These incidents came as security experts increasingly criticized Microsoft for failing to fix bugs in its products in a timely and appropriate manner. As the U.S. government’s largest technology provider by far, Microsoft vulnerabilities account for the lion’s share of both newly discovered and most widespread software bugs. Many experts say Microsoft is refusing to make the necessary cybersecurity improvements to keep pace with evolving challenges.
Microsoft has “failed to adapt their security investments and thinking to the threat,” says a prominent cyber policy expert. “It’s a huge bullshit from someone who has the resources and internal technical capacity like Microsoft.”
The US Department of Homeland Security’s CSRB confirmed this view in its new report on the Chinese incursion in 2023, saying Microsoft “exhibited a corporate culture that deprioritized both investments in corporate security and rigorous risk management.” The report also criticized Microsoft for releasing inaccurate information about the possible causes of the recent Chinese intrusion.
According to several experts, the latest breaches show that Microsoft has failed to implement basic security measures.
Adam Meyers, senior vice president of intelligence at security firm CrowdStrike, points to the Russians’ ability to move from a test environment to a production environment. “This should never happen,” he says. Another cyber expert who works at a Microsoft competitor highlighted China’s ability to spy on the communications of multiple agencies through a single breach, echoing the CSRB report that criticized Microsoft’s authentication system for failing enable broad access with a single login key.
“You don’t hear about such breaches from other cloud service providers,” says Meyers.
According to the CSRB report, Microsoft “has not sufficiently prioritized restructuring its legacy infrastructure to address the current threat landscape.”
In response to written questions, Microsoft tells WIRED that it is aggressively improving its security in response to recent incidents.
“We are committed to adapting to the evolving threat landscape and working with industry and government to defend against these growing and sophisticated global threats,” said Steve Faehl, chief technology officer of Microsoft’s federal security business.
As part of its Secure Future Initiative launched in November, Faehl said Microsoft has improved its ability to automatically detect and block misuse of employee accounts, started searching for more types of sensitive information in network traffic and reduced access granted by individual authentication keys. and created new permission requirements for employees who want to create company accounts.
Faehl said Microsoft has also deployed “thousands of engineers” to improve its products and has begun convening senior executives for status updates at least twice a week.
The new initiative represents Microsoft’s “roadmap and commitment to address many of the issues identified as priorities in the CSRB report,” says Faehl. Still, Microsoft does not accept that its security culture is broken, as the CSRB report argues. “We don’t agree with that characterization at all,” says Faehl, “although we agree that we haven’t been perfect and we still have a lot of work to do.”
An “addiction” to security revenue
Microsoft has drawn particular hostility from the cybersecurity community for charging its customers extra fees for better security measures such as threat monitoring, antivirus protection and user access management. In January 2023, the company announced that its security division had achieved annual revenue of over $20 billion.
“Microsoft has come to view cybersecurity as something that will generate revenue for them,” said Juan Andrés Guerrero-Saade, assistant vice president of research at security firm SentinelOne. His colleague Alex Stamos recently wrote that Microsoft’s “addiction” to that revenue “has seriously distorted their product design decisions.”