A review panel appointed by the Biden administration criticized Microsoft over a Chinese hacking attack last year. In a scathing indictment of Microsoft's security and transparency, the report said a “series of mistakes” by the tech giant allowed state-backed Chinese hackers to break into the email accounts of senior US officials including Commerce Secretary Gina Raimondo.
According to a report by the AP, the Cyber Safety Review Board, created in 2021 by executive order, describes poor cybersecurity practices, a lax company culture, and a lack of honesty about the company's knowledge of the targeted hacking breach.
The report is said to have concluded that “Microsoft's security culture was inadequate and required a comprehensive overhaul” given the company's reach and critical role in the global technology ecosystem. Microsoft products support “essential services that support national security, the foundations of our economy, and public health and safety.”
Report: A series of avoidable mistakes led to the Chinese hack
The committee said in its report that the hack “could have been prevented and should never have happened,” and blamed its success on “a series of mistakes that could have been avoided.” The board also said that Microsoft still does not know how the hackers got in.
In its recommendations, the committee urged Microsoft to suspend adding features to its cloud computing environment until “significant security improvements are made.” It also asked Microsoft CEO Satya Nadella and the board to bring about “rapid cultural change,” including publicly sharing a plan with specific timelines to make fundamental security-focused reforms across the company and its full suite of products.
What Microsoft said in response to the report
In response to the report, Microsoft said in a statement that it appreciated the board's investigation and would continue to “harden all of our systems against attack and implement more robust sensors and logs to help us detect and repel our adversaries' cyber armies.”
As a reminder, Chinese state-backed hackers compromised the Microsoft Exchange Online email of 22 organizations and more than 500 individuals around the world, including the US Ambassador to China, Nicholas Burns. The 34-page report claimed that the attack affected several US agencies that do business with China. The hackers reportedly had access to some cloud email inboxes for at least six weeks and downloaded more than 60,000 emails from the State Department alone. The Chinese hack was initially revealed in July 2023 by Microsoft in a blog post and was carried out by a group the company calls Storm-0558.
Microsoft noted in its statement that the hackers involved are “nation-state threat actors who are well-resourced and operate continuously and without meaningful deterrence.”