Infosec professionals praise CSRB report on Microsoft breach

Report reactions

In a statement shared with TechTarget Editorial, Tenable Chairman and CEO Amit Yoran said he "couldn't be prouder of how CISA and CSRB are maturing." The board was established in 2022 by the Department of Homeland Security, via an executive order from President Joe Biden, to investigate and assess significant cyberattacks and incidents to identify areas of needed improvement in both the public and private sectors.

"The CSRB issued a masterful piece of work. This is not some watered-down, wishy-washy document full of government speak and platitudes," Yoran said. "It identified a series of Microsoft operational and strategic decisions that collectively pointed to a corporate culture that deprioritized enterprise security investments and rigorous risk management, at odds with the company's centrality in the technology ecosystem and the level of trust customers place in the company to protect their data and operations."

Karan Sondhi, Trellix public sector CTO, warned of the "national security risks" posed by Microsoft.

"The world is just beginning to unpack the national security risks posed by Microsoft. [The CSRB] is right to worry about the use of Microsoft solutions as the dominant provider of mission-critical software to the federal government and enterprises," Sondhi said. "Today's report from the Cyber Safety Review Board further emphasizes the risk. Addressing the larger set of Microsoft security concerns, including their lack of action to address vulnerabilities in their products, their corporate infrastructure and their AI safety, is key to ensuring technology vendors are held to a high standard."

Omri Weinberg, co-founder and chief revenue officer at data and collaboration security vendor DoControl, called the report's tone "aggressive but not overly so, given the factors at play, both technical and political." He felt that the U.S. government, a subject of the Storm-0558 attacks, could be inclined to more aggressively direct blame.

Childs praised the tone of the document. "I don't find the report brutal at all," he said. "I find it incredibly well documented and almost clinical in nature. It's like an autopsy, but it just so happens that the subject matter itself is brutal. I count 179 footnotes to references, which is thorough. The 25 recommendations are also."

In an email, Adam Meyers, CrowdStrike senior vice president of counter adversary operations, called Microsoft a "national security risk" and said the tech giant must be held accountable.

"The report soberly states that this incident was preventable and never should have happened, as this is not the first intrusion perpetrated by nation-state adversaries that penetrated Microsoft's cloud environments," Meyers said. "The report objectively highlights the rapid cultural change that needs to happen in Redmond. This starts with making security a priority -- it can no longer be an afterthought."

Microsoft's Secure Future Initiative in doubt?

In a statement shared with TechTarget Editorial following the report's publishing, a Microsoft spokesperson thanked the CSRB for its investigation and reiterated Microsoft's commitment to adopting a new culture of security per its announcement of the Secure Future Initiative last fall. In the announcement, Microsoft said it would address vulnerability mitigation and software development issues, while also committing to greater transparency.

Microsoft's complete statement reads as follows:

We appreciate the work of the CSRB to investigate the impact of well-resourced nation state threat actors who operate continuously and without meaningful deterrence. As we announced in our Secure Future Initiative, recent events have demonstrated a need to adopt a new culture of engineering security in our own networks. While no organization is immune to cyberattack from well-resourced adversaries, we have mobilized our engineering teams to identify and mitigate legacy infrastructure, improve processes, and enforce security benchmarks. Our security engineers continue to harden all our systems against attack and implement even more robust sensors and logs to help us detect and repel the cyber-armies of our adversaries. We will also review the final report for additional recommendations.

Childs highlighted a line in the CSRB report stating that "Microsoft's customers would benefit from its CEO and Board of Directors directly focusing on the company's security culture."

"If their Secure Future Initiative had any real teeth, I doubt the CSRB report would start with that," Childs said. "I know I was hopeful when Microsoft announced the Secure Future Initiative, but I haven't really seen any positive changes that have resulted from it."

John Bambenek, president at security consultancy Bambenek Consulting, noted the timing of the Secure Future Initiative announcement, which came a few months after Microsoft disclosed the Storm-0558 breach.

"Given the timing, I suspect the announcement was in part a response to the breach and having an idea what the board was going to say," Bambenek said. "It's always easy to both say and actually commit to being secure after a breach. What matters is, will this commitment still be there in 2026? About two years after a major breach, complacency tends to come back."

Alexander Culafi is a senior information security news writer and podcast host for TechTarget Editorial.