Axios Codebook

July 14, 2023
😎 TGIF, everyone. Welcome back to Codebook.
- 😮‍💨 Phew, what a wild few days it's been since we last saw each other. Let's catch up on all that's happened.
- 📬 Have thoughts, feedback or scoops to share? [email protected].
Today's newsletter is 1,597 words, a 6-minute read.
1 big thing: Latest China hack puts Microsoft on D.C. hot seat
Illustration: Aïda Amer/Axios
Anxiety over Microsoft's cybersecurity strategies is growing in Washington this week as details continue to emerge about the extent of a suspected Chinese espionage campaign.
Driving the news: Late Tuesday evening, Microsoft disclosed that a China-based hacking group had gained access to email accounts tied to 25 organizations, including U.S. government agencies.
- Since then, the U.S. State Department and the Commerce Department have confirmed that their offices were targeted. Commerce Secretary Gina Raimondo's inbox was also reportedly breached, according to the Washington Post.
- Hackers had access to some email inboxes for as long as a month before the State Department notified Microsoft about some anomalous activity on its networks.
- No classified systems or data were affected during the breach, a senior Cybersecurity and Infrastructure Security Agency official told reporters, but questions remain over exactly how hackers were able to steal the cryptographic key that gave them access to dozens of Microsoft accounts.
Why it matters: This isn't the first major cyber espionage campaign to exploit flaws in Microsoft's technology since President Joe Biden came into office — it follows a 2021 Chinese espionage campaign targeting Exchange servers.
What they're saying: "There's definitely a level of frustration," Mark Montgomery, executive director of the Cyberspace Solarium Commission 2.0, told Axios.
- "The more that these incidents happen, the more Microsoft can't just fall back on, 'Well, you don't have to worry about us, we have an inherently secure system,' because they don't," he added.
The big picture: Those frustrations are threatening to rock what's so far been a pretty cooperative relationship between Microsoft and the Biden administration's cybersecurity offices.
- A source familiar with the investigation told Axios that while Microsoft was quick to control the "immediate incident," officials still have "significant questions regarding how this occurred that the U.S. government is pressing Microsoft to answer."
- One of those questions is whether Microsoft was complying with federal cyber requirements for government cloud providers, the source added. Another is whether it's time to update the already "strict" cybersecurity requirements, per the source.
Zoom out: So far, Microsoft has been an instrumental partner in the Biden administration's cybersecurity agenda, which has focused heavily on fostering private-sector partnerships.
- Microsoft was one of the first industry partners in a relatively new federal information-sharing program known as the Joint Cyber Defense Collaborative.
- The company was also heralded in the early days of the war in Ukraine for being the first to uncover wiper malware targeting Ukrainian government networks.
The other side: "We're closely engaged with the administration cybersecurity officials — and with cybersecurity officials around the world — regarding all the cybersecurity challenges we face globally," a Microsoft spokesperson told Axios. "We are proud of the partnerships that allow Microsoft to contribute to our shared security and are always looking at ways we can help improve the cyber ecosystem."
Between the lines: The latest espionage campaign is reminding officials of two main concerns they've had about Microsoft's power in the industry.
- First is Microsoft's wide-reaching presence in U.S. systems as a top government contractor. Some reports estimate that the company accounts for 85% of the public sector's office productivity software alone. It might be time to hold the company and others to higher security standards, Andrew Grotto, former senior director of cyber policy in both the Obama and Trump White Houses, told Axios.
- The second is a yearslong back-and-forth between the U.S. and Microsoft about how much free access customers should have to their networks' audit logs. Currently, customers have to pay an additional fee to gain access to their full logs due to cloud storage costs, and not all federal agencies or targeted organizations pay for this information.
- "We are evaluating feedback and are open to other models," the Microsoft spokesperson said regarding the log storage limits. "We are actively engaged with CISA and other agencies on this."
Yes, but: Experts who work closely with the Biden administration said it's unclear how many resources officials will be willing to dedicate to those concerns — especially as they juggle other national security priorities.
- "People still think the government is more powerful than these companies, and it might be, but it's less focused," Trey Herr, director of the Atlantic Council's Cyber Statecraft Initiative and a former Microsoft security strategist, told Axios.
2. How Biden is implementing his cyber strategy
Illustration: Sarah Grillo/Axios
The Biden administration released its roadmap for implementing its wide-reaching national cybersecurity strategy, providing the clearest picture yet of the concrete results that could come from it.
Why it matters: The plan from the Office of the National Cyber Director (ONCD) puts specific projects behind what was mostly an ambitious policy document, including details about the cyber-focused legislative and regulatory proposals the administration plans to push over the next few years.
