Harsh Federal Report Criticizes Microsoft for Poor Security Measures and Insincere Response to Chinese Hack

In a strongly worded critique of Microsoft’s corporate security measures and transparency, a review board appointed by the Biden administration issued a report on Tuesday, highlighting a series of missteps by the tech giant that allowed state-backed Chinese cyber operatives to breach the email accounts of senior U.S. officials, including Commerce Secretary Gina Raimondo.

Established by executive order in 2021, the Cyber Safety Review Board condemned what it described as Microsoft’s inadequate cybersecurity practices, a permissive corporate culture, and a lack of transparency regarding its awareness of the targeted breach, which affected multiple U.S. agencies dealing with China.

The report emphasized the urgent need for an overhaul of Microsoft’s security culture, given the company’s widespread usage and pivotal role in the global technology landscape. Microsoft’s products, the report stated, are integral to essential services supporting national security, economic foundations, and public health and safety.

Attributing the success of the breach to a series of avoidable errors, the panel asserted that the intrusion was preventable and should never have occurred. Moreover, it criticized Microsoft for its failure to determine how the hackers gained access.

The review board issued comprehensive recommendations, urging Microsoft to suspend the addition of new features to its cloud computing environment until significant security enhancements are implemented. It called for rapid cultural change within the company, including the public disclosure of a plan outlining specific timelines for fundamental security-focused reforms across all products.

In response, Microsoft acknowledged the board’s investigation and pledged to strengthen its systems against cyber threats while enhancing detection and defense mechanisms.

The report detailed how state-backed Chinese hackers compromised Microsoft Exchange Online email accounts of numerous organizations and individuals worldwide, including the U.S. ambassador to China and several foreign government entities. It criticized Microsoft for inaccurate public statements about the incident and expressed concern over a separate hack attributed to state-backed Russian hackers.

Highlighting the need for a new culture prioritizing enterprise security investments and rigorous risk management, the review board underscored the persistent threat posed by well-resourced nation-state actors.

Microsoft acknowledged the ongoing threat posed by such actors and emphasized its commitment to implementing robust security measures and addressing legacy infrastructure vulnerabilities in its networks.
