Microsoft Admits Security Failings Allowed China to Access US Government Emails

Microsoft President Brad Smith acknowledged significant security lapses by the company that facilitated Chinese state hackers’ access to US government officials’ emails during the summer of 2023.

Speaking before the US House Committee on Homeland Security on June 13, 2024, Smith unequivocally accepted responsibility for all issues identified in the Cyber Safety Review Board (CSRB) report.

The CSRB report, published in April 2024, attributed the breach to a series of security failures at Microsoft that enabled the Chinese threat actor Storm-0558 to access the email accounts of 25 organizations, including US government entities.

The attackers combined a Microsoft encryption key with vulnerabilities in the authentication system of Exchange Online, giving them unfettered access to virtually any account globally.

Among the findings, the CSRB investigation highlighted deficiencies in Microsoft’s security culture and gaps in its mergers and acquisitions (M&A) security assessment processes, which contributed to the successful cyber espionage.

In response, the CSRB issued 25 cybersecurity recommendations to Microsoft and other cloud service providers to prevent future breaches.

Smith emphasized Microsoft’s critical role in cybersecurity, not only for its customers but also for the US and allied nations. He acknowledged that geopolitical conflicts such as the Russia-Ukraine war have heightened the cyber threat, driving a surge in sophisticated attacks by state actors.

Apologizing to those affected by the Storm-0558 attack, Smith outlined Microsoft’s commitment to bolstering cybersecurity measures based on the CSRB report’s findings.

Microsoft plans to implement all 16 recommendations applicable to the company, including transitioning to a new hardened key management system for identity systems and deploying enhanced detection measures for token validation.
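The two commitments above, a hardened key management system and better detection around token validation, rest on one general principle: a token should be accepted only if it was signed by a key that is registered and authorized for that token's issuer and audience, and every rejection should be logged as a detection signal. The following is an added illustration of that principle, written for this article and not code from Microsoft or the CSRB report; the HMAC-based token format, the key registry, the issuer and audience names, and the `DETECTION_LOG` sink are all constructed for the example.

```python
"""Toy token validator that binds each signing key to the issuers and
audiences it may sign for, and records every rejection for detection.
Constructed example in JWT layout using only the standard library."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Constructed key registry (hypothetical names). Each key id is bound to the
# issuers and audiences it is allowed to sign for, so a correctly signed token
# is still rejected when the key is used outside its scope.
KEY_REGISTRY = {
    "consumer-key-1": {
        "secret": b"constructed-consumer-secret",
        "issuers": {"https://login.example.test/consumer"},
        "audiences": {"consumer-mail-api"},
    },
    "enterprise-key-7": {
        "secret": b"constructed-enterprise-secret",
        "issuers": {"https://login.example.test/enterprise"},
        "audiences": {"enterprise-mail-api"},
    },
}

# Rejections are appended here; a real deployment would ship them to a SIEM.
DETECTION_LOG = []


def mint_token(kid: str, claims: dict, secret: Optional[bytes] = None) -> str:
    """Mint a demo token; the secret defaults to the registered key for kid."""
    secret = KEY_REGISTRY[kid]["secret"] if secret is None else secret
    header = b64url_encode(json.dumps({"alg": "HS256", "kid": kid}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def validate_token(token: str, expected_aud: str,
                   now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (accepted, reason). Every rejection is logged with context."""
    now = time.time() if now is None else now

    def reject(reason: str, **ctx):
        DETECTION_LOG.append({"event": "token_rejected", "reason": reason, **ctx})
        return False, reason

    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        payload = json.loads(b64url_decode(payload_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:  # covers split, base64 and JSON decoding failures
        return reject("malformed_token")

    kid = header.get("kid")
    key = KEY_REGISTRY.get(kid)
    if key is None or header.get("alg") != "HS256":
        return reject("unknown_key_or_alg", kid=kid)

    # Constant-time signature check against the registered key material.
    expected = hmac.new(key["secret"], f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return reject("bad_signature", kid=kid)

    # Scope binding: a valid signature from a key that is not authorized for
    # this issuer or audience is rejected, and that mismatch is the event a
    # SOC most wants to see.
    if payload.get("iss") not in key["issuers"]:
        return reject("key_not_authorized_for_issuer", kid=kid, iss=payload.get("iss"))
    if payload.get("aud") != expected_aud or expected_aud not in key["audiences"]:
        return reject("key_not_authorized_for_audience", kid=kid, aud=payload.get("aud"))
    if not isinstance(payload.get("exp"), (int, float)) or payload["exp"] <= now:
        return reject("expired", kid=kid)
    return True, "ok"
```

The check order matters for what the log tells you: a signature failure is noise that any scanner can generate, whereas a token that verifies under a registered key but names an issuer or audience that key was never authorized for points at misuse of key material and deserves an alert of its own.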

To reinforce a security-first culture, Microsoft has expanded its security workforce by 1600 engineers this fiscal year, with an additional 800 positions planned for the next fiscal year. The company also established the Office of the Chief Information Security Officer (CISO) to oversee security integration into engineering processes.

Smith highlighted Microsoft’s Secure Future Initiative (SFI), launched in November 2023, aimed at embedding secure-by-design principles across its products and services.

In conclusion, Smith affirmed Microsoft’s accountability for past failures while committing to leveraging these lessons to forge a more secure future through enhanced strategies, investments, and cultural transformation.

Following Smith’s testimony, Microsoft announced the postponement of its Recall AI feature for Copilot and Windows PCs to conduct further security testing and address privacy concerns. Initially slated for broad release on June 18, 2024, Recall will now debut first in the Windows Insider Program in the coming weeks, offering users clearer opt-in choices.