Congress grills Microsoft president over security failures

Microsoft President Brad Smith testifies on a wide range of issues, including Chinese and Russian nation-state attacks, the controversial AI-powered Recall feature and more.

Microsoft President Brad Smith addressed Microsoft's recent security shortfalls during a House Committee on Homeland Security hearing Thursday.

The hearing, titled "A Cascade of Security Failures: Assessing Microsoft Corporation's Cybersecurity Shortfalls and the Implications for Homeland Security," focused primarily on the findings of April's Cyber Safety Review Board (CSRB) report. The report found that a "cascade" of errors led to a Chinese nation-state threat actor tracked as Storm-0558 breaching email accounts at 22 organizations last year, including some federal agencies.

The threat actors accessed accounts in Outlook Web Access in Exchange Online and Outlook.com by forging authentication tokens with a stolen Microsoft account (MSA) signing key. A Federal Civilian Executive Branch agency detected suspicious activity in its Microsoft 365 environment a month before disclosure, and the breach was detected only because government Microsoft 365 licenses include enhanced cloud logging features that, at the time, were not available at all subscription levels. Microsoft addressed this latter issue last September.

However, the Storm-0558 attack was far from the only topic that came up during the nearly three-hour meeting. Smith also discussed and responded to questions from members of Congress about topics including the breach Microsoft disclosed in January involving Russian nation-state actor Midnight Blizzard; Microsoft's highly controversial AI-powered Recall feature, which was delayed mere hours after the testimony; and Microsoft's efforts to prioritize security at all company levels in the form of its Secure Future Initiative.

In his written testimony, Smith said Microsoft "accepts responsibility for each and every one of the issues cited in the CSRB's report" without equivocation, hesitation or defensiveness, and that the company is in the process of addressing all of the CSRB's recommendations. He also apologized and expressed regret on behalf of Microsoft to those affected by the tech giant's security missteps and admitted that the Midnight Blizzard and Storm-0558 attacks could have been prevented.

"In sum, we accept responsibility for the past and are applying what we've learned to help build a more secure future. We are pursuing new strategies, investing more resources, and fostering a stronger cybersecurity culture," Smith wrote. "We have reallocated resources and have assigned technical and engineering employees across the company to this endeavor, dedicating the equivalent of 34,000 full-time engineers to what has become the single largest cybersecurity engineering project in the history of digital technology. And we are identifying new opportunities not just for ourselves, but for all our customers and for greater collaboration across the private and public sectors."

Smith was repeatedly asked about a ProPublica article published Thursday in which a former employee, Andrew Harris, said Microsoft dismissed warnings of a critical flaw he discovered because, he claimed, it would have massive financial consequences for the tech giant. Russian state-sponsored hackers used the flaw, dubbed "Golden SAML," during the SolarWinds attacks to further compromise critical organizations -- including, ProPublica reported, the National Nuclear Security Administration. Smith declined to comment during the hearing because he said he had not read the article.

At one point, Rep. Clay Higgins (R-La.) asked Smith about the MSA key used in the Storm-0558 attack. Microsoft said in a September 2023 blog post that the MSA key was incorrectly included in a crash dump, and Storm-0558 obtained a Microsoft engineer's credentials to access a debugging environment containing said key. The CSRB investigation, however, found that "Microsoft has no evidence or logs showing the stolen key's presence in or exfiltration from a crash dump." This was not reflected in the initial blog post until Microsoft updated it on March 12.

Asked why this occurred, Smith told Higgins that it's a question he asked his team when he read the CSRB report because "it's the part of the report that surprised me the most."

"We had five versions of that original blog and four updates, and we do a lot of updates of these reports. And when I asked the team, they said the specific thing that had changed -- namely, a hypothesis about the cause of the intrusion -- it changed over time, but it didn't change in a way that would give anyone useful or actionable information that they could apply."

In response, Higgins said, "Respectfully, that answer does not encourage trust" and that he did not accept Smith's answer. Smith then added, "I said the same thing, and we had the same conversation inside the company."

Smith also fielded questions regarding Recall, a tool announced alongside Microsoft's AI-powered Copilot+ PCs for Windows, unveiled last month. The tool uses a natural language model to take a snapshot of a user's work every five seconds, intended to help the user find previously viewed content; it has been criticized for posing significant data privacy and security concerns.

During a response to a question about secure by design practices, Smith said it was something considered during the development of Recall and that "we have the time to do this right," even though the feature hadn't yet been delayed and was mere days from reaching the public. When asked later about how Microsoft would incorporate secure by design principles into Recall, Smith noted that the feature "hasn't yet been finished" and that "we designed it so it's off by default," even though Recall was introduced as an opt-out feature.

"This product hasn't yet been launched. The feature hasn't yet been finished, and we've had a process to share information and take lots of feedback. We've designed it so it's off by default, so that people have to choose to turn it on. And we can share information with them before they make that decision. We've designed the feature so that the information always stays on one's own PC. Doesn't go to Microsoft, it doesn't go anywhere else," he said. "We're trying to take a very comprehensive approach to addressing all of the security and privacy issues as well."

TechTarget Editorial asked Microsoft whether Recall's delay was tied at all to Smith's testimony, but the company has not responded at press time.

Alexander Culafi is a senior information security news writer and podcast host for TechTarget Editorial.
