In its haste to sell Azure and catch up to Amazon in the cloud market in the 2010s, Microsoft developed a “won’t fix” culture of handling security reports that attempted to shove as many issues off to the next product version as possible. That led to the security flaw that opened the door for the SolarWinds attack going unaddressed for years, according to former high-level security team member Andrew Harris.
Harris has opened up to reporters at ProPublica about the “Golden SAML” issue that allowed Russian hackers to eventually make their way into high-level US government accounts; he had previously dropped public hints on LinkedIn during his employment with Microsoft and lambasted the company on social media after the SolarWinds attack came to light. The new element of the story is the depth of Microsoft’s internal knowledge of the issue, which apparently dates back to 2016, and the knowing refusal to fix it by product managers who felt it would scare off lucrative government contracting business.
Nadella regime stressed Azure feature development and sales over security
When CEO Satya Nadella took over in 2014, he made cloud computing the company’s top priority. The goal was to catch and pass Amazon, which at the time had a huge head start. That is something the company eventually accomplished, but if Harris’ story is to be believed it was at the cost of being reckless in addressing security flaws.
Harris paints a picture of a corporate culture in which Azure sales and feature innovation were stressed above all else to product managers, and the many security flaws reported during this rapid development were pushed to “won’t fix” status as often as possible; that meant either finding reasons to dismiss them outright, or at least delaying them to the next product version.
One of those security flaws was the Active Directory issue the Russians ended up finding and exploiting, despite Harris making it a personal pet project from his internal discovery of it in 2016. This contradicts testimony that Microsoft president Brad Smith gave before Congress in 2021, in which he said the company’s first knowledge of the issue came from an outside security firm’s report on a theoretical attack in 2017. Smith is fresh off a new round of testimony conducted earlier this month, this time addressing the Outlook email issue that allowed Chinese hackers to get into government accounts about a year ago.
Security flaw went unaddressed for years despite internal acknowledgment of its seriousness
Harris came upon the security flaw in 2016 while investigating a breach of a big-name Microsoft client. He says that he was able to privately help some organizations he had a prior relationship with, such as the NYPD, address it, but that letting the federal government know about it was off-limits. Project managers thought it would sour Microsoft’s attempt at winning federal contracts that would ultimately be worth billions of dollars to the company.
Microsoft may ultimately end up losing government business over the issue, if this story proves out. A number of voices at high levels of government began discussing the possibility of cutting the company out of sensitive operations in 2023, after two separate incidents that allowed spies to access federal accounts, and the Pentagon is presently considering whether to expand its use of Microsoft products as part of its mandated implementation of a zero trust protocol across its systems.