US members of Congress on Thursday pressed Microsoft to explain “a series of avoidable errors” that allowed a Chinese hacking group to compromise the emails of senior US officials.
Microsoft President Brad Smith spent more than three hours answering questions from members of the House Homeland Security Committee in Washington, assuring them that cybersecurity is increasingly ingrained in the company’s culture. technology.
“Microsoft accepts responsibility for each of the issues cited” in the U.S. government’s scathing report on the breach “without equivocation or hesitation,” Smith told the committee.
The Cyber Security Review Board (CSRB), led by the US Department of Homeland Security, conducted a seven-month investigation into last year’s incident involving a cyber espionage attacker. associated with China Storm-0558.
“Microsoft has a tremendous footprint in both government and critical infrastructure networks,” U.S. Congressman and committee member Bennie Thompson told Smith as the hearing opened.
“Our shared concern is that the security issues raised in (the report) are resolved expeditiously.”
The activity was first detected by the US State Department in June 2023, and included hacks into the official and personal mailboxes of Commerce Secretary Gina Raimondo and US Ambassador to China Nicholas Burns .
Microsoft’s core business is providing cloud computing services, such as Azure or Office360, that store sensitive data and power business and government across key sectors of the world. economy.
The report criticized Microsoft’s corporate culture as “at odds with… the level of trust customers have in the company.”
The review identified a series of strategic and operational decisions by Microsoft that paved the way for the breach, including the failure to identify a new employee’s compromised laptop following the injury. company acquisition in 2021.
It also found that Microsoft failed to meet safety standards commonly found in competing cloud companies, including Google, Amazon and Oracle.
“The Board finds that this intrusion could have been prevented and should never have occurred,” the review said, pointing out “a series of avoidable errors by Microsoft that allowed the intrusion to occur.” This import was successful”.
– ‘Lasting change’ –
The report also recommends that Microsoft develop and publish a plan with timelines for enacting broad-based security reforms across its products and operations.
“The real challenge is how do you achieve lasting and effective cultural change,” Smith said, noting that Microsoft has nearly 226,000 employees.
Smith said Microsoft has about 34,000 engineers working full-time to address security shortcomings in “the largest engineering project focused on cybersecurity in the history of digital technology.”
According to Smith, Microsoft’s board on Wednesday approved a change that will tie cybersecurity achievements to annual bonuses for senior executives and make it part of evaluations. every year for every employee.
Smith told the committee that Microsoft detects about 300 million cyberattacks against its customers every day, most of which come from China, Iran, South Korea, Russia or ransomware operations.
“We are dealing with four formidable adversaries in China, Russia, North Korea and Iran and they are getting better,” Smith said.
“We can expect them to work together; They are launching attacks at extraordinary speed.”
While it’s inevitable that adversaries will use artificial intelligence for increasingly sophisticated attacks, the technology is already being used to strengthen cyber defenses, Smith added.
One more thing! We are now on WhatsApp Channel! Follow us there so you never miss any updates from the world of technology. To follow HT Tech channel on WhatsApp, click This to join now!
