Four key highlights from the Microsoft cybersecurity hearing

Microsoft President Brad Smith made a number of key commitments, but faced no harsh criticism for his company's documented cybersecurity shortcomings.

Despite the scathing Cyber Safety Review Board report on his company’s cybersecurity practices, Microsoft President Brad Smith didn’t experience much venom when he testified before the House Homeland Security Committee today.

In fact, many lawmakers praised Smith for taking responsibility for the shortcomings identified in the report. Smith also described internal changes Microsoft is making under its “Secure Future” initiative, including efforts to implement many of the safety review board’s recommendations.

“The reality is you cannot protect the homeland security of this country without protecting the cybersecurity of it as well,” Smith said. “And that is a shared responsibility between the public and private sectors, and hence, what you do to oversee us and others in the private sector is critical. I think the most important thing for me to say, the most important thing for me to write in my written testimony, is that we accept responsibility for each and every finding in this CSRB report.”

The report, issued in April, found a “cascade of Microsoft’s avoidable errors” led to Chinese hackers breaking into the emails of high-level government officials, including Commerce Secretary Gina Raimondo, last summer.

“The board finds that this intrusion was preventable and should never have occurred,” the report stated. “The board also concludes that Microsoft’s security culture was inadequate and requires an overhaul, particularly in light of the company’s centrality in the technology ecosystem and the level of trust customers place in the company to protect their data and operations.”

While lawmakers asked Smith a garden variety of questions about the report and other issues, here are four key moments from the hearing.

Criticizing the CSRB process

While being questioned by Rep. Marjorie Taylor Greene (R-Ga.), Smith took the opportunity to hit back at the Cyber Safety Review Board itself. He specifically pointed to the presence of Microsoft’s competitors on the board.

“I think it’s probably a mistake to put on the board people who work for competitors of, say, a company that is the subject of a review,” Smith said. “The spirit of this, when it was created was to create a community of people who could learn together. But I’m less concerned about the way the process worked, and I just worry that where people want to take it in the future and just make hay out of other’s mistakes. And I’m just not sure that’s going to do us that much good.”

The review board includes a mix of government and private sector officials. Its chairman is DHS Under Secretary for Policy Robert Silvers, while the deputy chairwoman is Heather Adkins, vice president for security engineering at Google.

However, the CSRB notes that members who may have a potential conflict of interest with a particular review topic will be recused. And the Microsoft report does not list Adkins, nor any other direct representatives from Microsoft’s competitors, as being one of the members who participated in the review.

Still, Smith suggested other companies may not participate as willingly in a CSRB review due to how Microsoft’s competitors have pounced on the board’s latest findings.

“We are not adversaries with each other, even though we may compete with each other,” Smith said. “The adversaries are our foreign foes. So let’s try to exercise a little self restraint about how we work in these processes, because I don’t think that the next company that gets an invitation from the CSRB is likely to be necessarily as willing as we were to share everything, which we did.”

Smith’s comments come as Congress considers formally authorizing the board into law. It was created at the direction of President Joe Biden’s May 2021 cybersecurity executive order.

State Department praise

In the midst of last summer’s hack, it was State Department personnel who first uncovered evidence of the intrusion.

“You always want to be the first in life,” Smith said when asked if Microsoft should have detected the attack first. “But on the other hand, I have to say, especially given the nature of networks and how they’re distributed and different people see different things, mostly, I just want to celebrate the fact that people are finding different things, and we’re sharing them with each other.”

The State Department was able to uncover the hack because the agency paid for Microsoft’s premium audit logging services. Some members of Congress had been calling for Microsoft to provide logs for free after the 2020 SolarWinds incident.

But after last summer’s hack, Microsoft committed to retaining its customer security logs for up to six months, while providing access to them without charging extra. In February, it began making those logs available to federal agencies at no additional cost.

“I wish we had moved faster and had gone farther,” Smith said when asked why the company hadn’t done that sooner. “I think there was a focus on the real costs associated with keeping and retaining logs. But we should have recognized sooner, especially as the threat landscape changed, that we would be best served I think as we are now by not just retaining but providing these logs for free.”

Microsoft commitments

Meanwhile, House Homeland Security Committee Ranking Member Bennie Thompson (D-Miss.) said today’s discussion “is just the beginning of ongoing oversight to ensure that the technology products used by the federal government are secure and that federal vendors take the security obligation seriously.”

Thompson also asked Smith to commit to being transparent with its customers, especially within government, about vulnerabilities in its IT products, including cloud services.

“The answer is ‘yes,’” Smith responded. “And the only qualification I would offer is we need to do it in a way where we share information with the right people in the right governments, and then do it in a way that it doesn’t make that same sensitive information available to our adversaries. So I’m sure we can do that.”

Smith also committed to being transparent with its customers about the company’s investigations into cyber incidents, as well as to releasing benchmarks and time frames for implementing the CSRB’s recommendations.

Market dominance

Throughout the hearing, lawmakers also touched on Microsoft’s dominant footprint across government and critical infrastructure IT networks.

Smith said Microsoft accounts for about 3% of the annual federal IT budget.

“I know that the U.S. government has many choices when it comes to cybersecurity services,” Smith said when asked about Microsoft’s share of government IT contracts. “And I think it takes advantage of them. And we’re one of them. I don’t frankly know how we compare to some of the others.”

Meanwhile, Smith said Microsoft’s global government business likely accounts for less than 10% of its annual revenues.

“We love the federal government,” Smith said. “It is a big customer. It’s one of our biggest and it’s the one that we’re most devoted to, but it’s not the big source of our revenue.”

Some lawmakers recently expressed concern about the federal government’s reliance on Microsoft. Sen. Ron Wyden (D-Ore.) has authored draft legislation he said would end the government’s reliance on big technology companies, but no other lawmakers have signed onto that effort so far.

And during today’s House Homeland Security Committee hearing, none of the members referenced any ongoing work in Congress to address the CSRB report and its recommendations.

“Microsoft is a great company,” Rep. Clay Higgins (R-La.) said. “Everybody in here has some kind of interaction with Microsoft. We really don’t have much choice.”

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.

Related Stories

    Microsoft Teams Office

    Lawmakers want answers about Pentagon’s increasing reliance on Microsoft

    Read more
    Cybersecurity Microsoft

    CISA directs agencies to investigate if Russian hackers stole Microsoft account details

    Read more