"Microsoft’s security culture was inadequate and requires an overhaul" says Cyber Safety Review Board following a "cascade of security failures"
What you need to know
- A report by the U.S. Cyber Safety Review Board states that Microsoft could have prevented the Chinese state-sponsored hacking group Storm-0558 from accessing the email accounts of U.S. government employees.
- The board was commissioned by President Biden and established by the U.S Department of Homeland Security in 2023.
- The report explained that "Storm-0558 was able to succeed because of a cascade of security failures at Microsoft."
The now-famous attacks of a Chinese state-sponsored hacking group on U.S. government employees could have been prevented by Microsoft, according to a report by the U.S. Cyber Safety Review Board. That hacking group was able to gain access to the emails of 22 organizations and over 500 people, including employees of the U.S. government that work on national security.
The 34-page report is damning. It outlines several failings made by Microsoft employees, including multiple practices that could have been in place to prevent the security breach from occurring. The Board called for an overhaul of Microsoft's security culture.
"The Board concludes that this intrusion should never have happened. Storm-0558 was able to succeed because of a cascade of security failures at Microsoft," said the report. "Today, the Board issues recommendations to Microsoft to ensure this critical company, which sits at the center of the technology ecosystem, is prioritizing security for the benefit of its more than one billion customers."
Later, the report echoed similar sentiments, stating that, "the cascade of Microsoft’s avoidable errors that allowed this intrusion to succeed." Those errors included but were not limited to "failure to detect the compromise of its cryptographic crown jewels" and failure to detect that an employee's laptop from a recently acquired company had been compromised before letting that employee connect their device to Microsoft's corporate network.
The report also condemned Micrsoft for not correcting misinformation:
"Microsoft’s decision not to correct, in a timely manner, its inaccurate public statements about this incident, including a corporate statement that Microsoft believed it had determined the likely root cause of the intrusion when in fact, it still has not; even though Microsoft acknowledged to the Board in November 2023 that its September 6, 2023 blog post about the root cause was inaccurate, it did not update that post until March 12, 2024, as the Board was concluding its review and only after the Board’s repeated questioning about Microsoft’s plans to issue a correction."
Several steps could have been taken by Microsoft to prevent the incident, including rotating security keys. Microsoft had paused the manual rotation of keys, which allowed old keys to continue to work. Another key-related issue was that Microsoft allowed consumer keys to authenticate to access enterprise customer data.
Get the Windows Central Newsletter
All the latest news, reviews, and guides for Windows and Xbox diehards.
The report extensively breaks down a series of faults by Microsoft and outlines some steps that need to be taken by the tech giant, at least in the eyes of the board.
A recap of the Chinese hackers
The recent report from the U.S. Cyber Safety Review Board is only the latest in an ongoing saga surrounding Chinese state-sponsored hackers gaining access to important information, some of which was related to U.S. national security. That panel was commissioned by U.S. President Biden.
The hacker group known as Storm-0558 was able to gain access to 22 organizations. Key to the hack was the group acquiring a Microsoft account consumer key that was then used to access Outlook and Outlook.com. Microsoft still isn't certain how the key was stolen, according to the U.S. Cyber Safety Review Board. Last September, Microsoft said that the most likely way Storm-0558 obtained the key was from a crash dump but the company has since updated its blog post to state that it hasn't determined how the key was obtained.
Microsoft admitted that its blog post was inaccurate last September but did not update it until less than one month ago on March 12, 2024. "Microsoft acknowledged to the Board in November 2023 that its September 6, 2023 blog post about the root cause was inaccurate, it did not update that post until March 12, 2024, as the Board was concluding its review and only after the Board’s repeated questioning about Microsoft’s plans to issue a correction," said the Board's report.
Microsoft has responded to security threats and the U.S. Cyber Safety Review Board. The tech giant plans to improve its cybersecurity through several changes of policy plus the use of AI and the cloud. Microsoft made a Secure Future Initiative, which is a three-tier program designed to improve its cybersecurity, in November 2023. We broke down how Microsoft plans to improve its security with AI and automation shortly after the reveal of the Secure Future Initiative.
Sean Endicott is a tech journalist at Windows Central, specializing in Windows, Microsoft software, AI, and PCs. He's covered major launches, from Windows 10 and 11 to the rise of AI tools like ChatGPT. Sean's journey began with the Lumia 740, leading to strong ties with app developers. Outside writing, he coaches American football, utilizing Microsoft services to manage his team. He studied broadcast journalism at Nottingham Trent University and is active on X @SeanEndicott_ and Threads @sean_endicott_.