Microsoft says new protocols address whistleblower concerns

Brad Smith, vice chair and president at Microsoft, being sworn in at the House Homeland Security Committee hearing on June 13. Photo: Tierney L. Cross/Bloomberg via Getty Images
Microsoft president Brad Smith told lawmakers Thursday that the company's new internal security plans will address problems raised by a whistleblower in a new ProPublica investigation.
Why it matters: The investigation raised serious concerns over whether Microsoft ignored evidence of a critical security vulnerability that Russian hackers exploited years later in the infamous SolarWinds incident.
Driving the news: A former Microsoft employee told ProPublica that he had discovered evidence of the flaw well before the point at which Smith had previously told lawmakers the company noticed the issue.
- Andrew Harris, who left Microsoft in 2020, says he alerted the company to the flaw years before the SolarWinds incident, but several teams ignored his findings, according to the report.
- Smith testified before the House Homeland Security Committee on Thursday about Microsoft's response to a Chinese hack of its customers last summer.
Catch up quick: Microsoft started implementing its new Secure Future Initiative in November in response to last July's China hack, which exposed several government agencies' internal emails.
- The initiative includes adding deputy CISO positions to oversee the implementation of dozens of new changes, restructuring who certain cyber teams report to and building basic security features into all products.
- Cybersecurity will now be considered in every Microsoft employee's bi-annual review and factored into annual bonuses and compensation, per Smith's remarks.
Between the lines: Smith argues that the Secure Future Initiative is designed to make it easier for employees to voice concerns about the cybersecurity issues they uncover.
- In response to questions from committee ranking member Bennie Thompson (D-Miss.), Smith said the new deputy CISO roles will help to ensure that security is integrated throughout every piece of product development.
- "The job of these individuals is to constantly monitor and assess and pick up feedback and apply a principled approach to address these things," Smith said.
- Smith added that the initiative is aimed at empowering "every employee to be able to speak up."
Yes, but: Smith admitted during the hearing he hadn't yet read the ProPublica story, noting he had spent the morning at White House meetings.
- "This is the classic 'Let's have an article publish the morning of a hearing so we can spend the hearing talking about it,' and then by a week from now I'll actually have a chance to go back and learn about everything in it," Smith told lawmakers.
