A new report claims Microsoft has a corporate culture that ‘deprioritised’ enterprise security and that its failures caused the massive hack of government emails last year.
A new report has criticised Microsoft’s security measures, as it claims the massive breach of US government emails last year was “preventable”.
The US Cyber Safety Review Board (CSRB) report relates to a massive hack last year, which saw the emails of various US government agencies breached by a China-linked hacking group. Some reports suggest hundreds of thousands of emails may have been compromised by this hack.
The hackers managed to gain access to these emails by compromising the Microsoft Exchange Online mailboxes of various organisations. The US report claims that this hacking group – called Storm-0558 – struck the “espionage equivalent of gold” when it compromised Microsoft’s cloud environment.
The report contains various criticisms of Microsoft’s security practices, as it claims the intrusion was preventable and “should never have occurred”. The report claims that a “cascade” of avoidable errors on Microsoft’s part allowed the intrusion to succeed.
The board also noted that Microsoft failed to detect the compromise on its own and relied on a customer to reach out and identify the anomalies. The report also claims Microsoft issued “inaccurate public statements” about the incident, such as claiming to have determined the root cause of the incident “when in fact, it still has not”.
“The board identified a series of Microsoft operational and strategic decisions that collectively point to a corporate culture that deprioritised both enterprise security investments and rigorous risk management,” the report said.
“The board issues recommendations to Microsoft to ensure this critical company, which sits at the centre of the technology ecosystem, is prioritising security for the benefit of its more than 1bn customers.”
As a result of this report – which included data from interviews with 20 organisations and experts – the US Cybersecurity and Infrastructure Security Agency (CISA) plans to convene cloud service providers such as Microsoft to develop cloud security practices to prevent similar incidents in the future.
The recommended security practices include implementing modern control mechanisms, emerging digital identity standards and more effective victim notification mechanisms.
“Cloud computing is some of the most critical infrastructure we have, as it hosts sensitive data and powers business operations across our economy,” said CSRB chair Robert Silvers. “It is imperative that cloud service providers prioritise security and build it in by design.”
Meanwhile, the UK and the US recently claimed that several cyberattacks targeting government entities and critical infrastructure were orchestrated by Chinese “state-sponsored” organisations and individuals.
Find out how emerging tech trends are transforming tomorrow with our new podcast, Future Human: The Series. Listen now on Spotify, on Apple or wherever you get your podcasts.