A recent report issued by a review board appointed by the Biden administration has sharply criticized Microsoft's corporate security and transparency. The report, released on Tuesday, highlighted a series of errors by the tech giant that allowed state-backed Chinese cyber operators to breach email accounts of senior U.S. officials, including Commerce Secretary Gina Raimondo.
The Cyber Safety Review Board, established in 2021 through an executive order, pointed out shoddy cybersecurity practices, a lax corporate culture, and a lack of transparency regarding Microsoft's knowledge of the breach. The breach affected multiple U.S. agencies dealing with China, leading the board to conclude that Microsoft's security culture was inadequate and in need of a significant overhaul.
The panel emphasized the critical role of Microsoft products in supporting national security, the economy, and public health and safety, calling for substantial security improvements across the company and its products. It also recommended that Microsoft halt the addition of new features to its cloud computing environment until security enhancements are made.
Microsoft responded to the report, stating its commitment to strengthening its systems against cyber threats and enhancing detection capabilities. The intrusion, which was discovered in June and dated back to May, was described as preventable by the board, which criticized Microsoft for not identifying how the hackers gained access.
The breach involved the compromise of Microsoft Exchange Online email accounts of 22 organizations and over 500 individuals globally, including the U.S. ambassador to China and several foreign government entities. The report also highlighted a separate hack by state-backed Russian hackers targeting senior Microsoft executives and customers.
Microsoft acknowledged the need for a new culture of engineering security within its networks and outlined plans to address legacy infrastructure, improve processes, and enforce security standards. The company attributed the attacks to well-resourced nation-state threat actors operating without significant deterrence.