Feature Microsoft president Brad Smith struck a conciliatory tone regarding his IT giant's repeated computer security failings during a congressional hearing on Thursday - while also claiming the Windows maker is above the rule of law, at least in China.

He answered nearly three hours of questions from US House reps about Microsoft's infosec shortcomings. Now it's time for the White House and Congress to do their job and ensure we don't learn about yet another Redmond blunder exploited by a foreign government six months from now.

And the US government has several tools at its disposal, from executive orders to federal spending, to avoid another Microsoft-connected security breach.

Smith kicked off his testimony before Congress this week by accepting "responsibility for each and every one of the issues" cited in a recent Homeland Security report that blasted Microsoft for a series of "avoidable errors." These errors, the investigation found, allowed Beijing-backed cyberspies to steal tens of thousands of sensitive emails from the Microsoft-hosted Exchange Online inboxes of high-ranking US government officials.

That theft was enabled by China stealing a cryptographic key from a crash dump file that had been left on Microsoft's internal internet-connected corporate network; the key should not have made it out of the mega-corp's isolated production environment.

Despite this major security intrusion by China, Smith defended Microsoft's business in the Middle Kingdom. National intelligence laws in China can be used to force companies operating there to provide snooping services for the government, or hand over proprietary code if pressured to do so. But Microsoft doesn't have to comply with that, Smith claimed, to some unbelieving members of Congress.

Mea culpa, then deflect

He gets an A for presentation, but a D for content. Smith issued a mea culpa, but also deflected some of the lawmakers' tough questions about China, and why Microsoft isn't doing a very important job (securing its code, which in this case is also a national security issue) that the government is paying it millions of dollars to do. 

Smith also said he hadn't read a ProPublica report that came out ahead of the Homeland Security subcommittee hearing and was the subject of several questions to the executive. That investigative report cited a now-ex-Microsoft whistle-blowing engineer who claimed he had repeatedly warned bosses as far back as 2017 about an authentication flaw that left Microsoft users and their work accounts vulnerable to compromise.

If anything like this happened with us ... it would not only destroy our product in the marketplace but the government would just kick us out

That flaw, which we're told involves exploiting weaknesses with Microsoft's Active Directory Federation Service and SAML, was allegedly used by the Russian government snoops behind the SolarWinds backdoor.

According to the whistle-blower, the Kremlin spies used the SAML-based authentication flaw to gain full access to organizations' files and messages after sneaking into those victims' IT networks via the backdoored SolarWinds software. In other words, this was a post-exploitation vulnerability.

It was further alleged Microsoft refused to fix this years-old problem because in doing so, the corporation would have to admit that its Active Directory software was faulty, which could have cost it billions of dollars as the biz was vying for a massive IT contract with the US federal government at the time.

In the wake of the Exchange Online intrusion, all of Microsoft's pledges to do better on security, and overhaul its entire security culture, are either voluntary or - with ideas like tying top exec pay to security performance - are going to be really hard to measure.

"If it was any other vendor, if anything like this happened with us, where we had such a gaping security hole that foreign governments could come into our cloud environment it would not only destroy our product in the marketplace because we have no credibility, but the government would just kick us out," Trellix CTO Karan Sondhi told The Register.

The repeated intrusions by both Russian and Chinese cyber-spies highlight the national security risks of Uncle Sam's increasing reliance on a single technology vendor, Sondhi told us. 

Specific to Microsoft and America: The US government uses everything from the super-corp's cloud infrastructure to its operating system and productivity tools, and then also adds on Redmond's security products, which Trellix and other infosec vendors say discourages competition in the marketplace.

"We're just saying to the government: Have an independent evaluation of security tooling," Sondhi said. "Measure the security tools' effectiveness, independent of the bundle that Microsoft offers, and pick your favorite. If it's us, great. If it's CrowdStrike, more power to you. If it's Sentinel One, great."

Microsoft, he added, "should be fixing vulnerabilities in their products. They should be squarely focused on that instead of trying to sell you security tools."

Microsoft ... should be fixing vulnerabilities in their products. They should be squarely focused on that

When asked during the congressional hearing about Microsoft's bundling practices, which may dissuade the government and other customers from selecting a third-party vendor for security, Smith responded: "I'm not aware of any so-called practices that limit what our customers can do in terms of cybersecurity protection."

No real incentive to change

As long as federal dollars keep pouring into Microsoft's coffers, there's no real incentive to change. US government data showed at least $498 million of payments to Microsoft in 2023 alone.

In a May 29 letter to US Department of Defense CIO John Sherman, Senators Ron Wyden (D-OR) and Eric Schmitt (R-MO) questioned why the Pentagon is "doubling down" on its investment in Microsoft products despite the IT giant's serious failings.

This, after the Department of Homeland Security's Cyber Safety Review Board's slammed Microsoft's "cascade" of security snafus that made China's digital intrusion into government inboxes possible.

"What should the government do? Probably not give a $10 billion DoD contract to Microsoft for a commercial, off-the-shelf product," said Cory Simpson, CEO of the Institute for Critical Infrastructure Technology and a senior advisor to the Cyberspace Solarium Commission.

"You have one entity responsible for national security saying here's an entity that poses a risk, and then you have DoD, another entity responsible for national security, doubling down on Microsoft," Simpson told The Register. "We've got to have that conversation, and it needs to be with the White House." 

The first thing that needs to happen, according to Simpson, is triage, which needs to come from a White House Executive Order. Later, there's long-term care, which comes from Congress. 

While the administration doesn't control the government's purse strings, it could put a pause on future Microsoft integrations while the government explores other vendors' security products, he explained. "That could be done with an executive order," Simpson noted.

The White House Office of the National Cyber Director declined to comment for this story.

The long-term care, on the other hand, involves Congressional action to codify best security practices and even simpler ones, such as requiring Microsoft products to be interoperable with those from its peers.

"The two ends of the continuum are a decoupling of Microsoft, and at the other end doing nothing," Simpson said. "And there's a range of options in between."

Time for Biden administration to 'walk the talk'

Under President Joe Biden's leadership, the administration has touted its commitment to shoring up the nation's networks. This included releasing the National Cybersecurity Strategy in March 2023.

Part of the strategy centers around holding software makers liable for security flaws in their products, thus shifting IT defense away from the end users of technology and onto the providers. It also says the administration will work with Congress and the private sector to develop legislation around secure software and services.

Plus, this is the focus of the US Cybersecurity and Infrastructure Security Agency's secure by design pledge, signed by nearly 70 software companies - including Microsoft - at last month's RSA Conference.

Another piece of the strategy involves investing in longer-term security practices at the government and enterprise level, rather than relying on short-term fixes, such as patches and more temporary solutions to problems.

"You can't accomplish both of those things with minimum regulation," Simpson said. "The best way to do that is to fully leverage the government as the largest consumer in the world. It's about purchasing power. If they don't change procurement practices, shame on them. They have to walk the talk of their strategy." ®

https://www.theregister.com//2024/06/15/microsoft_brad_smith_congress/