of the dozens of new changes and work closely with engineering teams.
  • Microsoft's threat intelligence offices will also now fall under the CISO's office, rather than operate as a separate unit.

Driving the news: Microsoft CEO Satya Nadella also sent a memo to employees Friday detailing the new approach, according to The Verge.

  • "If you're faced with the tradeoff between security and another priority, your answer is clear: Do security," Nadella wrote in the memo.
  • "In some cases, this will mean prioritizing security above other things we do, such as releasing new features or providing ongoing support for legacy systems," he added.

Catch up quick: Microsoft unveiled the initial plans for this security overhaul in November as the government's Cyber Safety Review Board was conducting its investigation into how last summer's China-backed hack happened.

  • Nadella teased these changes during last week's quarterly earnings call, telling analysts that Microsoft is "doubling down" on cybersecurity.

The intrigue: Microsoft's commitments and internal statements have landed with at least one top cyber official: Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency.

  • "Having the CEO himself actually make the statement, I was really pleased to see that," Easterly told Axios on the sidelines of the Silverado Annual Summit in Napa on Friday.
  • Nadella "signaling to the other security engineers... that this is the preeminent consideration for product development, I just think that is incredibly important," Easterly added.

The big picture: The Biden administration has been pushing all companies to prioritize cybersecurity throughout their organizations, not just Microsoft.

Flashback: Microsoft also embarked on a similar journey to prioritize cybersecurity in the company's products back in 2002.

What's next: Government officials will be watching closely to see how well Microsoft's new principles are implemented.

  • "Of course, the proof will be in the pudding," Easterly said.