Microsoft Acknowledges Security Vulnerabilities Let China View Emails from the US Government

In the summer of 2023, Microsoft President Brad Smith acknowledged that the company's security procedures had allowed Chinese state hackers to access the emails of US government leaders.

In testimony before the US House Committee on Homeland Security on June 13, 2024, Smith stated that the tech company takes full responsibility "without equivocation or hesitation" for all the problems listed in a Cyber Safety Review Board (CSRB) report.

Microsoft was held accountable for a "cascade of security failures" that allowed Chinese threat actor Storm-0558 to access the email accounts of 25 companies, including US government personnel, according to the CSRB report, which was released in April 2024.

Storm-0558 used a Microsoft signing key that they had obtained to carry out the espionage operation. This key, combined with another weakness in Microsoft's authentication mechanism, gave them access to virtually every Exchange Online account in the world.

In addition to numerous mistakes that let the attackers succeed, the CSRB investigation discovered weaknesses in Microsoft's mergers and acquisitions (M&A) security compromise assessment and remediation procedure. It also discovered an insufficient security culture at the company.

To prevent this kind of breach from happening again, the report also gave Microsoft and all other cloud service providers 25 cybersecurity recommendations.

The "Unique and Critical" Cybersecurity Role of Microsoft
Smith acknowledged Microsoft's "unique and critical cybersecurity role" for its customers as well as for the US and its allies in his opening remarks before the Congress committee.

"This position is a reflection of the extensive array of goods and services Microsoft offers to people and businesses, including cloud services that run on data centers spread throughout 32 nations. It also represents the extensive cybersecurity work we do on a daily basis, including work with and in close coordination with the governments of the US and many allies," according to Smith.

He pointed out that a more hazardous cyberworld has been created by the escalating and increasing geopolitical conflicts, such as the war between Russia and Ukraine. In particular, in the 28 months since the start of the conflict, North Korea, China, Iran, and Russia have launched more frequent, well-funded, and sophisticated cyberattacks.

"Lawless and aggressive cyber activity has, by all measures, reached an unprecedented level," stated Smith. "Microsoft found 47 million phishing attempts against our network and personnel over the course of the previous year. However, this pales in comparison to the 345 million cyberattacks that we identify daily against our clientele."

Additionally, he emphasized that Microsoft regrets and offers its sincere apologies to everyone affected by the Storm-0558 assault, especially public servants.

Dedicated to Boosting Cybersecurity Defenses
According to Smith, Microsoft will increase its cybersecurity protection across the board by using the CSRB findings as a starting point and opportunity.

The IT giant is moving forward to implement each of the 16 recommendations that apply to Microsoft specifically.

According to Smith, the company is now migrating its consumer and enterprise identity systems to a new hardened key management system that generates and stores keys in hardware security modules.

Additionally, it is deploying proprietary data, together with matching detection signals, to every location where tokens are validated.

Smith continued, saying that Microsoft's senior leadership team has evaluated the company's security culture in light of the CSRB findings and has given staff members a "north star" to follow, meaning that security should be the company's top priority. This entails giving it precedence over the release of new features or continuing support for outdated platforms.

In order to support this cultural shift, Microsoft has added 1600 additional security engineers for the current fiscal year and plans to add another 800 roles in the upcoming fiscal year.

Smith said that in order to increase oversight of the different engineering teams and guarantee that security is "baked into" technical decision-making and procedures, Microsoft established the Office of the CISO, which is staffed by senior-level Deputy CISOs.

In his testimony, Smith also discussed Microsoft's Secure Future Initiative (SFI), which launched in November 2023. The goal of this program is to change how Microsoft designs, builds, tests, and operates its products and services so that security by design and by default is built in.

"All things considered, we acknowledge our responsibility for the past and are using the lessons we've learned to create a more secure future. We are putting more money into our efforts, trying out new tactics, and building a better cybersecurity culture," Smith said.

Microsoft Postpones Activating the Windows Recall Feature
Following criticism from its Windows Insider community, Microsoft said shortly after Smith's testimony on June 13 that it would postpone the scheduled release of its Recall AI feature for Copilot+ PCs.

In a blog post, the firm said that Recall will now be made available as a preview in the Windows Insider Program (WIP) in the upcoming weeks, instead of being made widely accessible for Copilot+ PCs on June 18, 2024.

This will give time to evaluate the AI-powered feature's security one more time.

This comes after serious privacy concerns were raised about Recall, which continuously records activity on users' devices, including private data, so that users can go back and review their past actions.
