- Microsoft's security systems are inadequate and need a “complete overhaul,” a government report has found.
- A DHS investigation found a security flaw in Microsoft's systems that allowed Chinese hackers to break into the company's network last summer.
- Microsoft needs to seriously improve its systems for national security, the report says.
Microsoft's security culture needs improvement, the government-backed Cyber Security Review Board says in a new report.
And the tech giant's poor security allowed a group of Chinese-linked hackers to infiltrate its network last summer and read the emails of senior U.S. officials, in what the report calls an avoidable attack.
The U.S. Department of Homeland Security released the Cyber Security Review Board (CSRB) report on Tuesday. In it, the board details a “cascade” of “preventable errors” in Microsoft's security systems.
Specifically, the hackers (a Chinese government-affiliated spy group called Storm-0558) exploited several flaws in Microsoft's authentication system that, the board said, made it possible to “sign into basically any Exchange Online account anywhere in the world.”
Because Microsoft did not properly protect its signing keys, the hackers gained access to the email accounts of senior U.S. officials, including Secretary of Commerce Gina Raimondo, U.S. Ambassador to the People's Republic of China R. Nicholas Burns, and Congressman Don Bacon, the report says.
The report also accuses Microsoft of not independently detecting compromised accounts and only becoming aware of the problem when customers reported it.
“The Board finds that this intrusion was preventable and should never have occurred,” the Cyber Security Review Board said in its report. “The Board also believes that Microsoft's security culture is inadequate and requires thorough review, especially given the company's centrality in the technology ecosystem and the level of trust that customers place in the company to protect their data and operations. We concluded that a complete review is necessary.”
“Recent events demonstrate the need to introduce a new culture of engineering security into our networks,” a Microsoft spokesperson said in a statement to Business Insider.
“While no organization is immune to cyberattacks from resource-rich adversaries, we mobilized our engineering teams to identify and mitigate legacy infrastructure, improve processes, and conduct security benchmarks,” the spokesperson said.
The board also reprimanded Microsoft over its public statements about the incident. In September 2023, the company announced that it had discovered the root cause of the attack. Two months later, Microsoft told the board that this explanation had been incorrect, yet it did not update the announcement to reflect the inaccuracy until March 2024, the report said.
The CSRB concluded that because Microsoft's systems are essential to national security and the global economy, the company must quickly and significantly remediate its security vulnerabilities.