Cybersecurity Flaws at Microsoft Put America at Risk

Those studying cybersecurity issues have increasingly focused on a troubling and evident fact: Microsoft has a security problem.

Four years ago, while I was the National Security Advisor, Microsoft found itself at the heart of one of the biggest cybersecurity breaches in U.S. history. government history, known as the SolarWinds hack. Russian-backed hackers gained access to the communications of individuals and public and private organizations, including government agencies like the Department of Homeland Security.

The hackers also breached Microsoft’s systems, reportedly using this access to amplify their attack. In response to the SolarWinds breach, Microsoft Vice President Brad Smith blamed the federal government, saying, “We need a more effective national and global strategy to protect against cyberattacks.”

The Biden administration has spoken extensively about reforms to our federal cybersecurity infrastructure in light of the SolarWinds breach. Biden’s aides described SolarWinds as a “top priority” for the incoming administration. In April 2021, President Biden sanctioned Russian officials over the breach and announced new cybersecurity standards that would, in the words of Deputy National Security Advisor Anne Neuberger, allow federal agencies to tell vendors, “Here is a set of things you need to comply with to do business with us.”

Despite the administration’s concerns, Chinese-backed hackers exploited vulnerabilities in Microsoft’s email systems to access sensitive federal communications last summer, including emails from Commerce Secretary Gina Raimondo. Last month, the Cyber Safety Review Board issued a report on the China breach, highlighting a “series of avoidable errors” by Microsoft that made the breach possible. The board emphasized that the breach was “preventable” and identified “a series of Microsoft’s operational and strategic decisions that collectively indicated a company culture that placed a lower priority on enterprise security investments and rigorous risk management.”

Just a few months later, Russian hackers again breached Microsoft systems, gaining access to executive emails and eventually some of the company’s source code. This raises serious concerns about the risks to sensitive federal communications, prompting the Cybersecurity and Infrastructure Security Agency (CISA) to issue an emergency directive to all federal agencies, asking them to “analyze potentially affected emails, reset any compromised credentials, and take additional steps to secure Microsoft Azure privileged accounts.” The extent of this breach remains unknown.

As stories of Microsoft’s failures spread in the media, Senator Rick Scott (R-Fla.) sent a letter to CISA Director Jen Easterly asking, among other questions, “What standards or metrics has CISA set for contractors to improve cybersecurity protocols and how often are these standards and metrics evaluated?” Senator Ron Wyden (D-Ore.) criticized federal agencies, stating they “share the blame for giving Microsoft billions in government contracts without holding the company to basic cybersecurity standards.”

Meanwhile, the Chairman of the Homeland Security Committee, Rep. Mark Green (R-Tenn.), and Ranking Member Rep. Bennie Thompson (D-Mo.), have requested Microsoft Vice President and President Brad Smith to appear before a full committee hearing titled “A Series of Security Failures: Assessing Microsoft’s Cybersecurity Shortcomings and Their Implications for Homeland Security.”

However, the Biden administration has remained silent. President Biden, Homeland Security Secretary Alejandro Mayorkas, and our intelligence agency leaders have declined to comment on the series of avoidable errors by one of the federal government’s largest cybersecurity contractors. Last month in Wisconsin, President Biden joined Microsoft executives to promote the company and showcase a new economic development project.

Certainly, other companies also have less-than-stellar reputations in cybersecurity, but due to its ubiquitous presence in our lives, Microsoft’s problems concern us all. I have a long record of opposing overregulation of our big tech companies, but in this case, the Biden administration must work with Microsoft to develop an actionable plan to improve performance, potentially overseen by a federal monitor.

Cybersecurity plays a vital role in keeping our nation safe. We simply cannot allow one of our major tech companies to become a superhighway for hackers to enter and exit the digital realm of America.

Ambassador Robert C. O’Brien (Ret.) was the U.S. National Security Advisor from 2019 to 2021.

Leave a Reply

Your email address will not be published. Required fields are marked *