Microsoft needs a security overhaul, according to a new report from cybersecurity insiders.
This comes after multiple breaches of Microsoft's systems by foreign hackers in recent years, allowing them to gain access to sensitive federal email systems.
“Last year, when the People's Republic of China government-affiliated hacking group known as Storm-0558 infiltrated Microsoft's cloud environment, it cost a fortune in espionage,” the Cyber Security Review Board said in its report. It is stated inside. “The attackers gained access to the official email accounts of numerous U.S. government officials who manage relations between our country and the People's Republic of China.”
Related: Microsoft says Chinese hackers have compromised emails including those of U.S. government agencies
These breaches have raised concerns about whether tech giants have adequate defenses against cybersecurity threats. Recent failures have also brought further scrutiny to Microsoft's close relationship with the U.S. government, raising questions about whether these contracts should be subject to greater scrutiny.
Eric Geller, a journalist covering cybersecurity and technology, covered questions surrounding Microsoft's security in detail for WIRED. He told KUOW's Soundside that Microsoft is making deep inroads into federal government operations, from email to word processing.
“They just have a lot of data about what's going on in government networks,” Geller said. “Microsoft controls the keys to the kingdom in terms of all user accounts, who has access to what, and what information the average employee has access to. All of this is done through Microsoft services. It is managed.”
Related: State-sponsored Russian hackers accessed Microsoft executives' emails, company says
In response to questions from KUOW, Microsoft sent a lengthy statement outlining its Secure Future Initiative, announced in November to “address this new era of security where the speed, scale, and sophistication of threats rapidly increase.” said.
“And this is just the beginning,” Brett Arsenault, Microsoft's corporate vice president and chief cybersecurity advisor, said in a statement. “We are committed to transparently sharing our learnings and future milestones as part of our efforts to harden all of our systems against attacks.”
Arsenault said that among the company's efforts, Microsoft is actively removing unused or outdated users. Require and automate multi-factor authentication for users, including those involved in development, testing, demo, and production. Improves Microsoft's proprietary multi-factor authentication process. Implementing policies to reduce the possibility of identity theft, such as requiring video calls between managers and employees or vendors.
Related: Congress, AI, and Microsoft's big bet
For Quentin Hodgson, a senior researcher specializing in cybersecurity at the nonpartisan research institute Randland, engineering fixes are key here. He said there were clear engineering issues that contributed to the data breach.
“It never ceases to amaze me how surprised we seem to be at the hacking that's happening right now,” Hodgson said. “And that always leads to disruption of immediate activity. But the challenge is how to sustain that effort over time.”
The Cyber Safety Review Board said in its report that Microsoft fully cooperated with the review and “did its best to answer all of our questions.”
Related: Microsoft joins petition calling for government regulation of AI tools like ChatGPT
But Geller still has questions about what drives Microsoft's decision-making and how the company's leaders choose to address its own vulnerabilities.
“One of the biggest themes I heard was that Microsoft is prioritizing profits over security,” he said. “They charge a lot of money for security features, but if you're a normal person on the street and I tell you what this feature is, it should be built in, it should be free. It will automatically turn on.
Click the play button above to listen to the entire conversation with journalist Eric Geller and senior researcher Quentin Hodgson.
