If Microsoft has a security breach, are government agencies at risk?
Microsoft needs a security overhaul, according to a new report from the federal Cyber Safety Review Board.
The report follows multiple breaches of Microsoft systems by foreign state-backed hackers in recent years, which gave the intruders access to sensitive federal government email accounts.
"When a hacking group associated with the government of the People’s Republic of China, known as Storm-0558, compromised Microsoft’s cloud environment last year, it struck the espionage equivalent of gold," the Cyber Safety Review Board wrote in its report. "The threat actors accessed the official email accounts of many of the most senior U.S. government officials managing our country’s relationship with the People’s Republic of China."
These breaches have led to growing concerns about whether the tech giant is doing enough to defend against cybersecurity threats. The recent failures have also brought extra scrutiny to Microsoft's close relationship with the United States government, raising questions about whether these contracts should be subject to closer oversight.
Eric Geller, a journalist covering cybersecurity and technology, covered the questions surrounding Microsoft's security in detail for WIRED. He told KUOW's Soundside that Microsoft is deeply entrenched in the federal government's operations, from email to word processing.
"They have just a ton of data about what's happening on government networks," Geller said. "Microsoft controls the keys to the kingdom in terms of all the user accounts, who's allowed to access what, what information your average employee is able to access. All of that is controlled through Microsoft services."
In response to questions from KUOW, Microsoft sent a lengthy statement, outlining its Secure Future Initiative announced in November "to address security in this new age where the speed, scale, and sophistication of threats is rapidly increasing."
"And this is just the beginning," Bret Arsenault, Corporate Vice President and Chief Cybersecurity Advisor at Microsoft, said in a statement. "We commit to sharing transparent learnings and future milestones as part of our efforts to strengthen all systems against attacks."
Among the company's efforts, Arsenault said, Microsoft is proactively removing unused or outdated user accounts; requiring multi-factor authentication for all users and enabling it automatically, including for accounts used in development, testing, demos, and production; improving its own multi-factor authentication process; and implementing policies that reduce the possibility of impersonation, such as mandatory video calls between managers and employees or vendors.
Engineering fixes are key here for Quentin Hodgson, a senior researcher specializing in cybersecurity at the non-partisan research institute RAND. He said there were clear engineering issues that contributed to data breaches.
"It's constantly surprising that we seem to be surprised by the hacks that are happening," Hodgson said. "And it always leads to a flurry of activity in the immediate aftermath. But the challenge is: How do we sustain that effort over the long term?"
The Cyber Safety Review Board also noted in its report that Microsoft fully cooperated with its review and "answered all of our questions to the best of its ability."
Still, Geller has questions about what is driving Microsoft's decision-making and how leaders at the company are choosing to address its vulnerabilities.
"One of the biggest themes that I heard was: Microsoft is prioritizing profits over security," he said. "They're charging a lot of money for security features that, if you were just a regular person on the street, and I told you what this feature was, you would say that should be built in, that should be free, that should be turned on automatically."