Microsoft President Brad Smith faced serious scrutiny from lawmakers during testimony before the House Homeland Security Committee on Thursday afternoon over the company’s cybersecurity posture that left it vulnerable to last summer’s Microsoft Exchange Online intrusion.
Thursday’s hearing came after the Department of Homeland Security’s (DHS) Cyber Safety Review Board (CSRB) released findings in April following its independent review of the China-based hack, which it attributed to “a cascade of security failures at Microsoft” and an “inadequate” security culture at the company.
In its report, the CSRB concludes that the intrusion – which compromised the email accounts of several U.S. government officials, including Commerce Secretary Gina Raimondo – “was preventable and should never have occurred.”
“I think the most important thing for me to say, the most important thing for me to write in my written testimony, is that we accept responsibility for each and every finding in the CSRB report,” Smith told lawmakers.
Smith said that Microsoft has mapped out the 16 applicable recommendations from the CSRB report and has about 34,000 full-time engineers working on this project.
While several lawmakers were encouraged by Microsoft’s progress, many questioned why the company waited so long to update its blog post regarding the hack.
Following last summer’s hack, Microsoft said in a Sept. 6 blog post that the hackers leveraged a stolen signing key used by the company to authenticate customers – allowing the hackers to masquerade as Federal users of Microsoft’s email services and access officials’ inboxes.
However, the CSRB report slams Microsoft’s “decision not to correct, in a timely manner, its inaccurate public statements about this incident, including a corporate statement that Microsoft believed it had determined the likely root cause of the intrusion when in fact, it still has not.”
The CSRB says that even after Microsoft discovered its initial Sept. 6 blog post contained inaccurate statements, it did not update that post until March 12, 2024. This came as the CSRB was concluding its review and only after the board’s “repeated questioning about Microsoft’s plans to issue a correction.”
Smith said Microsoft hesitated to update the blog post because it didn’t find the new information to be “useful or actionable.” However, Rep. Clay Higgins, R-La., responded by saying, “That answer does not encourage trust.”
“Microsoft had a major thing happen and the means by which you communicate with your customers was not updated for six months, so I’m just going to say I don’t really accept that answer,” Rep. Higgins said.
Rep. Bennie Thompson, D-Miss., the ranking member of the committee, also questioned the company’s lack of transparency surrounding the stolen signing key.
“While Microsoft did cooperate with the CSRB investigation, the board found the company was slow to be fully transparent with the public, most notably about how the threat actor obtained the signing key,” Rep. Thompson said. “To this day, we still do not know how the threat actor accessed that signing key.”
Despite the hack and communication missteps, Smith told the lawmakers that the Federal government should still continue to use Microsoft as a security vendor.
“We are going to work harder than anybody else to earn the trust of our government and other allied governments every day,” Smith pledged. “We are making the changes that we need to make. We are learning the lessons that need to be learned. We’re holding ourselves accountable. We will be transparent.”
