NIXsolutions: Microsoft’s Security Practices Under Scrutiny

Microsoft President Brad Smith testified before the House Homeland Security Committee regarding the company’s practices that exposed its government customers to security risks. Lawmakers expressed concern about Microsoft’s plans to improve its systems’ security following a series of hacks last year. These breaches compromised the email accounts of US federal officials, raising doubts about Microsoft’s credentials as a major government contractor. The Federal Cybersecurity Oversight Board attributed the incident to a “cascade of preventable errors” and a corporate security culture “that requires overhaul.”
Incident and Criticism

The hacks involved individuals associated with China’s Ministry of State Security using a tool to create digital keys that allowed them to impersonate any existing Microsoft customer. They posed as employees of 22 organizations, including the US State Department and the US Department of Commerce, reading emails of high-profile officials such as Gina Raimondo, the head of the Department of Commerce. This incident has led to significant criticism of Microsoft, a longstanding government contractor, with calls from rival companies and some authorities to reduce government dependence on the software giant.

Recently, two senators questioned the Pentagon’s decision to improve the technical security of unclassified Defense Department systems by purchasing expensive Microsoft licenses instead of cheaper solutions from other vendors, NIXsolutions notes. At the hearing, Smith was asked about the risks of military dependence on a single supplier. He argued that a multi-vendor environment is equally risky because hackers can exploit the seams where two systems connect. When asked about a Microsoft security expert’s repeated reports of a vulnerability, Smith stated he had not read the related article and said that the vulnerability was linked to an industry standard rather than a specific Microsoft product.

Future Initiatives and Ongoing Concerns

Questions also arose about Microsoft’s operations in China, which account for 1.5 percent of its revenue. Smith clarified that Microsoft primarily serves other American companies in China and is not subject to laws requiring assistance to local security agencies and the military. He highlighted a new initiative at Microsoft, with 1,600 specialized engineers dedicated to security issues this fiscal year and an additional 800 positions to be added next year. Smith gave assurances that security is now a priority for the company and pledged to implement the recommendations from the White House’s oversight board for both Microsoft and the industry.

Smith’s testimony also coincided with public concerns about Microsoft’s new Recall feature for Windows, which stores screenshots of user actions locally. Critics argue that administrators or hackers with access to these screenshots could compromise sensitive data. Microsoft initially refrained from commenting but later promised to enhance security features for Recall. Following Smith’s testimony, the company announced a delay in the feature’s rollout.

We’ll keep you updated as more information becomes available regarding Microsoft’s efforts to address these security concerns and implement recommended changes.