Microsoft preps answer to tough questions on its recent security collapse

Microsoft is set to speak before the US House Committee on Homeland Security today, and its president Brad Smith’s written testimony has surfaced ahead of what looks to be a contentious hearing on the company’s recent security failures.

In Smith’s prepared remarks, he immediately claims ownership, on behalf of Microsoft, of the string of recent cybersecurity deficiencies outlined by the US Cyber Safety Review Board (CSRB) in its April 2024 report.

The CSRB report attributes the failures to “a series of Microsoft operational and strategic decisions that collectively point to a corporate culture that deprioritized both enterprise security investments and rigorous risk management.”

The 34-page report from the CSRB outlines several incidents involving the Storm-0558 hack, labels the company’s response and timing as “inadequate,” and offers 25 recommendations to address Microsoft’s slipping security ethos.

With the CSRB report as the backbone of today’s congressional hearing, Smith cites several policies and incentive structures that have been adjusted to return the company to a security-first organization, and points to the adoption of the 16 of the CSRB’s 25 recommendations that apply to Microsoft, plus 18 additional security objectives of its own.

We are taking action to address every one of the CSRB’s recommendations applicable to Microsoft. To put this in context, the CSRB’s report provides 25 recommendations, 16 of which apply to Microsoft. Four of these are directed to Microsoft specifically and the remaining 12 recommendations are addressed to all cloud service providers (CSPs).

We are acting on all 16 of these recommendations. But we are not stopping there. We have added another 18 concrete security objectives, reflecting the work we started last summer after we assessed the shortfalls we identified from the Storm-0558 intrusion from China. As a result, last November we launched a company-wide initiative, called the Secure Future Initiative (SFI), to act on this learning. We expanded this work in January after an aggressive attack by the Russian Foreign Intelligence Agency, or SVR, and then expanded it again in March after the CSRB report.

Brad Smith, Microsoft President

Microsoft CEO Satya Nadella addressed the company’s shift back to being a security-first business shortly after the CSRB’s report, in a companywide memo in which he also laid out the expanded Secure Future Initiative (SFI).

While the timing of Microsoft’s recent security initiatives relative to today’s hearing may be coincidental, the company is now on the record, and its current and future offerings will be measured against its remarks.

One of the first measures of its renewed commitment to security-first products will be the rollout of its AI-powered Recall feature, set to debut on Windows PCs next week.

Microsoft has recently amended how Recall will roll out: the feature is now opt-in rather than opt-out (off by default), Windows Hello biometric authentication is required to enable it and to view the stored snapshots, the snapshot database is encrypted, and the feature depends on Windows 11 Secured-core PC protections, including firmware protections and a dynamic root of trust for measurement (DRTM).

Although the House Homeland Security Committee is expected to rhetorically badger Microsoft over its mishandling of several cybersecurity incidents, there is little expectation of immediate legislation to hold the company to its own pledges.

Microsoft’s real threat comes from rivals hoping to use the hearing as a wedge between the company and its close ties to government contracts. The NetChoice trade association issued its own letter to the committee arguing that Microsoft’s lax security posture makes the company itself a risk.

“Microsoft poses an especially acute national security risk given it has a dominant 85 percent market share in the U.S. government’s productivity software market, which makes the government dependent on Microsoft products including Outlook email, Word, Excel, Teams instant messaging, and the Azure cloud platform.”

NetChoice

The CSRB offered Microsoft several diplomatic suggestions for addressing its security shortcomings. The open question is at what point another high-profile cybersecurity blunder erodes the company’s hold on government trust, and the lucrative contracts that come with it, to the point of financial risk.
