Microsoft takes its apology tour around Washington

Illustration: Annelise Capossela/Axios
Microsoft brought more humility than ever to a highly anticipated congressional hearing Thursday about its recent security failures.
Why it matters: The shifting strategy underscores just how seriously Microsoft is taking the criticism that competitors and government officials have raised against it — and how much trust the company has lost among many of its federal government customers.
- The tech giant has historically stonewalled criticism that competitors and some lawmakers have raised about the company's security practices.
Between the lines: Microsoft faced one of its toughest tests in Washington Thursday at a House Homeland Security Committee hearing about last summer's China hack.
- Lawmakers spent nearly three hours grilling Microsoft president Brad Smith about the company's security failures, its new internal security protocols and its continued presence in China.
- The hearing came the same day as a new ProPublica investigation detailing how a whistleblower discovered a critical security flaw years before Russian hackers exploited it in the SolarWinds incident.
- Meanwhile, competitors have been lining up to take jabs at Microsoft's failings in hopes of winning over some of its government customers.
- One lawmaker even told Smith during the hearing that Pentagon officials and other agencies have become wary of using Microsoft Teams over security concerns.
What they're saying: "I came here today and we acted as a company with a real spirit, I hope you'll see, of humility, of accepting responsibility, of avoiding being defensive or defiant," Smith told lawmakers at the hearing.
- "We're trying to focus on culture change," he added. "Culture change requires constant role modeling and practice."
Zoom in: As part of his strategy, Smith repeatedly told lawmakers that the company has learned from its faults and that it respects the criticism many have lobbed.
- In response to a question about why it took the high-profile China hack to get Microsoft to expand customers' access to their activity logs, Smith had regrets.
- "I wish we had moved faster and had gone further," he said. "I think there was a real focus on the real costs with keeping and retaining logs, but we should have recognized sooner."
- And Smith used the security pushback over the company's recently announced Recall feature as an example, saying this is one instance in which security should have been weighed during the product development.
The big picture: Historically, Microsoft has been able to brush off criticism or suspicions about its alleged cybersecurity faults.
- Competitors have spent years trying to bring attention to Microsoft's role in the SolarWinds incident, for instance, but that work hardly ever stuck.
Yes, but: One area where Smith didn't show humility was in discussing the competing security vendors who have been using Microsoft's security failures in their sales pitches.
- "It's fine, go tell people that you have something better, but we have to have a higher cause here," Smith said. "We are not the adversaries with each other, even though we might compete with each other."
What we're watching: It remains to be seen how effective Smith's strategy was at regaining trust with government officials who decide when to buy Microsoft's products.
