Getty Images

Infosec professionals praise CSRB report on Microsoft breach

Security professionals and executives weigh in on how the Cyber Safety Review Board handled its investigation into Microsoft and what it could mean for the tech giant.

Security professionals have broadly praised the U.S. Department of Homeland Security's Cyber Safety Review Board for its handling of a highly critical report involving Microsoft's response to a major breach last year.

The CSRB report, published Tuesday, is the result of an investigation that occurred following a breach disclosed last July in which a Chinese nation-state actor tracked as Storm-0558 used a stolen Microsoft account (MSA) signing key to gain access to 22 customer organizations, including federal government agencies.

The report criticized the tech giant on several fronts and found that the breach was the result of a "cascade" of preventable errors on Microsoft's part. The CSRB noted that Microsoft failed to detect the theft of its "cryptographic crown jewels" and instead relied on a customer -- the U.S. State Department -- to do so. And according to the CSRB, Microsoft still does not know how exactly the MSA signing key was stolen.

The tech giant claimed in a September blog post that the MSA key had been incorrectly included in a crash dump inside the company network. The CSRB said Microsoft found no evidence or logs proving this, and the blog post was not updated to correct the inaccurate information until March 12.

The CSRB's ultimate conclusion in the report was that "Microsoft's security culture was inadequate and requires an overhaul." That conclusion was based in part on "Microsoft's decision not to correct, in a timely manner, its inaccurate public statements about this incident, including a corporate statement that Microsoft believed it had determined the likely root cause of the intrusion when in fact, it still has not; even though Microsoft acknowledged to the Board in November 2023 that its September 6, 2023 blog post about the root cause was inaccurate, it did not update that post until March 12, 2024, as the Board was concluding its review and only after the Board's repeated questioning about Microsoft's plans to issue a correction," the report said.

Dustin Childs, head of threat awareness at Trend Micro's Zero Day Initiative, told TechTarget Editorial that Microsoft's delay in correcting the record regarding the theft of the MSA key was a major misstep.

"I've done crisis communications and have written many such blogs (including many that were never published)," he said in an email. "One of the worst things you can do in a crisis is publish incomplete or inaccurate information. It's bad enough that they did it -- and at the time, they may have thought the information was correct -- but to not update the blog when it became apparent the information was not factual is careless at best and negligent at worst."

Report reactions

In a statement shared with TechTarget Editorial, Tenable Chairman and CEO Amit Yoran said he "couldn't be prouder of how CISA and CSRB are maturing." The board was established in 2022 by the Department of Homeland Security, via an executive order from President Joe Biden, to investigate and assess significant cyberattacks and incidents to identify areas of needed improvement in both the public and private sectors.

"The CSRB issued a masterful piece of work. This is not some watered-down, wishy-washy document full of government speak and platitudes," Yoran said. "It identified a series of Microsoft operational and strategic decisions that collectively pointed to a corporate culture that deprioritized enterprise security investments and rigorous risk management, at odds with the company's centrality in the technology ecosystem and the level of trust customers place in the company to protect their data and operations."

Karan Sondhi, Trellix public sector CTO, warned of the "national security risks" posed by Microsoft.

"The world is just beginning to unpack the national security risks posed by Microsoft. [The CSRB] is right to worry about the use of Microsoft solutions as the dominant provider of mission-critical software to the federal government and enterprises," Sondhi said. "Today's report from the Cyber Safety Review Board further emphasizes the risk. Addressing the larger set of Microsoft security concerns, including their lack of action to address vulnerabilities in their products, their corporate infrastructure and their AI safety, is key to ensuring technology vendors are held to a high standard."

Omri Weinberg, co-founder and chief revenue officer at data and collaboration security vendor DoControl, called the report's tone "aggressive but not overly so, given the factors at play, both technical and political." He felt that the U.S. government, a subject of the Storm-0558 attacks, could be inclined to more aggressively direct blame.

Childs praised the tone of the document. "I don't find the report brutal at all," he said. "I find it incredibly well documented and almost clinical in nature. It's like an autopsy, but it just so happens that the subject matter itself is brutal. I count 179 footnotes to references, which is thorough. The 25 recommendations are also."

In an email, Adam Meyers, CrowdStrike senior vice president of counter adversary operations, called Microsoft a "national security risk" and said the tech giant must be held accountable.

"The report soberly states that this incident was preventable and never should have happened, as this is not the first intrusion perpetrated by nation-state adversaries that penetrated Microsoft's cloud environments," Meyers said. "The report objectively highlights the rapid cultural change that needs to happen in Redmond. This starts with making security a priority -- it can no longer be an afterthought."

Microsoft's Secure Future Initiative in doubt?

In a statement shared with TechTarget Editorial following the report's publishing, a Microsoft spokesperson thanked the CSRB for its investigation and reiterated Microsoft's commitment to adopting a new culture of security per its announcement of the Secure Future Initiative last fall. In the announcement, Microsoft said it would address vulnerability mitigation and software development issues, while also committing to greater transparency.

Microsoft's complete statement reads as follows:

We appreciate the work of the CSRB to investigate the impact of well-resourced nation state threat actors who operate continuously and without meaningful deterrence. As we announced in our Secure Future Initiative, recent events have demonstrated a need to adopt a new culture of engineering security in our own networks. While no organization is immune to cyberattack from well-resourced adversaries, we have mobilized our engineering teams to identify and mitigate legacy infrastructure, improve processes, and enforce security benchmarks. Our security engineers continue to harden all our systems against attack and implement even more robust sensors and logs to help us detect and repel the cyber-armies of our adversaries. We will also review the final report for additional recommendations.

Childs highlighted a line in the CSRB report stating that "Microsoft's customers would benefit from its CEO and Board of Directors directly focusing on the company's security culture."

"If their Secure Future Initiative had any real teeth, I doubt the CSRB report would start with that," Childs said. "I know I was hopeful when Microsoft announced the Secure Future Initiative, but I haven't really seen any positive changes that have resulted from it."

John Bambenek, president at security consultancy Bambenek Consulting, noted the timing of the Secure Future Initiative announcement, which came a few months after Microsoft disclosed the Storm-0558 breach.

"Given the timing, I suspect the announcement was in part a response to the breach and having an idea what the board was going to say," Bambenek said. "It's always easy to both say and actually commit to being secure after a breach. What matters is, will this commitment still be there in 2026? About two years after a major breach, complacency tends to come back."

Alexander Culafi is a senior information security news writer and podcast host for TechTarget Editorial.

Dig Deeper on Threats and vulnerabilities

Enterprise Desktop
Cloud Computing