The world’s largest tech company has a security problem. A series of high-profile security incidents have rocked Microsoft over the past few years, and a scathing report from the Cyber Safety Review Board recently concluded that “Microsoft’s security culture was inadequate and requires an overhaul.”

Inside Microsoft, there is concern that the attacks could seriously undermine trust in the company. Sources tell me that Microsoft’s engineering and security teams have been scrambling to respond to new attacks from the same Russian state-sponsored hackers that were behind the SolarWinds incident. Known as Nobelium or Midnight Blizzard, the hacking group was able to spy on the email accounts of some members of Microsoft’s senior leadership team last year and even steal source code recently.

The ongoing attacks have spooked many inside Microsoft, and teams have been working on improving Microsoft’s defenses and trying to prevent further breaches while the hackers pore over the information they’ve stolen and try to find more weaknesses. Security is always a cat-and-mouse game, but it’s made even more difficult when hackers have been spying on your communications.

These are just the latest in a long line of security breaches, though. Chinese government hackers targeted Microsoft Exchange servers with zero-day exploits in early 2021, enabling them to access email accounts and install malware on servers hosted by businesses. Last year, Chinese hackers breached US government emails thanks to a Microsoft Cloud exploit. The incident allowed the hackers to access the online email inboxes of 22 organizations, affecting more than 500 people, including US government employees working on national security.

Described as a “cascade of security failures” by the US Cyber Safety Review Board, last year’s US government email attack was “preventable,” according to the board. It also found that a number of decisions inside Microsoft contributed to “a corporate culture that deprioritized enterprise security investments and rigorous risk management.” Microsoft still isn’t 100 percent sure how a key was stolen to enable the Chinese hackers to forge tokens and access highly sensitive email inboxes.

Microsoft’s main response to these attacks has been its new Secure Future Initiative (SFI), an overhaul of how it designs, builds, tests, and operates its software and services. Unveiled in November, before the Russian email spying was revealed, the SFI should be the biggest change to Microsoft’s security efforts since the company launched its Security Development Lifecycle (SDL) in 2004. The SDL itself was a response to the devastating Blaster worm that crashed Windows XP machines in 2003 and shook the company into a bigger focus on security.

Publicly, we’ve seen very little from this new Secure Future Initiative, but behind the scenes, Microsoft is greatly concerned about losing customer trust. At an internal leadership conference earlier this month, both Microsoft CEO Satya Nadella and president Brad Smith spoke about the need to prioritize security above everything else, according to sources. The fear at Microsoft’s most senior levels is that trust is being eroded by these security issues and that it’s going to have to win back the trust of its customers as a result.

I understand engineering leads at Microsoft are now prioritizing security over new features or shipping products more quickly. It comes just weeks after the Cyber Safety Review Board said Microsoft should “deprioritize feature developments across the company’s cloud infrastructure and product suite until substantial security improvements have been made.”

AI and security are now the two biggest focuses inside Microsoft, I’m told, especially as the company’s rapid rollout of AI technologies introduces even more potential security headaches. As more and more of Microsoft’s customers move to the cloud and adopt AI, the need for security increases. Microsoft has built a $20 billion security business as a result of this cloud shift, but it’s largely based on upselling security on top of existing subscriptions.

Longtime Microsoft reporter Mary Jo Foley called for Microsoft to “stop selling security as a premium offering” earlier this week. Foley highlights how certain security tools are only available as add-ons on top of Microsoft 365 subscriptions, and that some customers were previously unable to see key logging information that could have allowed them to detect incidents as a result.

It’s a sentiment that’s echoed by former senior White House cyber policy director A.J. Grotto. “If you go back to the SolarWinds episode from a few years ago … [Microsoft] was essentially up-selling logging capability to federal agencies,” said Grotto in an interview with The Register recently. “As a result, it was really hard for agencies to identify their exposure to the SolarWinds breach.”

Microsoft responded to complaints about the logging information by increasing the amount of time logs were available from 90 to 180 days last year, but organizations still need to choose more expensive Microsoft 365 E5 subscriptions if they want most of Microsoft’s security and compliance features. Just days after Microsoft had to reveal that Russian hackers had stolen source code, the company announced it would start selling its Copilot for Security with pay-as-you-go pricing. The generative AI chatbot is designed for cybersecurity professionals to help them protect against threats, but businesses will have to pay $4 per hour of usage if they want to use Microsoft’s security-specific AI model.

This upselling and the vast reliance organizations have on Microsoft’s software haven’t gone unnoticed by lawmakers, either. The US government relies on Microsoft’s software heavily, and the email breaches have put even more focus on that relationship. “The US government’s dependence on Microsoft poses a serious threat to US national security,” says Sen. Ron Wyden (D-OR) in a statement to Wired. Wyden has been criticizing Microsoft’s cybersecurity efforts for years, calling for a federal government investigation after last year’s US government email breach.

How Microsoft responds to the growing criticisms over its security practices in the coming months will be telling. While the Cyber Safety Review Board thinks Microsoft’s security culture is broken, Microsoft disagrees. “We very much disagree with this characterization,” says Steve Faehl, chief technology officer for Microsoft’s federal security business, in a statement to Wired. “Though we do agree that we haven’t been perfect and have work to do.”

Microsoft’s behavior will only change if it’s forced to, though, Grotto argues in The Register interview. “Unless this scrutiny generates changed behavior among its customers who might want to look elsewhere, then the incentives for Microsoft to change are not going to be as strong as they should be.”