Microsoft answered Congress' questions on security. Now the White House needs to act

Feature Microsoft president Brad Smith struck a conciliatory tone regarding his IT giant's repeated computer security failings during a congressional hearing on Thursday - while also claiming the Windows maker is above the rule of law, at least in China.

He answered nearly three hours of questions from US House reps about Microsoft's infosec shortcomings. Now it's time for the White House and Congress to do their job and ensure we don't learn about yet another Redmond blunder exploited by a foreign government six months from now.

And the US government has several tools at its disposal, from executive orders to federal spending, to avoid another Microsoft-connected security breach.

Smith kicked off his testimony before Congress this week by accepting "responsibility for each and every one of the issues" cited in a recent Homeland Security report that blasted Microsoft for a series of "avoidable errors." These errors, the investigation found, allowed Beijing-backed cyberspies to steal tens of thousands of sensitive emails from the Microsoft-hosted Exchange Online inboxes of high-ranking US government officials.

That theft was enabled by China stealing a cryptographic key from a crash dump file that had been left on Microsoft's internal internet-connected corporate network; the key should not have made it out of the mega-corp's isolated production environment.

Despite this major security intrusion by China, Smith defended Microsoft's business in the Middle Kingdom. National intelligence laws in China can be used to force companies operating there to provide snooping services for the government, or hand over proprietary code if pressured to do so. But Microsoft doesn't have to comply with that, Smith claimed, to some unbelieving members of Congress.

Mea culpa, then deflect

He gets an A for presentation, but a D for content. Smith issued a mea culpa, but also deflected some of the lawmakers' tough questions about China, and why Microsoft isn't doing a very important job (securing its code, which in this case is also a national security issue) that the government is paying it millions of dollars to do.

Smith also said he hadn't read a ProPublica report that came out ahead of the Homeland Security subcommittee hearing and was the subject of several questions to the executive. That investigative report cited a now-ex-Microsoft whistle-blowing engineer who claimed he had repeatedly warned bosses as far back as 2017 about an authentication flaw that left Microsoft users and their work accounts vulnerable to compromise.

That flaw, which we're told involves exploiting weaknesses with Microsoft's Active Directory Federation Service and SAML, was allegedly used by the Russian government snoops behind the SolarWinds backdoor.

According to the whistle-blower, the Kremlin spies used the SAML-based authentication flaw to gain full access to organizations' files and messages after sneaking into those victims' IT networks via the backdoored SolarWinds software. In other words, this was a post-exploitation vulnerability.

It was further alleged Microsoft refused to fix this years-old problem because in doing so, the corporation would have to admit that its Active Directory software was faulty, which could have cost it billions of dollars as the biz was vying for a massive IT contract with the US federal government at the time.

In the wake of the Exchange Online intrusion, all of Microsoft's pledges to do better on security, and overhaul its entire security culture, are either voluntary or - with ideas like tying top exec pay to security performance - are going to be really hard to measure.

"If it was any other vendor, if anything like this happened with us, where we had such a gaping security hole that foreign governments could come into our cloud environment it would not only destroy our product in the marketplace because we have no credibility, but the government would just kick us out," Trellix CTO Karan Sondhi told The Register.

The repeated intrusions by both Russian and Chinese cyber-spies highlight the national security risks of Uncle Sam's increasing reliance on a single technology vendor, Sondhi told us.

Specific to Microsoft and America: The US government uses everything from the super-corp's cloud infrastructure to its operating system and productivity tools, and then also adds on Redmond's security products, which Trellix and other infosec vendors say discourages competition in the marketplace.

"We're just saying to the government: Have an independent evaluation of security tooling," Sondhi said. "Measure the security tools' effectiveness, independent of the bundle that Microsoft offers, and pick your favorite. If it's us, great. If it's CrowdStrike, more power to you. If it's Sentinel One, great."

Microsoft, he added, "should be fixing vulnerabilities in their products. They should be squarely focused on that instead of trying to sell you security tools."

When asked during the congressional hearing about Microsoft's bundling practices, which may dissuade the government and other customers from selecting a third-party vendor for security, Smith responded: "I'm not aware of any so-called practices that limit what our customers can do in terms of cybersecurity protection."

