US senator blasts Microsoft for “negligent cybersecurity practices”

Rebuke follows recent breach that exposed email accounts of US federal officials.

Microsoft remains tight-lipped

Asked to respond to Wyden’s claim that Microsoft hasn’t been transparent about its role in the latest breach, the company released a two-sentence statement. “This incident demonstrates the evolving challenges of cybersecurity in the face of sophisticated attacks,” it read. “We continue to work directly with government agencies on this issue, and maintain our commitment to continue sharing information at Microsoft Threat Intelligence blog.”

Wyden has long been known for his grasp of technical details involving cybersecurity and privacy, and his latest letter was no exception. When discussing the SolarWinds incident and Microsoft’s response to it, the senator wrote:

This is not the first espionage operation in which a foreign government hacked the emails of United States government agencies by stealing encryption keys and forging Microsoft credentials. The Russian hackers behind the 2020 SolarWinds hacking campaign used a similar technique, with a noteworthy difference. There, the targets were organizations that ran Microsoft’s identity management software on their own servers, rather than relying on Microsoft’s cloud service for user authentication, Azure Active Directory (Azure AD). That Microsoft software defaulted to not warning administrators when their organizations’ digital identity encryption keys were removed — even though removal is a rare event strongly indicative of suspicious activity. Moreover, while Microsoft had known since 2017 that such keys could be quietly exfiltrated from customer servers running its software, it failed to warn its customers, including government agencies, about this risk. Microsoft never took responsibility for its role in the SolarWinds hacking campaign. It blamed federal agencies for not pushing it to prioritize defending against the encryption key theft technique used by Russia, which Microsoft had known about since 2017. It blamed its customers for using the default logging settings chosen by Microsoft, and then blamed them for not storing the high-value encryption keys in a hardware vault, known as a Hardware Security Module (HSM). Instead, Microsoft used the incident as an opportunity to promote its Azure AD product. After a 2021 Senate Intelligence Committee hearing focused on the SolarWinds incident, Microsoft’s President Brad Smith told the committee that “[t]hose who want the best security should move to the cloud.” Microsoft’s customers heard the message—it is too hard to secure these keys on your own servers, so let Microsoft do it for you.

In the three years since that high-profile hacking campaign, Microsoft’s cloud security business revenues have ballooned to over $20 billion a year.
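The letter’s two technical points, that the identity software defaulted to not alerting when a signing key was removed and that the keys were not required to live in an HSM, translate directly into a monitoring check a defender can run. The following is an added example written for this article; it is not Microsoft’s code or anything quoted in the letter. It assumes the identity provider can export its current signing-key inventory as JSON snapshots (the `kid` and `storage` field names are constructed for illustration), diffs two snapshots, and shows the permissive policy beside a hardened one that alerts on removal and on any key held outside an HSM.

```python
"""Flag signing-key removal and software-stored keys from inventory snapshots.

Added example, not from the article or from Microsoft. The snapshot format,
field names and policy flags are assumptions made for illustration.
"""
import json
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample snapshots (not real data): an identity provider's
# signing-key inventory at two points in time. Between them, key-B has
# vanished and key-C has appeared, both stored as exportable software keys.
SNAPSHOT_T0 = json.dumps({
    "taken_at": "2023-07-01T00:00:00Z",
    "signing_keys": [
        {"kid": "key-A", "storage": "hsm"},
        {"kid": "key-B", "storage": "software"},
    ],
})
SNAPSHOT_T1 = json.dumps({
    "taken_at": "2023-07-01T06:00:00Z",
    "signing_keys": [
        {"kid": "key-A", "storage": "hsm"},
        {"kid": "key-C", "storage": "software"},
    ],
})


@dataclass
class AlertPolicy:
    """Which inventory changes raise an alert (hypothetical policy object)."""
    warn_on_removal: bool = False   # the silent-on-removal default the letter describes
    warn_on_addition: bool = True
    require_hsm: bool = False       # key material outside an HSM is exportable


# Weak configuration: removals go unreported, software keys are tolerated.
WEAK_DEFAULT = AlertPolicy()
# Hardened configuration: removal is rare and suspicious, so always alert,
# and treat any non-HSM key as a finding.
HARDENED = AlertPolicy(warn_on_removal=True, warn_on_addition=True, require_hsm=True)


def load_keys(snapshot_json: str) -> Dict[str, dict]:
    """Index a snapshot's signing keys by key id."""
    data = json.loads(snapshot_json)
    return {k["kid"]: k for k in data["signing_keys"]}


def diff_keys(prev_json: str, curr_json: str) -> Tuple[List[str], List[str]]:
    """Return (removed_kids, added_kids) between two snapshots, sorted."""
    prev, curr = load_keys(prev_json), load_keys(curr_json)
    removed = sorted(set(prev) - set(curr))
    added = sorted(set(curr) - set(prev))
    return removed, added


def evaluate(prev_json: str, curr_json: str, policy: AlertPolicy) -> List[str]:
    """Apply a policy to the change between two snapshots; return alert strings."""
    alerts: List[str] = []
    removed, added = diff_keys(prev_json, curr_json)
    if policy.warn_on_removal:
        for kid in removed:
            alerts.append(f"REMOVED signing key {kid}: rare event, investigate immediately")
    if policy.warn_on_addition:
        for kid in added:
            alerts.append(f"ADDED signing key {kid}: confirm this was a planned rotation")
    if policy.require_hsm:
        for kid, meta in load_keys(curr_json).items():
            if meta.get("storage") != "hsm":
                alerts.append(f"SOFTWARE-STORED signing key {kid}: key material is exportable")
    return alerts


if __name__ == "__main__":
    for name, policy in (("weak default", WEAK_DEFAULT), ("hardened", HARDENED)):
        print(f"--- {name} ---")
        for line in evaluate(SNAPSHOT_T0, SNAPSHOT_T1, policy):
            print(line)
```

Under the weak policy the disappearance of key-B produces no alert at all, which is the gap the letter criticizes; under the hardened policy the same diff yields a removal alert, an addition alert, and a finding that the new key is not HSM-backed. In practice the snapshots would come from a scheduled export, and the diff would run on every export rather than once.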

Wyden went on to say some blame also falls on the Biden administration. In 2021 Biden issued an executive order that created a Cyber Safety Review Board and tasked it, among other things, with studying the SolarWinds attack. The SolarWinds review never took place.

“I have repeatedly pushed CISA and DHS [Department of Homeland Security] to direct the Board to study the SolarWinds incident, but have been rebuffed,” he wrote. “Had that review taken place, it is quite likely that Microsoft’s poor data security practices around encryption keys would have come to light, and this most recent incident might have been averted.”

Wyden called on Easterly to direct the board to investigate the SolarWinds incident, with a focus on whether Microsoft stored the encryption key stolen in the breach in an HSM. He urged Garland to examine whether Microsoft’s “negligent practices violated federal law.” And he called on Khan to investigate Microsoft’s privacy and data security practices to determine if they violated laws enforced by the FTC.
