Federal Cyber Safety Board Says Microsoft Security Culture is Inadequate
The Cyber Safety Review Board is similar to the FAA’s National Transportation Safety Board, except that they investigate cybersecurity crashes (breaches) rather than airplane or container ship crashes.
The board is new. It was created by Executive Order 14028 in 2021. They only convene when requested by the Secretary of Homeland Security and, to date, this is only the second time they have convened. The first time was to review the Log4j breach. That means that this breach is a big deal.
This time, they convened to review Microsoft’s Exchange breach by the Chinese in May and June 2023.
The CSRB faulted Microsoft for not correcting a September 2023 blog post about the root cause of the breach until the CSRB had questioned them repeatedly.
The report also says that Microsoft still didn’t know EXACTLY how the hackers got the Microsoft Services Account signing key that was used in the attack.
The Board, like a lot of people, suggests that Microsoft consider focusing on improving security rather than adding new product features like rounded corners and moving the Start menu to the center of the bottom of the screen. They suggested that Microsoft go back to Bill Gates’ 2002 Trustworthy Computing Initiative.
“The Board concludes that Microsoft has drifted away from this ethos and needs to restore it immediately as a top corporate priority. The Board is aware of Microsoft’s recent changes to its security leadership and the ‘Secure Future Initiative’ that it announced in November 2023. The Board believes that these and other security-related efforts should be overseen directly and closely by Microsoft’s CEO and its Board of Directors, and that all senior leaders should be held accountable for implementing all necessary changes with utmost urgency.”
https://www.geekwire.com/2024/cyber-safety-review-board-finds-microsoft-security-culture-inadequate-calls-for-internal-accountability/
Note, and this is important, the Board says that this is a problem for the CEO, the Board of Directors and all senior leaders. This is not an IT problem.
Microsoft has acknowledged the problem. In response, in part, Microsoft said:
“As we announced in our Secure Future Initiative, recent events have demonstrated a need to adopt a new culture of engineering security in our own networks. While no organization is immune to cyberattack from well-resourced adversaries, we have mobilized our engineering teams to identify and mitigate legacy infrastructure, improve processes, and enforce security benchmarks. Our security engineers continue to harden all our systems against attack and implement even more robust sensors and logs to help us detect and repel the cyber-armies of our adversaries.”
https://www.geekwire.com/2024/cyber-safety-review-board-finds-microsoft-security-culture-inadequate-calls-for-internal-accountability/
The question for everyone is whether they will succeed. To have a national panel of experts rake them over the coals is probably not exactly what they would like to be known for. And, I suspect, even they have to admit that this has not been a great year or two for them with all of the Exchange breaches.
One challenge for Microsoft is that some of their code is 25 or more years old. Probably more than anyone wants to acknowledge. Likely in this case, humans were a big part of the problem too.
At this point all we can do is watch and hope because, like it or not, Microsoft’s software is critical to our country. Credit: GeekWire