
Federal Cyber Safety Board Says Microsoft Security Culture is Inadequate

The Cyber Safety Review Board is similar to the FAA’s National Transportation Safety Board, except that it investigates cybersecurity crashes (breaches) rather than airplane or container ship crashes.

The board is new. It was created by Executive Order 14028 in 2021. It convenes only when requested by the Secretary of Homeland Security and, to date, this is only the second time it has convened. The first time was to review the Log4j breach. That means that this breach is a big deal.

This time, they convened to review Microsoft’s Exchange breach by the Chinese in May and June 2023.

The CSRB faulted Microsoft for not correcting a September 2023 blog post about the root cause of the breach until the CSRB had questioned them repeatedly.

The report also says that Microsoft still didn’t know EXACTLY how the hackers got the Microsoft Services Account signing key that was used in the attack.

The Board, like a lot of people, suggests that Microsoft consider focusing on improving security rather than adding new product features like rounded corners and moving the start menu to the center of the bottom of the screen. They suggested that Microsoft go back to Bill Gates’ 2002 Trustworthy Computing initiative.

Note, and this is important, the Board says that this is a problem for the CEO, the Board of Directors and all senior leaders. This is not an IT problem.

Microsoft has acknowledged the problem. In response, in part, Microsoft said:

The question for everyone is whether they will succeed. To have a national panel of experts rake them over the coals is probably not exactly what they would like to be known for. And, I suspect, even they have to admit that this has not been a great year or two for them with all of the Exchange breaches.

One challenge for Microsoft is that some of their code is 25 or more years old, probably more than anyone wants to acknowledge. Likely, in this case, humans were a big part of the problem too.

At this point all we can do is watch and hope because, like it or not, Microsoft’s software is critical to our country. Credit: GeekWire
