The Department of Homeland Security’s (DHS) Cyber Safety Review Board (CSRB) released findings late Tuesday following its independent review of the summer 2023 Microsoft Exchange Online intrusion that attributed the success of the China-based hack to “a cascade of security failures at Microsoft” and an “inadequate” security culture at the company.

In its 34-page report, the CSRB concludes that the intrusion – which compromised the email accounts of several U.S. government officials, including Commerce Secretary Gina Raimondo – “was preventable and should never have occurred.”

“The Board also concludes that Microsoft’s security culture was inadequate and requires an overhaul, particularly in light of the company’s centrality in the technology ecosystem and the level of trust customers place in the company to protect their data and operations,” the report says.

Following last summer’s hack, Microsoft said in a Sept. 6 blog post that the hackers leveraged a stolen signing key used by the company to authenticate customers – allowing the hackers to masquerade as Federal users of Microsoft’s email services and access officials’ inboxes.
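To make concrete why a token-signing key matters so much, the following is an added Python example, not code from the article, the CSRB report or Microsoft. It models an identity service that signs tokens and a mail service that verifies them, then shows that whoever holds a copy of the private signing key can mint a valid token for any identity, that tampering without the key fails, and that rotating the trusted key invalidates everything signed with the stolen one. The RSA here is deliberately textbook (no padding) so the block runs on the standard library alone; the function names (gen_keypair, issue_token, verify_token, run_demo), claim names and addresses are all invented for this demo.

```python
import base64
import hashlib
import json
import random
import secrets

E = 65537  # standard RSA public exponent


def _is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin probable-prime test; adequate for a demo keypair."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # odd, full width
        if _is_probable_prime(cand):
            return cand


def gen_keypair(bits: int = 512):
    """Return (public, private) toy RSA keys; 'kid' is derived from the modulus."""
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % E != 0:  # E is prime, so this guarantees gcd(E, phi) == 1
            break
    n = p * q
    kid = hashlib.sha256(str(n).encode()).hexdigest()[:8]
    return {"kid": kid, "n": n, "e": E}, {"kid": kid, "n": n, "d": pow(E, -1, phi)}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(private_key: dict, claims: dict) -> str:
    """Sign claims with the issuer's private key (textbook RSA over SHA-256, toy only)."""
    header = _b64(json.dumps({"alg": "toy-rs256", "kid": private_key["kid"]}).encode())
    payload = _b64(json.dumps(claims).encode())
    digest = int.from_bytes(hashlib.sha256(f"{header}.{payload}".encode()).digest(), "big")
    sig = pow(digest, private_key["d"], private_key["n"])
    sig_len = (private_key["n"].bit_length() + 7) // 8
    return f"{header}.{payload}.{_b64(sig.to_bytes(sig_len, 'big'))}"


def verify_token(token: str, trusted_keys: dict):
    """Return the claims if the token was signed by a currently trusted key, else None."""
    try:
        header, payload, sig = token.split(".")
        kid = json.loads(_unb64(header))["kid"]
        pub = trusted_keys[kid]  # unknown kid (e.g. a rotated-out key) -> rejected
    except (ValueError, KeyError):
        return None
    digest = int.from_bytes(hashlib.sha256(f"{header}.{payload}".encode()).digest(), "big")
    if pow(int.from_bytes(_unb64(sig), "big"), pub["e"], pub["n"]) != digest:
        return None
    return json.loads(_unb64(payload))


def run_demo() -> dict:
    """Constructed scenario: legitimate issuer, attacker with a stolen copy of the key, rotation."""
    pub, priv = gen_keypair()
    trusted = {pub["kid"]: pub}  # the mail service's current trust store

    legit = issue_token(priv, {"sub": "alice@agency.example", "aud": "mail"})
    # The attacker holds a copy of priv and mints a token naming a victim identity.
    forged = issue_token(priv, {"sub": "official@agency.example", "aud": "mail"})
    # Without the key, changing even one character of the payload breaks the signature.
    h, p, s = legit.split(".")
    tampered = f"{h}.{p[:-1] + ('A' if p[-1] != 'A' else 'B')}.{s}"
    # Rotation: the verifier now trusts only a freshly generated key.
    pub2, _priv2 = gen_keypair()
    rotated = {pub2["kid"]: pub2}

    return {
        "legit_ok": verify_token(legit, trusted)["sub"] == "alice@agency.example",
        "forged_accepted": verify_token(forged, trusted) is not None,
        "tampered_rejected": verify_token(tampered, trusted) is None,
        "forged_after_rotation": verify_token(forged, rotated) is not None,
    }
```

The verifier has no way to tell the forged token from the legitimate one: both carry a correct signature from the same trusted key, which is why the key itself, and the telemetry that would reveal its misuse, matter more than any check performed on the token.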

However, the report faults the company for failing to detect the compromise of its signing key, which the report calls Microsoft’s “cryptographic crown jewels,” on its own. Instead, Microsoft learned of the compromise only after a customer reached out to report anomalies.

Notably, the report also criticizes Microsoft’s “decision not to correct, in a timely manner, its inaccurate public statements about this incident, including a corporate statement that Microsoft believed it had determined the likely root cause of the intrusion when in fact, it still has not.”

The CSRB says that even after Microsoft discovered its initial Sept. 6 blog post contained inaccurate statements, it did not update that post until March 12, 2024. This came as the CSRB was concluding its review and only after the board’s “repeated questioning about Microsoft’s plans to issue a correction.”

The report offers several recommendations to Microsoft, including that its CEO and board of directors focus on the company’s security culture and develop a plan to make “fundamental, security-focused reforms across the company and its full suite of products.”

It also recommends that Microsoft put any feature developments across its cloud infrastructure and product suite on hold until it makes substantial security updates.

The CSRB also offers security recommendations to all cloud service providers (CSPs) and government partners, such as implementing modern control mechanisms and baseline practices, adopting a minimum standard for default audit logging in cloud services, and implementing digital identity standards to secure cloud services against prevailing threat vectors.

Additionally, it recommends CSPs and government partners adopt incident and vulnerability disclosure practices, as well as develop more effective victim notification and support mechanisms.

As for the Federal government, the CSRB recommends it update the Federal Risk and Authorization Management Program (FedRAMP) and “establish a process for conducting discretionary special reviews of the program’s authorized Cloud Service Offerings following especially high-impact situations.”

DHS’s Cybersecurity and Infrastructure Security Agency (CISA) said it plans to convene major CSPs to develop cloud security practices aligned with the CSRB’s recommendations and “a process for CSPs to regularly attest and demonstrate alignment.”

“DHS is committed to efforts that meaningfully improve cybersecurity resilience and preparedness for our nation, and the work of the CSRB is reflective of our determination and dedication to this cause,” said CISA Director Jen Easterly. “I am confident that the findings and recommendations from the board’s report will catalyze action to reduce risk to the critical infrastructure Americans rely on every day.”

In a statement to MeriTalk, a Microsoft spokesperson said the company appreciates the efforts of the CSRB to investigate the incident, and pointed to the company’s recently announced “Secure Future Initiative.”

“As we announced in our Secure Future Initiative, recent events have demonstrated a need to adopt a new culture of engineering security in our own networks,” the company spokesperson said. “While no organization is immune to cyberattack from well-resourced adversaries, we have mobilized our engineering teams to identify and mitigate legacy infrastructure, improve processes, and enforce security benchmarks.”

“Our security engineers continue to harden all our systems against attack and implement even more robust sensors and logs to help us detect and repel the cyber-armies of our adversaries,” they added. “We will also review the final report for additional recommendations.”

Meanwhile, the security community is looking to Microsoft to implement robust security changes in the wake of the scathing report.

Roger Cressey, a former senior national security official during the Clinton and George W. Bush administrations, told MeriTalk, “Make no mistake, this is Microsoft’s Boeing moment; there must be real cultural and leadership changes.”

“The U.S. government needs to reconsider its relationship with the company that dominates the public sector IT market but continually fails to fulfill its security obligations,” Cressey said. “At a minimum, the CSRB report presents a clear case for putting a hold on any new contract awards to Microsoft until it demonstrates that it can be a dependable partner to the Federal government.”

Grace Dille
Grace Dille is MeriTalk's Assistant Managing Editor covering the intersection of government and technology.