Those who study cybersecurity matters have been focused on a troubling and increasingly evident reality: Microsoft has a security problem.
Four years ago, when I was serving as national security advisor, Microsoft was at the center of one of the most significant cybersecurity breaches in U.S. government history, known as the SolarWinds hack. The Russia-backed hackers gained access to the communications of private individuals and public and private organizations, including government agencies like the Department of Homeland Security.
The hackers also penetrated Microsoft’s systems and, according to media reports, used that access to further the attack. In response to the SolarWinds hack, Microsoft Vice Chair Brad Smith placed blame on the federal government, saying “we need a more effective national and global strategy to protect against cyberattacks.”
The Biden administration talked a big game about reforms to our federal cyber infrastructure in light of the SolarWinds hack. Biden aides called SolarWinds a “top priority” for the incoming administration. In April 2021, President Biden sanctioned Russian officials for the hack and announced new cybersecurity standards that would, in the words of Deputy National Security Adviser Anne Neuberger, allow federal agencies to tell vendors “here’s a set of things you need to comply with in order to do business with us.”
Notwithstanding the administration’s concerns, Chinese-backed hackers used vulnerabilities in Microsoft’s email systems to gain access to sensitive federal communications last summer, including the emails of Secretary of Commerce Gina Raimondo. Last month, the Cyber Safety Review Board released a report on China’s hack, outlining a “cascade” of “avoidable errors” by Microsoft that made it possible. The board highlighted that the hack was “preventable” and identified a “series of Microsoft operational and strategic decisions that collectively pointed to a corporate culture that deprioritized enterprise security investments and rigorous risk management.”
Just a few months later, Russian hackers again breached Microsoft’s systems, gaining access to executives’ emails and ultimately some of the company’s source code. This raises serious concerns about the risk to sensitive federal communications, and the Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive to all federal agencies requiring them to “analyze potentially affected emails, reset any compromised credentials, and take additional steps to secure privileged Microsoft Azure accounts.” The scale of this intrusion is still unknown.
As the story of Microsoft’s failures spread in the media, Sen. Rick Scott (R-Fla.) sent a letter to CISA Director Jen Easterly asking, among other questions, “what standards or benchmarks has CISA set for contractors to improve cybersecurity protocols and how often are these standards and benchmarks being evaluated?” Sen. Ron Wyden (D-Ore.) placed fault with federal agencies, saying they “also share blame, for showering Microsoft with billions of dollars in government contracts, without demanding the company meet minimum cyber security standards.”
Meanwhile, Homeland Security Committee Chairman Rep. Mark Green (R-Tenn.) and Ranking Member Rep. Bennie Thompson (D-Miss.) requested Microsoft Vice Chair and President Brad Smith appear before a full committee hearing titled “A Cascade of Security Failures: Assessing Microsoft Corporation’s Cybersecurity Shortfalls and the Implications for Homeland Security.”
And yet the Biden administration has been silent. The president, Homeland Security Secretary Alejandro Mayorkas and leaders of our intelligence agencies have refused to comment on the cascade of avoidable errors by one of the federal government’s largest cybersecurity contractors. President Biden even appeared alongside Microsoft executives last month in Wisconsin to promote the company and highlight a new economic development project.
There are certainly other companies with less-than-stellar cybersecurity reputations, but because of its ubiquitous presence in our lives, Microsoft’s problems have become all of our concern. I have a long record of opposing the over-regulation of our big tech companies, but in this case the Biden administration should work with Microsoft to develop an enforceable performance improvement plan, perhaps to be overseen by a federal monitor.
Cybersecurity is a key component of our national security. We simply cannot afford to have one of our key tech companies become a hackers’ superhighway going in and out of America’s digital world.
Amb. Robert C. O’Brien (ret.) was the U.S. National Security Advisor from 2019-2021.