No real incentive to change

As long as federal dollars keep pouring into Microsoft's coffers, there's no real incentive to change. US government data showed at least $498 million of payments to Microsoft in 2023 alone.

In a May 29 letter to US Department of Defense CIO John Sherman, Senators Ron Wyden (D-OR) and Eric Schmitt (R-MO) questioned why the Pentagon is "doubling down" on its investment in Microsoft products despite the IT giant's serious failings.

This, after the Department of Homeland Security's Cyber Safety Review Board's slammed Microsoft's "cascade" of security snafus that made China's digital intrusion into government inboxes possible.

"What should the government do? Probably not give a $10 billion DoD contract to Microsoft for a commercial, off-the-shelf product," said Cory Simpson, CEO of the Institute for Critical Infrastructure Technology and a senior advisor to the Cyberspace Solarium Commission.

"You have one entity responsible for national security saying here's an entity that poses a risk, and then you have DoD, another entity responsible for national security, doubling down on Microsoft," Simpson told The Register. "We've got to have that conversation, and it needs to be with the White House."

The first thing that needs to happen, according to Simpson, is triage, which needs to come from a White House Executive Order. Later, there's long-term care, which comes from Congress.

While the administration doesn't control the government's purse strings, it could put a pause on future Microsoft integrations while the government explores other vendors' security products, he explained. "That could be done with an executive order," Simpson noted.

The White House Office of the National Cyber Director declined to comment for this story.

The long-term care, on the other hand, involves Congressional action to codify best security practices and even simpler ones, such as requiring Microsoft products to be interoperable with those from its peers.

"The two ends of the continuum are a decoupling of Microsoft, and at the other end doing nothing," Simpson said. "And there's a range of options in between."

Time for Biden administration to 'walk the talk'

Under President Joe Biden's leadership, the administration has touted its commitment to shoring up the nation's networks. This included releasing the National Cybersecurity Strategy in March 2023.

Part of the strategy centers around holding software makers liable for security flaws in their products, thus shifting IT defense away from the end users of technology and onto the providers. It also says the administration will work with Congress and the private sector to develop legislation around secure software and services.

Plus, this is the focus of the US Cybersecurity and Infrastructure Security Agency's secure by design pledge, signed by nearly 70 software companies - including Microsoft - at last month's RSA Conference.

Another piece of the strategy involves investing in longer-term security practices at the government and enterprise level, rather than relying on short-term fixes, such as patches and more temporary solutions to problems.

"You can't accomplish both of those things with minimum regulation," Simpson said. "The best way to do that is to fully leverage the government as the largest consumer in the world. It's about purchasing power. If they don't change procurement practices, shame on them. They have to walk the talk of their strategy." ®

Search
About Us
Website HardCracked provides softwares, patches, cracks and keygens. If you have software or keygens to share, feel free to submit it to us here. Also you may contact us if you have software that needs to be removed from our website. Thanks for use our service!
IT News
Jul 13
Game dev accuses Intel of selling 'defective' Raptor Lake CPUs

High-end processor instability headaches, failures pushed one studio to switch to AMD

Jul 12
White House urged to double check Microsoft isn't funneling AI to China via G42 deal

Windows maker insisted everything will be locked down and secure - which given its reputation, uh-oh!

Jul 12
PowerToys bring fun tweaks to Windows 10 and 11

Friday FOSS Fest Mac migrants (if any exist) will find Powertoys Run strangely familiar

Jul 12
New Outlook set for GA despite missing some key features

Classic Outlook for Windows shuffles a little closer to the end of the road

Jul 12
Google can totally explain why Chromium browsers quietly tell only its websites about your CPU, GPU usage

OK, now tell us why this isn't an EU DMA violation - asking for a friend in Brussels

Jul 12
SAP's bid to woo open source community meets muted response

German software giant says open source is a 'catalyst for innovation' but is unlikely to release proprietary code

Jul 12
Stop installing that software - you may have just died

On Call They're called role-playing games for a reason ...