Microsoft President receives subpoena from the US House of Representatives

US authorities and government react to Microsoft's IT security failures. Brad Smith is to appear before the US House of Representatives.

Brad Smith

(Image: Ben McShane/Web Summit via Sportsfile CC BY 2.0)

This article was originally published in German and has been automatically translated.

The US authorities and the US government are reacting increasingly harshly to Microsoft's lapses in IT security in recent years. Now Microsoft's President Brad Smith has received a subpoena to appear before the Homeland Security Committee of the US House of Representatives.

In the PDF of the subpoena published by CNBC, the committee members write that Smith is to testify in a public hearing entitled "A cascade of security failures: Assessing Microsoft's Cybersecurity Deficiencies and the Implications for Homeland Security". The hearing will take place on May 22. It is intended to give Microsoft the opportunity to present its own perspective on the Cyber Safety Review Board (CSRB) report "Overview of the Microsoft Online Exchange Incident from Summer 2023".

The US Department of Homeland Security issued a damning verdict on how Microsoft responded to the incident involving the Azure master key stolen by suspected Chinese cybercriminals. The attackers were able to use the stolen key to access the online Exchange accounts of various US government agencies, for example. A cascade of avoidable errors made the attack possible, and the company did not even notice the theft of the "cryptographic crown jewels" itself. In September, Microsoft also claimed to have found the cause of the incident, but this was not true. The correction was only made after repeated requests by the Board in March.

"The hearing will specifically examine Microsoft's views on the company's security deficiencies, challenges in preventing significant cyberattacks by suspected national threat actors, and plans to strengthen security measures in the future," Homeland Security Committee Chairman Mark Green and Ranking Member Bennie Thompson wrote in the subpoena. Microsoft, as a provider of operating systems, cloud platforms and productivity software to U.S. government agencies - including those within the U.S. intelligence community - has a profound responsibility to prioritize and implement effective IT security measures. However, the CSRB report has shown that Microsoft has repeatedly failed to prevent cyber intrusions, with serious consequences for the security and integrity of US government data, networks and information. This puts Americans, including U.S. government officials, at risk.

The committee also cites the interception of Microsoft emails by the criminal group Midnight Blizzard as alarming. "These are just two of many examples of cyberattacks that have occurred in recent years due to Microsoft's negligence in the area of cybersecurity at certain U.S. government agencies." It is imperative "that Microsoft, which accounts for nearly 85 percent of the U.S. government's productivity software market share, be held accountable to the same degree as the rest of the U.S. government's trusted vendors." However, the authors of the subpoena add that Microsoft's recent announcements are an encouraging ray of hope.

Microsoft has been trying to calm the waters for some time. Last November, for example, the company announced its intention to set up a "Secure Future Initiative" (SFI). The aim is to pool resources and strengthen resilience against cyberattacks on the basis of three pillars. In a discussion with analysts about Microsoft's quarterly figures two weeks ago, CEO Satya Nadella also announced that Microsoft wanted to make IT security its "number one priority".

(dmk)