The Cyber Safety Review Board, which the Biden administration set up via executive order in 2021 and which has been looking into security breaches suffered by Microsoft, has issued a report that tells the rest of us what many in the tech sector have been complaining about for years: in matters of corporate security and transparency, Microsoft does not excel.
According to the scathing report, an error “cascade” by the tech behemoth left the door wide open for cyber-operatives in the employ of the Chinese state to access the email of several senior American officials, including Secretary of Commerce Gina Raimondo.
The report describes a lazy corporate culture shot through with shoddy cybersecurity protocols and habits. The company, the report said, displayed a deep lack of sincerity when asked about its knowledge of the breach, which targeted multiple U.S. agencies tasked with matters involving China.
Microsoft, the report concludes, has an inadequate security culture that requires a full overhaul. Considering Microsoft’s ubiquitous presence in both corporate centers and halls of government worldwide, including in systems that run critical infrastructure and host classified materials, the flaws revealed in the report represent a high-level, persistent threat to the national security of the United States and many other nations, their economies, and their infrastructure.
The intrusion, which happened in May of 2023, was discovered last June by employees at the State Department. The panel’s report ruled that the entire incident was completely preventable, and only occurred because of an embarrassing series of avoidable errors. What’s worse, nearly a year after the fact, Microsoft still claims to be baffled by how the hackers got in.
The panel’s final recommendations urge Microsoft to refrain from adding new features to its cloud computing interface until it makes major security improvements. Further, Microsoft needs to rapidly change its culture, publicly sharing a plan for fundamental security reforms across its entire product and application suite.