The world’s largest tech company has a security problem. A series of high-profile security incidents have rocked Microsoft over the past few years, and a scathing report from the Cyber Safety Review Board recently concluded that “Microsoft’s security culture was inadequate and requires an overhaul.” Inside Microsoft, there is concern that the attacks could seriously undermine trust in the company.
Sources tell me that Microsoft’s engineering and security teams have been scrambling to respond to new attacks from the same Russian state-sponsored hackers that were behind the SolarWinds incident. Known as Nobelium or Midnight Blizzard, the hacking group was able to spy on the email accounts of some members of Microsoft’s senior leadership team last year and even steal source code recently.
The ongoing attacks have spooked many inside Microsoft, and teams have been working on improving Microsoft’s defenses and trying to prevent further breaches while the hackers pore over the information they’ve stolen and try to find more weaknesses. Security is always a cat-and-mouse game, but it’s made even more difficult when hackers have been spying on your communications.
These are just the latest in a long line of security breaches, though. Chinese government hackers targeted Microsoft Exchange servers with zero-day exploits in early 2021, enabling them to access email accounts and install malware on servers hosted by businesses. Last year, Chinese hackers breached US government emails thanks to a Microsoft Cloud exploit. The incident allowed the hackers to access online email inboxes of 22 organizations, affecting more than 500 people including US government employees working on national security.
Described as a “cascade of security failures” by the US Cyber Safety Review Board, last year’s US government email attack was “preventable,” according to the board. It also found that a number of decisions inside Microsoft contributed to “a corporate culture that deprioritized enterprise security investments and rigorous risk management.” Microsoft still isn’t 100 percent sure how a key was stolen to enable the Chinese hackers to forge tokens and access highly sensitive email inboxes.
Microsoft’s main response to these attacks has been its new Secure Future Initiative (SFI), an overhaul of how it designs, builds, tests, and operates its software and services. Unveiled in November, before the Russian email spying was revealed, the SFI should be the biggest change to Microsoft’s security efforts since the company launched its Security Development Lifecycle (SDL) in 2004. The SDL itself was a response to the devastating Blaster worm that crashed Windows XP machines in 2003 and shook the company into a bigger focus on security.
Publicly, we’ve seen very little from this new Secure Future Initiative, but behind the scenes, Microsoft is greatly concerned about losing customer trust. At an internal leadership conference earlier this month, both Microsoft CEO Satya Nadella and president Brad Smith spoke about the need to prioritize security above everything else, according to sources. The fear at Microsoft’s most senior levels is that trust is being eroded by these security issues and that it’s going to have to win back the trust of its customers as a result.
I understand engineering leads at Microsoft are now prioritizing security over new features or shipping products more quickly. It comes just weeks after the Cyber Safety Review Board said Microsoft should “deprioritize feature developments across the company’s cloud infrastructure and product suite until substantial security improvements have been made.”
Both AI and security are now the two biggest focuses inside Microsoft, I’m told, especially as the company’s rapid rollout of AI technologies introduces even more potential security headaches. As more and more of Microsoft’s customers move to the cloud and adopt AI, the need for security increases. Microsoft has built a $20 billion security business as a result of this cloud shift, but it’s largely based on upselling security on top of existing subscriptions.
Longtime Microsoft reporter Mary Jo Foley called for Microsoft to “stop selling security as a premium offering,” earlier this week. Foley highlights how certain security tools are only available as add-ons on top of Microsoft 365 subscriptions and that some customers were previously unable to see key logging information that could have allowed them to detect incidents as a result.
It’s a sentiment that’s echoed by former senior White House cyber policy director A.J. Grotto. “If you go back to the SolarWinds episode from a few years ago … [Microsoft] was essentially up-selling logging capability to federal agencies,” said Grotto in an interview with The Register recently. “As a result, it was really hard for agencies to identify their exposure to the SolarWinds breach.”
Microsoft responded to complaints about the logging information by increasing the amount of time logs were available from 90 to 180 days last year, but organizations still need to choose more expensive Microsoft 365 E5 subscriptions if they want most of Microsoft’s security and compliance features.
Even as Microsoft had to reveal Russian hackers had stolen source code recently, days later, the company announced it would start selling its Copilot for Security with pay-as-you-go pricing. The generative AI chatbot is designed for cybersecurity professionals to help them protect against threats, but businesses will have to pay $4 per hour of usage if they want to use Microsoft’s security-specific AI model.
This upselling and the vast reliance organizations have on Microsoft’s software hasn’t gone unnoticed by lawmakers, either. The US government relies on Microsoft’s software heavily, and email breaches have put even more focus on that relationship. “The US government’s dependence on Microsoft poses a serious threat to US national security,” says Sen. Ron Wyden (D-OR), in a statement to Wired. Wyden has been criticizing Microsoft’s cybersecurity efforts for years, calling for a federal government investigation after last year’s US government email breach.
How Microsoft responds to the growing criticisms over its security practices in the coming months will be telling. While the Cyber Safety Review Board thinks Microsoft’s security culture is broken, Microsoft disagrees. “We very much disagree with this characterization,” says Steve Faehl, chief technology officer for Microsoft’s federal security business, in a statement to Wired. “Though we do agree that we haven’t been perfect and have work to do.”
Microsoft’s behavior will only change if it’s forced to, though, Grotto argues in The Register interview. “Unless this scrutiny generates changed behavior among its customers who might want to look elsewhere, then the incentives for Microsoft to change are not going to be as strong as they should be.”
