The Cyber Safety Review Board (CSRB) recently released a report on the Summer 2023 intrusion into Microsoft Exchange Online, a breach that exposed several areas of our government and compromised U.S. national security. The report details how a suspected actor from China exploited vulnerabilities in Microsoft’s cloud systems to gain access to sensitive emails from the State and Commerce Departments and other important government actors.
The CSRB’s findings are deeply troubling, with the report stating that “Microsoft’s security culture was inadequate and requires an overhaul, particularly in light of the company’s centrality in the technology ecosystem and the level of trust customers place in the company to protect their data and operations.” It identified a series of operational and strategic decisions by Microsoft that “collectively point to a corporate culture that deprioritized both enterprise security investments and rigorous risk management.” The report pulls no punches in its assessment, declaring that “the cascade of Microsoft’s avoidable errors that allowed this intrusion to succeed” was both preventable and unacceptable.
Adding to these concerns, the Board found that Microsoft made several misleading and inaccurate public statements about the breach and failed to correct known errors in a timely manner. This lack of transparency undermines the trust that government agencies and other customers place in Microsoft to communicate honestly about security incidents and their root causes. It also raises the question of why the government is so reliant on Microsoft to keep its systems secure.
The CSRB’s report should be a wake-up call, highlighting the serious and long-neglected national security risks posed by overreliance on Microsoft alone and by a lack of diversity among the vendors that serve government systems. As Senator Eric Schmitt (R-Mo.) aptly put it, the government has a “monoculture of cybersecurity services” that leaves America’s digital infrastructure exposed. The report acknowledges that breaches like this are not inevitable, noting that other cloud providers had implemented security controls that Microsoft had not.
To address these issues, the CSRB recommends that Microsoft’s leadership deprioritize feature development across the company’s cloud infrastructure and product suite until substantial security improvements have been made. New features are great, but they can’t be the focus when Microsoft isn’t getting the security basics right.
The government, for its part, should reconsider its reliance on Microsoft and change how it selects vendors so that American cybersecurity becomes a greater priority. Procurement policies must change, or they will continue to enable the exploitation of U.S. systems by bad actors taking advantage of a lax security culture.
The CSRB report provides stark evidence that the U.S. government cannot afford to prioritize incumbency over critical cybersecurity protections. By doing so, it has inadvertently incentivized Microsoft to maintain a dangerously vulnerable status quo that endangers us all.
As policymakers grapple with the serious implications of this report and seek more information from Microsoft executives, it’s crucial that both Microsoft and the U.S. government take swift and decisive action to address the identified security shortcomings. The safety of our digital infrastructure depends on it.
Image generated by NetChoice using ChatGPT’s DALL-E.