Archived version

Microsoft president Brad Smith will tell lawmakers on Capitol Hill Thursday that the company is responsible for “each and every one of the issues” that a government advisory board uncovered while investigating a recent China hack, according to prepared remarks.

Why it matters: Lawmakers, administration officials and regulators have started to lose trust in the tech giant’s ability to secure its products after a series of nation-state cyberattacks.

Driving the news: Microsoft has faced two notable nation-state cyberattacks in the last year that has put federal agencies’ communications in jeopardy.

  • Microsoft disclosed last July that a China-backed hacking group had broken into the email accounts of several organizations, including federal offices. Commerce Secretary Gina Raimondo and several State officials were affected.

  • Russian intelligence hackers also stole several federal agencies’ emails after breaching Microsoft, the Cybersecurity and Infrastructure Security Agency said earlier this year.

The big picture: Ever since these incidents, Microsoft has faced a mountain of scrutiny in Washington from lawmakers and competitors.

  • The Cyber Safety Review Board (CSRB) said in an April report that the Chinese espionage campaign, in particular, was “preventable and should never have occurred.”

  • Senators are pushing back against the Pentagon’s reported plans to upgrade its suite of Microsoft products as part of its zero-trust transition.

  • And eager competitors have gone on a campaign to woo Microsoft’s government customers.

The other side: Microsoft has been briefing federal security leaders and their teams on a new set of security principles it’s been implementing internally, known as the Secure Future Initiative.

-The plan ties executives’ pay to improving cybersecurity and calls on teams to prioritize security investments over fast product development.

Zoom in: In his remarks to the House Homeland Security Committee, Smith will tell lawmakers that he sees the advisory board’s recommendations as good advice for all corporations to follow as they face “more prolific, well-resourced, and sophisticated cyberattacks.”

  • Smith plans to lay out how the new Secure Future Initiative will help address each issue in the advisory board’s report, per his remarks published Wednesday.

  • “We acknowledge that we can and must do better, and we apologize and express our deepest regrets to those who have been impacted,” Smith will say.

  • Microsoft has invited the Cybersecurity and Infrastructure Security Agency (CISA) to its headquarters for a “detailed technical briefing” on the initiative, according to the published remarks.

Between the lines: Compared to past hearings about cyberattacks, Thursday’s congressional hearing will hit close to home for lawmakers given the federal government’s heavy reliance on Microsoft’s products.

  • Many agencies rely on Microsoft as their sole operating system, email provider, cybersecurity product vendor and office software provider.

  • The Software & Information Industry Association — a trade group that represents software vendors — sent a letter Wednesday to agency leaders urging them to find ways to diversify beyond Microsoft.

What we’re watching: Smith will need to provide bulletproof reassurances and transparency about Microsoft’s security plans to lawmakers and regulators to regain their trust in Washington.

  • jmp242
    link
    fedilink
    arrow-up
    3
    ·
    5 months ago

    I think it’s more the cloud being the issue here. Such an obvious and large and valuable target. Of course Microsoft also isn’t that secure historically.