Microsoft Needs to Regain Trust

The world’s largest technology company has a security problem. A series of high-profile security incidents has rocked Microsoft in recent years, and a damning report from the Cyber Safety Review Board recently concluded that “Microsoft’s security culture was inadequate and in need of an overhaul.” There are concerns inside Microsoft that the attacks could seriously undermine trust in the company.

Sources tell me that Microsoft’s tech and security teams have been scrambling to respond to new attacks from the same state-sponsored Russian hackers who were behind the SolarWinds incident. The hacking group known as Nobelium or Midnight Blizzard was able to spy on the email accounts of some members of Microsoft’s executive team last year and recently even stole source code.

The ongoing attacks have unnerved many at Microsoft, and teams have worked to improve Microsoft’s defenses and prevent further security breaches as the hackers combed through the stolen information and looked for additional vulnerabilities. Security is always a game of cat and mouse, but it becomes even more difficult when hackers are spying on your communications.

However, these are just the latest in a long line of security breaches. Chinese government hackers attacked Microsoft Exchange servers with zero-day exploits in early 2021, allowing them to access email accounts and install malware on company-hosted servers. Last year, Chinese hackers hacked US government emails thanks to a Microsoft cloud exploit. The incident allowed the hackers to access online email inboxes of 22 organizations, affecting more than 500 people, including U.S. government national security employees.

The U.S. Cyber Safety Review Board described last year’s U.S. government email attack as a “cascade of security failures” that was “preventable.” The panel also found that a number of decisions within Microsoft contributed to “a corporate culture that deemphasized investments in corporate security and rigorous risk management.” Microsoft still isn’t 100 percent sure how the signing key was stolen that allowed the Chinese hackers to forge authentication tokens and access highly sensitive email inboxes.

Microsoft’s main response to these attacks has been the new Secure Future Initiative (SFI), an overhaul of the way the company designs, builds, tests and operates its software and services. The SFI, revealed in November, before the Russian email spying operation was uncovered, is expected to be the biggest change in Microsoft’s security efforts since the company launched its Security Development Lifecycle (SDL) in 2004. The SDL itself was a response to the Blaster worm, which crashed Windows XP machines around the world in 2003 and pushed the company to focus more on security.

Publicly we’ve seen very little of this new Secure Future Initiative, but behind the scenes Microsoft is very concerned about losing customer trust. At an internal leadership conference earlier this month, both Microsoft CEO Satya Nadella and President Brad Smith spoke about the need to prioritize security above all else, according to sources. Microsoft’s senior management fears that these security issues will erode trust and that the company will have to work to win back its customers.

I understand that technical leaders at Microsoft are now prioritizing security over new features or shipping products faster. It comes just weeks after the Cyber Safety Review Board said Microsoft should “deprioritize feature developments across the company’s cloud infrastructure and product suite until significant security improvements have been made.”

I’m told that both AI and security are now the two biggest focuses at Microsoft, especially as the company’s rapid adoption of AI technologies brings with it even more potential security issues. As more Microsoft customers move to the cloud and adopt AI, the need for security increases. Microsoft has built a $20 billion security business through this cloud shift, but it’s largely based on upselling security on top of existing subscriptions.

Longtime Microsoft reporter Mary Jo Foley called earlier this week for Microsoft to “stop selling security as a premium offering.” Foley notes that certain security tools are only available as add-ons on top of Microsoft 365 subscriptions and that some customers were previously unable to see important logging information that could have allowed them to detect incidents.

That view is also shared by former White House senior cyber policy director AJ Grotto. “If you look back at the SolarWinds episode from a few years ago… [Microsoft] was essentially reselling logging capacity to federal agencies,” Grotto said in a recent interview with The Register. “So it was really difficult for authorities to identify their exposure to the SolarWinds breach.”

Microsoft responded to complaints about logging information by increasing the length of time that logs were available from 90 to 180 days last year. However, companies will still have to opt for more expensive Microsoft 365 E5 subscriptions if they want to take advantage of most of Microsoft’s security and compliance features.

Although Microsoft recently had to disclose that Russian hackers had stolen source code, the company announced days later that it would begin selling its Copilot for Security at a pay-as-you-go price. The generative AI chatbot is designed for cybersecurity professionals to help them protect against threats. However, companies will have to pay $4 per hour of usage if they want to use Microsoft’s security-specific AI model.

This upselling, and the great trust that companies place in Microsoft’s software, have not gone unnoticed by legislators. The U.S. government relies heavily on Microsoft’s software, and the email breaches have brought that relationship into even greater focus. “The U.S. government’s dependence on Microsoft poses a serious threat to U.S. national security,” Sen. Ron Wyden (D-OR) said in a statement to Wired. Wyden has been critical of Microsoft’s cybersecurity efforts for years, and he demanded a federal government investigation following the U.S. government email breach last year.

It will be instructive to see how Microsoft responds to growing criticism of its security practices in the coming months. While the Cyber Safety Review Board believes Microsoft’s security culture is broken, Microsoft disagrees. “We strongly disagree with this characterization,” Steve Faehl, chief technology officer of Microsoft’s federal security business, said in a statement to Wired, “though we agree that we haven’t been perfect and we still have a lot of work to do.”

However, Microsoft’s behavior will only change if it is forced to change, Grotto argued in his interview with The Register. “If this review does not lead to changed behavior among customers who want to look elsewhere, Microsoft’s incentives to change will not be as strong as they should be.”
