These incidents come as security experts increasingly criticize Microsoft for not quickly and adequately fixing flaws in its products. By far the largest technology provider to the U.S. government, Microsoft's vulnerabilities account for the largest share of both newly discovered and most widely used software flaws. Many experts say Microsoft is refusing to make the cybersecurity improvements needed to meet evolving challenges.
One prominent cyber policy expert says Microsoft “has not adapted its level of security investment or mindset to match the threat,” adding: “This is a huge failure by someone with Microsoft's resources and in-house engineering capabilities.”
The Department of Homeland Security's CSRB supports this view in a new report on the 2023 Chinese intrusion, finding that Microsoft exhibits a “corporate culture that prioritizes both corporate security investments and rigorous risk management.” The report also criticized Microsoft for publishing inaccurate information about the possible causes of recent Chinese intrusions.
According to multiple experts, recent breaches reveal Microsoft's failure to implement basic security defenses.
Adam Meyers, senior vice president of intelligence at security firm CrowdStrike, points to the Russians' ability to jump from test to production environments. “That should never happen,” he says. Another cyber expert working for a Microsoft competitor highlighted China's ability to intercept communications of multiple agencies with a single intrusion and criticized Microsoft's authentication system, which allowed broad access with a single sign-in key, echoing the CSRB report.
“We have not heard of this type of breach from any other cloud service provider,” Meyers said.
According to the CSRB report, Microsoft “is not prioritizing the rebuilding of legacy infrastructure sufficiently to address the current threat landscape.”
Microsoft told WIRED in response to written questions that it is actively improving security in response to recent incidents.
“We are committed to adapting to the evolving threat landscape and collaborating across industry and government to defend against growing and more sophisticated global threats,” said Steve Faehl, Chief Technology Officer for Microsoft's Federal Security Business.
Faehl said that as part of the Secure Future Initiative launched in November, Microsoft is improving its ability to automatically detect and block abuse of employee accounts, has expanded its scanning to detect and block more types of sensitive information in network traffic, has reduced the access allowed by individual authentication keys, and has created new authentication requirements for employees seeking to create corporate accounts.
Microsoft has also redeployed “thousands of engineers” to improve its products and has begun convening senior executives at least twice a week to update them on the situation, Faehl said.
This new initiative represents Microsoft's “roadmap and commitment to answering many of the priorities identified in the CSRB report,” Faehl said. Still, Microsoft has not accepted that its security culture is broken, as the CSRB report alleges. “We totally disagree with this characterization,” Faehl says. “However, I agree that we are not perfect yet and that there is work to be done.”
Security income “addiction”
Microsoft has drawn particular backlash from the cybersecurity community because it charges customers extra for enhanced security protections such as threat monitoring, antivirus, and user access management. In January 2023, the company touted its security division's annual revenue as exceeding $20 billion.
“Microsoft has come to see cybersecurity as something that generates revenue for the company,” said Juan Andrés Guerrero-Saade, associate vice president of research at security firm SentinelOne. His colleague Alex Stamos recently wrote that Microsoft's “reliance” on this revenue “significantly distorts product design decisions.”