Oregon senator Ron Wyden wants the U.S. government to hold Microsoft responsible for what he describes as “negligent cybersecurity practices” that enabled “a successful Chinese espionage campaign against the United States government.”
In a strongly worded letter to Attorney General Merrick Garland and the heads of CISA and the FTC, Wyden said the software giant “bears significant responsibility” for the M365 cloud hack that started with the theft of a Microsoft encryption key.
“Since the hackers stole an MSA encryption key, the hackers could create fake authentication tokens to impersonate users and gain access to Microsoft-hosted consumer accounts, even if a user’s account was protected with multi-factor authentication and a strong password,” Wyden noted.
“Government emails were stolen because Microsoft committed another error,” Wyden declared.
When Microsoft acknowledged the hack and the stolen MSA key, the software giant said Outlook.com and Exchange Online were the only applications known to have been affected via the token-forging technique. New research, however, shows that the stolen key gave Chinese hackers access to data beyond Exchange Online and Outlook.com.
The hack, which led to the theft of email from approximately 25 organizations, turned into a bigger embarrassment for Microsoft when customers complained they had zero visibility to investigate because they were not paying for the high-tier E5/G5 license. After intense public pressure, the company announced it would expand logging defaults for lower-tier M365 customers.
According to Senator Wyden, Microsoft never took responsibility for its role in the SolarWinds hacking campaign and instead blamed federal agencies and customers while using the incident to promote its Azure AD product.
While noting Microsoft's public boasts of raking in $20 billion a year in cybersecurity revenue, Wyden called for a “whole of government effort” to hold Microsoft responsible for its alleged cybersecurity negligence.
He called on CISA director Jen Easterly to direct the Cyber Safety Review Board (CSRB) to investigate the latest hack and look at whether Microsoft stored the stolen encryption key in a hardware security module (HSM), a best practice recommended by the National Security Agency.
“The Board should also examine why Microsoft’s negligence was not discovered during the external audits that were required to obtain certification for government use under the FedRAMP program, or during Microsoft’s own internal security reviews,” Wyden added.

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
