Cloud Security

Microsoft’s Security Chickens Have Come Home to Roost

News analysis: SecurityWeek editor-at-large Ryan Naraine reads the CSRB report on China’s audacious hack of Microsoft’s Exchange Online and isn’t at all surprised by the findings.

The US government’s public documentation of Microsoft’s shoddy cybersecurity practices, lax corporate culture and untruthfulness in public communications should come as no surprise to anyone. 

There were dark patterns everywhere. For years, we collectively groaned and rolled our eyes as Microsoft shipped faulty and incomplete patches, gutted its Patch Tuesday bulletins into irrelevance, fought with hackers reporting security problems, and made baffling trade-offs around cybersecurity transparency.

Even the ‘/security’ page, for years used as a place to simplify the distribution of security warnings, mitigation guidance and software patches, morphed into a landing page to hawk Microsoft’s newly “AI-powered” cybersecurity products.

On the flip side, every communication out of Microsoft is meant to project cybersecurity power, with constant reminders that cybersecurity is big business in Redmond, generating $20 billion a year today while it builds a so-called “AI-based cyber shield” to protect the world.  

This “dangerous addiction to security revenue,” as Alex Stamos just described it, gets even uglier when Microsoft’s own security problems are used to upsell customers and important mitigation technologies are only available in expensive licensing packages.

In its review of the Microsoft Exchange Online hack, the government’s Cyber Safety Review Board (CSRB) called out “a cascade of Microsoft’s avoidable errors that allowed this intrusion to succeed” and warned that a second nation state-backed hacking team (Russia) has also been rummaging through highly sensitive Microsoft corporate email accounts, source code repositories, and internal systems.

“The Board finds that this intrusion was preventable and should never have occurred,” the CSRB said, bluntly. “Microsoft’s security culture was inadequate and requires an overhaul, particularly in light of the company’s centrality in the technology ecosystem and the level of trust customers place in the company to protect their data and operations.”

The CSRB, which styles itself as an independent investigative agency similar to the NTSB, said it found “a series of Microsoft operational and strategic decisions that collectively point to a corporate culture that deprioritized both enterprise security investments and rigorous risk management.”


It goes further, pointing the finger directly at CEO Satya Nadella and calling on Redmond’s leadership to “directly focus” on the company’s security culture and to develop and share publicly a plan with specific timelines to make fundamental, security-focused reforms across the company and its full suite of products.  

Microsoft has already pre-empted the CSRB’s findings with the announcement of a Secure Future Initiative promising faster cloud patches, better management of identity signing keys and products with a higher default security bar. But the CSRB wants Nadella to direct internal Microsoft teams to deprioritize feature development across its cloud infrastructure and product suite until security risks are fully addressed.

While unsurprising, the CSRB findings should scare us all. Microsoft is too big to fail, with its OS and cloud technologies powering some of the most critical and essential services on earth. It’s not quite a monoculture from the Dan Geer era, but it’s near impossible to avoid interacting with Microsoft’s ecosystems today, whether it’s Azure, M365, LinkedIn or Xbox.

As the report notes, Microsoft and cloud service providers (CSPs) are custodians of nearly unimaginable amounts of data, from consumer personal information to communications of U.S. diplomats and other senior government officials, as well as commercial trade secrets and intellectual property.

Important businesses large and small have made the bet to become “Microsoft shops,” adding to supply chain risks while large parts of the anti-malware world are dependent on Defender detections and discoveries from the company’s (very strong!) threat intelligence research teams.

For those deeply entrenched in Microsoft’s world, security costs can add up significantly, especially for granular logging to help with security incident detection, investigation, and response. “This course of business should stop,” the CSRB notes, arguing that security-related logging should be a core element of cloud offerings.

The CSRB report is a remarkable document, providing a blow-by-blow account of one of the most daring APT attacks in history against a company that somehow blew a decade’s worth of goodwill and completely lost its way in security.

Very few should be surprised.

Related: US Gov Rips Microsoft for Shoddy Security, Poor Response to Chinese Hack

Related: After Major Cloud Hacks, Microsoft Unveils ‘Secure Future Initiative’

Related: Microsoft Cloud Hack Exposed More Than Exchange, Outlook Emails

Related: Microsoft Hires New CISO in Major Security Shakeup

Related: Chinese Cyberspies Use Stolen Microsoft Key to Hack Gov Emails

Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.