Biden Review Board Gives Microsoft a Big, Fat Raspberry – Security Boulevard

Last year’s Chinese hack of federal agencies’ email is still a mystery, and “should never have occurred,” says CISA.

CISA’s Cyber Safety Review Board thinks Microsoft’s cybersecurity is rotten. The company needs cultural reform and needs to stop releasing new features until it fixes the problem, the board says.

Microsoft’s cloud email system was hacked in 2023. But Redmond still doesn’t know how. In today’s SB Blogwatch, we aggregate fruity reactions.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Fab.4 vs. Q.Bey.

What’s the craic? Ellen Nakashima and Joseph Menn broke the story: Microsoft faulted for ‘cascade’ of failures

Need to adopt a new culture
A review board, mandated by President Biden, issued a scathing report Tuesday detailing lapses by … Microsoft that led to a targeted Chinese hack last year of top U.S. government officials’ emails. … The Cyber Safety Review Board [took] aim at shoddy cybersecurity practices, lax corporate culture and a deliberate lack of transparency [and] issued sweeping recommendations.

Beijing’s top spy service, the Ministry of State Security … exploited security gaps in the company’s cloud, allowing MSS hackers to forge credentials. … Microsoft still does not know how the Chinese carried out the attack. … The root cause may never be known, the report indicates.

Microsoft said it appreciated the board’s work: … “Recent events have demonstrated a need to adopt a new culture of engineering security.”

Can you explain it like I’m five? Sam Sabin does, in Microsoft’s ‘inadequate’ cybersecurity:

National security risk
The board’s conclusion is the harshest denouncement of Microsoft’s cybersecurity practices to date following a series of high-profile breaches that’s put U.S. government secrets at risk. … In July, Chinese government hackers were spotted in Microsoft’s cloud networks and appeared to be accessing email inboxes across roughly 25 organizations.

The incident stirred a lot of anxiety across Washington. … The board’s report is already fueling Microsoft’s competitors and critics who have long argued that the tech company’s dominance as the U.S. government’s top cloud provider and enterprise software vendor was a national security risk.

From the horse’s mouth? According to Robert Silvers and the rest of CISA’s Cyber Safety Review Board: Review of the Summer 2023 Microsoft Exchange Online Intrusion

Fundamental, security-focused reforms
This intrusion was preventable and should never have occurred. … Microsoft’s security culture was inadequate and requires an overhaul.

Microsoft’s ubiquitous and critical products … require the company to demonstrate the highest standards of security, accountability, and transparency. [But] a series of Microsoft operational and strategic decisions … deprioritized both enterprise security investments and rigorous risk management.

The Board recommends that Microsoft’s CEO hold senior officers accountable for … fundamental, security-focused reforms across the company and its full suite of products. … Microsoft leadership should consider directing internal … teams to deprioritize feature developments … until substantial security improvements have been made. … Security risks should be fully and appropriately assessed and addressed before new features are deployed.

Who watches the watcher? Jason Keirstead sees the irony:

Meanwhile, Microsoft is the world’s largest cybersecurity vendor. Microsoft currently earns $20B/year in cybersecurity revenue. … Ironically, they also build the products that people are paying them to secure.

Tell me something I didn’t know. Vincent van Gopher kinda fails in this task:

Lax security from Microsoft—who knew? In other news:
• The Pope is Catholic.
• Bears defecate in the woods.

The report has a lot of fancy words. This is the key recommendation, according to dhx:

The [only] tangible outcome appears to be: Stop charging for audit logs. … On this point, Microsoft announced … they’ll make this feature part of the “standard” feature level some time after June.

The rest of the items give the impression of just being a bit angry, but nothing materially planned to be done about it. What other option realistically exists once 99% of businesses and government agencies are locked into using M365?

And stop prioritizing features over security, of course. Here’s what Junta thinks about that:

Frankly, there’s probably very few companies that would stand up to this sort of scrutiny by this audience. Probably none of the companies folks have heard of. The companies that would be respected by this sort of report generally go out of business in the face of a competitor that is able to deliver more capability at more reasonable pricing.

OK, so how do we fix this? BenSlade ponders the situation:

Microsoft didn’t auto rotate their security “signing” keys and didn’t notice they had a stale key? Cancel their $10 billion DOD cloud contract. That should get their attention. 😏
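The stale-key point above is the one piece of the report that translates directly into a control a defender can build: a token whose signature verifies is still not trustworthy if the key that signed it should have been retired. The following is an added illustration, not code from the post, from Microsoft or from the Board’s report. It uses HMAC-SHA256 with constructed secrets and a constructed key set purely so it runs with the standard library; real identity providers use asymmetric keys and publish only the public halves. The 90-day `MAX_KEY_AGE`, the key IDs and the fixed `NOW` timestamp are all assumptions chosen for the example.

```python
import base64
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Constructed sample key set standing in for an identity provider's signing keys.
# "created" is the key's minting time; the rotation policy is expressed as a max age.
SIGNING_KEYS = {
    "key-2024a": {"secret": b"constructed-secret-2024a", "created": "2024-03-01T00:00:00+00:00"},
    "key-2016x": {"secret": b"constructed-secret-2016x", "created": "2016-04-05T00:00:00+00:00"},
}

# Assumed rotation policy: no signing key may be used once it is older than this.
MAX_KEY_AGE = timedelta(days=90)

# Fixed "current time" (constructed) so the example is reproducible.
NOW = datetime(2024, 4, 3, tzinfo=timezone.utc)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def key_age(key: dict, now: datetime) -> timedelta:
    """Age of a signing key relative to `now`."""
    return now - datetime.fromisoformat(key["created"])


def stale_keys(keys: dict, now: datetime, max_age: timedelta = MAX_KEY_AGE) -> list:
    """Inventory check: key IDs that have outlived the rotation policy."""
    return sorted(kid for kid, k in keys.items() if key_age(k, now) > max_age)


def sign_token(claims: dict, kid: str, keys: dict) -> str:
    """Mint a compact JWS-style token (header.payload.signature) with the given key."""
    header = _b64url(json.dumps({"alg": "HS256", "kid": kid}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(keys[kid]["secret"], f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_token(token: str, keys: dict, now: datetime,
                 max_age: timedelta = MAX_KEY_AGE) -> tuple:
    """Return (accepted, reason). Signature validity alone is not sufficient."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
    except (ValueError, json.JSONDecodeError):
        return False, "malformed token"
    key = keys.get(header.get("kid"))
    if key is None:
        return False, "unknown kid"
    expected = hmac.new(key["secret"], f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return False, "bad signature"
    # Lifecycle check: refuse tokens minted with a key past its rotation deadline,
    # even though the signature itself is cryptographically valid.
    age = key_age(key, now)
    if age > max_age:
        return False, f"signing key {header['kid']} is stale ({age.days} days old)"
    return True, "ok"


if __name__ == "__main__":
    print("stale keys:", stale_keys(SIGNING_KEYS, NOW))
    for kid in SIGNING_KEYS:
        tok = sign_token({"sub": "alice"}, kid, SIGNING_KEYS)
        print(kid, "->", verify_token(tok, SIGNING_KEYS, NOW))
```

Two separate checks matter here: `stale_keys` is the inventory alarm that should fire long before an old key is ever presented, and the age test inside `verify_token` is the backstop at the relying party, so a forgotten key cannot keep producing accepted tokens just because nobody removed it from the key set.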

To be fair, Microsoft is listening. Kevin Beaumont, a.k.a. @[email protected], is even-handed:

I will say, to Microsoft’s credit; I’ve heard they got the memo on security and plan a range of things including org. and governance changes.

MS need a properly centralised security op model, like you see at—well—every other org. … Security should be treated like safety: If you endanger customers, you’re on the naughty step.

And Dan 55 sounds slightly sarcastic:

Ten years ago, Microsoft fired their QA and decided to crowdsource testing. Nobody could have foreseen what happened next.

Meanwhile, EAtmULFO sees into the future:

I wonder if they are now going to find/replace “China” for “Russia” and publish the next Microsoft Cyber Safety Review Board findings for the Russian hacks? May as well.

And Finally

When I heard QB’s cover on Saturday, I knew it was only a matter of time


You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites—so you don’t have to. Hate mail may be directed to @RiCHi, @richij, @[email protected], @richi.bsky.social or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.

Image sauce: Mockup Graphics (via Unsplash; leveled and cropped)
