Congress seeks answers from Microsoft boss after “cascade” of security errors


Microsoft President Brad Smith is questioned by the House Homeland Security Committee after hacks into federal email accounts. (REUTERS/Dado Ruvic)

The House Homeland Security Committee is questioning Microsoft President Brad Smith on Thursday about the software giant's plans to improve its security after a series of damaging hacks that hit the email accounts of federal officials, raising doubts about the company's suitability as a dominant government contractor.

The hearing followed a scathing report on one of those breaches, in which the federal Cyber Safety Review Board found that the intrusion was made possible by “a cascade of avoidable errors” and a security culture “that requires a complete overhaul.”

In that hack, alleged agents of China's Ministry of State Security last year used a stolen Microsoft signing key to forge authentication tokens, which let them impersonate almost any existing Microsoft customer. Using the forged tokens, they posed as 22 organizations, including the U.S. Departments of State and Commerce, and read the email of Commerce Secretary Gina Raimondo, among others.

The breach triggered the strongest criticism of the dominant federal vendor in decades and has led rival companies and some policymakers to push for less government dependence on its technology. Two senators wrote to the Pentagon last month asking why the department plans to improve the security of its unclassified systems by buying more expensive Microsoft licenses rather than turning to alternative suppliers.

“Cybersecurity should be an essential software feature, not a premium feature that companies sell to government and corporate clients with big budgets,” wrote Sens. Eric Schmitt (R-Mo.) and Ron Wyden (D-Ore.). “Through its purchasing power, the DOD's strategies and standards have the power to shape corporate strategies that result in more resilient cybersecurity services.”

Any serious change in executive branch spending would take years, but Department of Homeland Security leaders say plans are underway to add security assurances and requirements to more government purchases, an idea promoted in the Cyber Safety Review Board's report on Microsoft. The report found that current requirements “do not consistently require robust practices” for authenticating users.

Senators question Pentagon’s reliance on Microsoft technology to improve security of unclassified data. (Freepik)

The committee's chairman, Mark Green (R-Tenn.), said before the hearing that “it is now the responsibility of Congress to examine Microsoft's response to this report. We must restore the confidence of the American people, who depend on Microsoft products every day.”

In written testimony released Wednesday, Smith repeated earlier statements welcoming the Review Board's findings and committing to do better. Smith promoted a company-wide security initiative that has added 1,600 security engineers in the current fiscal year and will add another 800 positions next year.

Smith said the company had made security its top priority companywide and would act on the Review Board's recommendations, both those directed at the company and those directed at the industry in general.

“Microsoft accepts responsibility for each of the problems cited in the CSRB report,” Smith testified.

The testimony raised eyebrows among some security professionals, who noted Microsoft's launch this month of a Windows feature called Recall, which takes screenshots of most activity on a personal computer every few seconds and stores them to make past actions easier to search.

Although Microsoft said that users would only be able to see their own histories and that the data would otherwise remain encrypted and stored locally, experts called it a treasure trove for intruders. They pointed out that anyone with administrative rights on a machine could spy on other users, and that an attacker who broke in could export and read the files, including logs of financial passwords and encrypted messages.

After declining to comment on those reports for more than a week, Microsoft said it would not ship the software with Recall enabled by default, as planned, and that it would require additional authentication from the user to activate it.

In his written testimony, Smith cited that change as an example of the company's renewed security efforts.

(c) 2024, The Washington Post
