A scathing US government-backed review found that Microsoft committed a series of “avoidable errors” that allowed Chinese hackers to breach the company’s network and access the email accounts of senior US officials, including the secretary of commerce. The report, released by the US Cyber Safety Review Board (CSRB), criticized Microsoft for not adequately protecting a sensitive cryptographic key that allowed the hackers to forge credentials and access Outlook accounts remotely. The board concluded that Microsoft’s security culture was inadequate and required an overhaul due to its centrality in the technology ecosystem.
The hack resulted in Chinese operatives gaining access to the unclassified email accounts of senior US diplomats, including US Ambassador to China Nicholas Burns, and Secretary of State Antony Blinken on the eve of a high-profile visit to China last June. Approximately 60,000 emails were downloaded from the State Department alone. Secretary of Commerce Gina Raimondo also had her email account breached prior to her trip to China in August. China has denied the hacking allegations, further exacerbating the situation.
Following the alleged Chinese hacking incident and increased scrutiny of its security practices by US lawmakers, Microsoft announced in November that it would enhance its security practices for software development and user protection. The company acknowledged the impact of threat actors operating continuously without deterrence and expressed appreciation for the Cyber Safety Review Board’s investigation. Microsoft has mobilized its engineering teams to identify and mitigate legacy infrastructure, improve processes, and enforce security benchmarks to strengthen its systems against cyber threats.
The cyber-espionage campaign allegedly tied to China and Russia is one of several incidents that have exploited widely used software, such as Microsoft products, to target US national security interests. Russian hackers infiltrated software made by SolarWinds in 2020 to steal emails from US government agencies. CEO of the Institute for Critical Infrastructure Technology, Cory Simpson, emphasized the need for better cybersecurity and hoped that the CSRB report would prompt meaningful change in the US government’s relationship with Microsoft. The report is seen as a call to action for improved cybersecurity measures and closer collaboration between the government and technology providers.
Microsoft will review the recommendations made by the Cyber Safety Review Board to address the vulnerabilities that allowed the Chinese hackers to breach their network and access sensitive information. The company has committed to implementing enhanced security measures, hardening its systems against future attacks, and improving detection and response capabilities to repel cyber adversaries. The US government faces a decision point in its relationship with IT service providers, with the choice between maintaining the status quo or adopting better cybersecurity practices to safeguard national security interests. The CSRB report serves as a catalyst for change and underscores the urgent need for stronger cybersecurity measures and a more proactive approach to combating cyber threats.