Editor Alexis Pinto
Thomas Ricardo - Cyber Analyst Reporter
April 5, 2024

https://www.cybernewscentre.com/plus-content/content/security-under-scrutiny-microsofts-cybersecurity-lapses-exposed

This week, the Cybersecurity and Infrastructure Security Agency took swift action with an emergency directive aimed at mitigating the repercussions on federal entities following a breach of Microsoft, which has been attributed to a hacking collective associated with Chinese foreign intelligence services.

This information comes from three officials in the know. 

Adding to Microsoft's challenges, a recent disclosure from a report on Tuesday by a review board established by the Biden administration unveiled considerable security shortcomings within the tech giant.

The Cyber Safety Review Board, established through an executive order in 2021, has highlighted a series of missteps by Microsoft that enabled cyber operatives backed by the Chinese state to infiltrate the email accounts of high-ranking U.S. officials, including Commerce Secretary Gina Raimondo.

This report paints a picture of Microsoft's cybersecurity efforts as deficient, pointing out a corporate environment that does not prioritise security and a noticeable lack of transparency regarding the extent of the breach.

 

The panel said the intrusion, discovered in June by the State Department and dating to May, “was preventable and should never have occurred,” blaming its success on “a cascade of avoidable errors.” What's more, the board said, Microsoft still doesn't know how the hackers got in.

The board criticised Microsoft for its insufficient security culture and called for an urgent comprehensive reform, given the company's critical position in the global tech landscape and its role in supporting sectors vital to national security, economic stability, and public welfare.

The inclusive review process developed actionable findings and recommendations. As a result of the CSRB’s recommendations, CISA plans to convene major CSPs to develop cloud security practices aligned with the CSRB recommendations and a process for CSPs to regularly attest and demonstrate alignment.

“DHS is committed to efforts that meaningfully improve cybersecurity resilience and preparedness for our nation, and the work of the CSRB is reflective of our determination and dedication to this cause,” said CISA Director Jen Easterly.

“I am confident that the findings and recommendations from the Board’s report will catalyse action to reduce risk to the critical infrastructure Americans rely on every day.”

Among its recommendations, the board suggested that Microsoft temporarily halt the introduction of new features to its cloud services until significant security enhancements are made. 

It also advocated for the company's leadership, including the CEO and board of directors, to commit to a rapid culture shift, emphasising the need for Microsoft to publicly commit to security-first reforms within a specific timeframe.

Microsoft responded to the board's findings by expressing its appreciation for the review and reaffirmed its commitment to bolstering its defences against cyber threats. The company also pledged to enhance its detection and defence mechanisms against sophisticated cyber adversaries.

The breach, executed by the Chinese hacking group identified by Microsoft as Storm-0558, compromised the email accounts of 22 organisations and over 500 individuals globally, including U.S. Ambassador to China Nicholas Burns.

The hackers had access to cloud-based email accounts for up to six weeks and downloaded approximately 60,000 emails from the State Department, among other breaches.

The report also touched on a separate security breach that Microsoft disclosed in January, attributed to Chinese state-backed hackers, raising concerns over a corporate culture at Microsoft that has historically overlooked the importance of security investments and risk management.

This Chinese-led cyber attack, initially acknowledged by Microsoft in a July blog post, is part of a pattern of behaviour by the hacking group dating back to at least 2009. 

The group has previously targeted major companies like Google, Yahoo, Adobe, Dow Chemical, and Morgan Stanley. Microsoft acknowledged the sophistication of the hackers and emphasised the necessity for an enhanced security-focused engineering culture within its operations.

At A Glance 

  • The Cybersecurity and Infrastructure Security Agency launched an emergency response to a Microsoft breach tied to Chinese hackers, underscoring critical security challenges.
  • A report by a Biden administration-appointed board disclosed Microsoft's significant security flaws, notably in its response to a breach by Chinese hackers.
  • The breach, exposing U.S. officials' emails, was labelled preventable by the board, spotlighting Microsoft's inadequate cybersecurity practices.
  • Recommendations include pausing Microsoft's cloud feature rollouts for security enhancements and a corporate culture shift towards prioritising security.
