The Cyber Safety Review Board (CSRB) of the DHS has some harsh words for Microsoft after wrapping up its investigation into the 2023 security breach by state-sponsored Chinese hackers. The agency does not go as far as some US politicians did in calling for Microsoft products to be divested from critical government functions, but it does call for an immediate “overhaul” of the company’s security practices.
Microsoft “corporate culture” indicted in review of security breach
The report takes Microsoft to task for gradually drifting away from security as a top priority in its corporate culture over the years. The security breach, which essentially gave the Chinese hackers the ability to walk into any Exchange Online email account and ended up impacting at least 500 people in high-ranking government and private industry positions, would have been unthinkable at one time.
The CSRB now calls Microsoft’s security culture “inadequate” in the wake of the security breach, and has told the company that it needs to begin an “overhaul” immediately. What that will likely mean, going by the points raised in the report, is a more public accounting of security features and improvements for all of the company’s products along with a slowdown of development of cloud computing services until issues in this area are addressed.
Route Chinese hackers took to obtain signing key still in question
The issues raised by the Chinese hackers are far from unique to Microsoft. Seemingly recognizing this, the CSRB has said that it will be adapting the recommendations from this report into more generalized guidance for similar cloud service providers.
Microsoft was targeted by an elite state-sponsored unit: Storm-0558, a group that is believed to have been in action for as much as 20 years now and has been racking up high-profile security breaches for at least 15. But the manner in which they pulled this one off is still very much in question, appearing to be more owed to a “cascade” of lapses on Microsoft’s part than any sort of elite hacking.
There are also still unanswered questions about the security breach. Microsoft has long maintained that an engineer account was likely compromised and that the Chinese hackers then found an Exchange signing key in a crash dump that it had access to. However, last month they unexpectedly changed that story and are now simply saying they think a compromised engineer account was involved but are unclear on any further details.
Regardless of the specific point of failure, the CSRB has put the central blame on ongoing operational and strategic decisions at the company that are directly informed by its corporate culture; specifically, cutbacks to its enterprise security and risk management. The company is also lagging behind some of its cloud peers in specific defensive measures, including failure to have an automatic key rotation system in place that would have very likely shut the Chinese hackers down.
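To make the key rotation point concrete, here is an added illustration (not code from the CSRB report or from Microsoft) of a signing-key registry that rotates keys automatically by age and refuses to verify tokens signed with a key that has aged out; the 90-day lifetime, 7-day grace window, HMAC token format, and all names are assumptions, and the scenario in `demo()` is constructed.

```python
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timedelta

MAX_KEY_AGE = timedelta(days=90)  # assumed rotation interval
GRACE = timedelta(days=7)         # assumed window in which a retired key still verifies
T0 = datetime(2024, 1, 1)         # constructed clock start for the demo

class SigningKeyRegistry:
    def __init__(self, now):
        self.keys = {}  # kid -> (secret, created_at)
        self._rotate(now)
    def _rotate(self, now):
        kid = f"k{len(self.keys) + 1}"
        self.keys[kid] = (secrets.token_bytes(32), now)
        return kid
    def current_kid(self, now):
        kid, (_, created) = max(self.keys.items(), key=lambda kv: kv[1][1])
        # mint a fresh key as soon as the newest one reaches its maximum age
        return self._rotate(now) if now - created >= MAX_KEY_AGE else kid
    def secret_for(self, kid, now):
        # a key verifies only while current or within the grace window
        entry = self.keys.get(kid)
        if entry is None or now - entry[1] > MAX_KEY_AGE + GRACE:
            return None
        return entry[0]

def sign(reg, claims, now):
    """Produce 'kid.payload_hex.mac_hex' with whichever key is current at 'now'."""
    kid = reg.current_kid(now)
    body = json.dumps(claims, sort_keys=True).encode().hex()
    mac = hmac.new(reg.keys[kid][0], f"{kid}.{body}".encode(), hashlib.sha256).hexdigest()
    return f"{kid}.{body}.{mac}"

def verify(reg, token, now):
    """Return the claims, or None if the key is unknown, aged out, or the MAC fails."""
    kid, body, mac = token.split(".")
    secret = reg.secret_for(kid, now)
    if secret is None:
        return None
    expected = hmac.new(secret, f"{kid}.{body}".encode(), hashlib.sha256).hexdigest()
    return json.loads(bytes.fromhex(body)) if hmac.compare_digest(expected, mac) else None

def demo():
    # constructed scenario: a token outlives its key, then a new key takes over
    reg = SigningKeyRegistry(T0)
    tok = sign(reg, {"sub": "user@example.com"}, T0)
    stale = verify(reg, tok, T0 + timedelta(days=100))  # 100 > 90 + 7 grace
    later = sign(reg, {"sub": "user@example.com"}, T0 + timedelta(days=91))
    return verify(reg, tok, T0), stale, later.split(".")[0], verify(reg, later, T0 + timedelta(days=91))
```

A stolen key is still usable until it ages out, so rotation bounds the damage window rather than preventing theft; the grace window is what lets in-flight tokens survive a rotation.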
All of this criticism, including inaccurate and slow reporting about the incident after the fact, is summed up by the CSRB as a failure to prevent an incident that should have been preventable. While Microsoft is not yet out of the government’s good graces, the report is certainly a wake-up call for the company.