Details: The implementation plan released Thursday lays out 69 initiatives the administration is pursuing across various federal offices.
- Legislative proposals include those seeking to codify the Cyber Safety Review Board, which studies significant cyber incidents, and others from the U.S. Department of Justice that would "enhance the U.S. government's capacity to disrupt and deter cybercrime."
- ONCD will also spearhead the administration's study of a new liability framework that would hold software companies accountable for poor security designs.
- CISA, alongside ONCD, plans to update the country's national cyber incident response plan by the first quarter of the 2025 fiscal year.
Yes, but: Some of the initiatives laid out in the plan are already underway or were previously announced by certain agencies, including the Treasury Department's review of a possible federal cyber insurance offering and the White House National Security Council's work on a cybersecurity-focused consumer product label.
What they're saying: "The implementation plan does not capture all of the cybersecurity activities in the federal government, nor does it intend to," acting national cyber director Kemba Walden told reporters during a press briefing.
- "What it does do is capture key initiatives that we must get done in the near term on the path to achieving the president's vision," she added.
The big picture: The implementation plan comes as pressure mounts for Biden to nominate a permanent national cyber director.
- Chris Inglis, the first director, left his post in February, and Walden has been operating in an acting capacity since.
- Walden has reportedly been told that she will not receive the nomination, despite endorsements from lawmakers and former officials, including Inglis, in recent months, according to a report in The Record this week.
Between the lines: The plan also makes it clear which federal office is overseeing each initiative and lays out deadlines for when those projects should be completed.
- Throughout the administration, experts have said it's often unclear which cybersecurity office does which job.
3. Consumers brush off TikTok concerns
Illustration: Sarah Grillo/Axios
TikTok's popularity shows no signs of waning, even as some users voice concerns about the app's potential privacy and security threats, Axios' Ivana Saric writes.
Why it matters: About 40% of U.S. adults who still use TikTok say they think the platform is a threat to the country, according to a recent Pew Research Center survey.
- For many consumers, especially younger ones, "the fear of missing out and the connection that the app, like TikTok, provides outweigh the security risks or the privacy risks," Laura Bright, an associate professor of media analytics at the University of Texas at Austin, told Axios.
- TikTok has been mired in controversy around the world. In the U.S., lawmakers are trying to ban the app, citing security concerns.
Critics argue TikTok could put U.S. customer data at risk because Chinese law requires China's companies to share information with the government.
- TikTok maintains that it operates independently and protects U.S. data through an alliance with Oracle, which firewalls the data from overseas access.
Driving the news: 59% of Americans polled by Pew Research believe that the social media behemoth poses a major or minor threat to U.S. national security.
- Concerns about the threat increase among successive age groups.
- 65% of people who believe the app poses a major or minor threat to national security are not on TikTok. Those users also tend to be older and more politically conservative.
- Among TikTok users, 51% say they are "somewhat" or "very" concerned about how the app uses the data it collects.
4. Catch up quick
@ D.C.
🗳️ Secretaries of state say they're already preparing for AI-fueled election disinformation during the 2024 presidential campaign. (CyberScoop)
📞 The Federal Communications Commission is proposing new rules requiring wireless providers to "adopt secure methods of authenticating a customer" when they swap SIM cards. (The Verge)
🚰 A U.S. appeals court temporarily blocked the Environmental Protection Agency's plans to implement a new cybersecurity assessment for public water systems. (Reuters)
@ Industry
🐦 Twitter has asked a federal court to terminate a Federal Trade Commission order governing the company's data security practices. (Politico)
💰 Payroll services provider UKG agreed to settle a class action lawsuit over a 2021 cyberattack. (Wall Street Journal)
@ Hackers and hacks
🚓 A New York federal court sentenced Roger Thomas Clark to 20 years in prison for his role in running notorious dark-web drug market Silk Road. (Wired)
📵 Some government services in Cornelius, North Carolina — a suburb of Charlotte — are delayed or unavailable after a cyberattack. (The Record)
🏎️ Researchers have found that Russia's foreign intelligence agency targeted diplomats at embassies in Ukraine using a fake advertisement for a used BMW 5 Series sedan. (Reuters)
5. 1 fun thing
Lola the cat trying to hide her travel harness (left) and then upset that I found it anyway (right). Photos: Sam Sabin/Axios
I've started the treacherous task of trying to harness train my very strong-willed, confident, but adventure-curious black cat, Lola, and it's going about as well as you'd expect.
- If any readers have successfully turned their cat into a little adventure buddy, my inbox is open for any tips!
☀️ See y'all on Tuesday!
Thanks to Scott Rosenberg for editing and Khalid Adad for copy editing this newsletter.
Decode key cybersecurity news and insights. With Sam Sabin.



