Microsoft faces US government criticism over cybersecurity practices and breach aftermath

US government report criticizes Microsoft's "inadequate" security culture following a cyberattack, demands enhanced logging without extra charge.

By Mackenzie Crow

4/3, 15:59 EDT
Microsoft Corporation

Key Takeaway

  • US government criticizes Microsoft for "inadequate" security culture following a breach by Chinese hackers, affecting US officials and global users.
  • Critique includes Microsoft's practice of charging extra for essential enhanced logging capabilities, likened to charging more for airbags.
  • In response to the breach and criticism, Microsoft expands cloud logging at no extra cost and launches Secure Future Initiative to overhaul cybersecurity practices.

Security Culture Critique

The US government released a report on Tuesday sharply criticizing Microsoft Corp. for what it described as an "inadequate" security culture. The critique came in the wake of a cyberattack last year that allowed hackers to access the emails of US officials, an incident the report stated "should’ve never happened." The Department of Homeland Security’s Cyber Safety Review Board highlighted a series of security failures at Microsoft and attributed the breach to a Chinese state-sponsored hacking group, Storm-0558. This group compromised the Microsoft Exchange Online mailboxes of 22 organizations and over 500 individuals globally, including US Commerce Secretary Gina Raimondo. The report underscored the critical role of audit logging in identifying cyberattacks, pointing out that the State Department detected the breach only because it had purchased a premium license for enhanced logging capabilities.

Enhanced Logging Controversy

The government's report also criticized Microsoft for its practice of charging extra for enhanced or premium logging, likening it to carmakers charging more for airbags. Enhanced logging, which traces system activity over time, is essential for investigating cyberattacks. Even so, the report noted that the UK victims of the breach lacked enhanced logging capabilities, which hampered investigators' efforts to verify Microsoft's claims of earlier threat activity. In response to the breach, Microsoft announced in July 2023 that it would expand cloud logging capabilities for all customers worldwide at no additional cost, and in February it introduced additional logging capabilities for government agencies.

Microsoft's Response and Overhaul

Following the criticism, Microsoft declined to comment on its logging practices but has taken steps to address its cybersecurity posture. The company announced the Secure Future Initiative last fall, aiming to overhaul its cybersecurity practices. The Cyber Safety Review Board acknowledged this effort but emphasized the need for direct oversight by Microsoft’s CEO and board of directors. The board also called for holding senior leaders accountable for implementing necessary changes with urgency.

Broader Cybersecurity and Privacy Concerns

The report's focus on Microsoft's security practices comes amid broader concerns over cybersecurity and privacy within the tech industry. For instance, Google agreed to delete millions of records of users' browsing activities as part of a settlement over allegations it tracked people without their knowledge, even in "incognito" mode. This settlement, while not including a payment from Google, represents a significant step towards transparency in how tech companies collect and use data. Additionally, the Treasury Department warned that artificial intelligence is making financial fraud more sophisticated, highlighting the evolving challenges in cybersecurity and fraud prevention.

Street Views

  • Jen Easterly, Director of the Cybersecurity and Infrastructure Security Agency (Neutral on Microsoft's security practices):

    "We need to ensure that we’re coming together to really protect the technology ecosystem instead of putting the burden on those least able to defend themselves."