Microsoft comes under intense scrutiny and pointed criticism in a 34-page report released Tuesday by the Cyber Safety Review Board (CSRB), a group the U.S. Secretary of Homeland Security established under a 2021 executive order to review major cybersecurity incidents.
The report focuses on a high-profile incident in May and June 2023, when the China-affiliated hacking group known as Storm-0558 is believed to have compromised the Microsoft Exchange Online mailboxes of more than 500 people at 22 organizations worldwide, including senior U.S. government officials.
The CSRB report takes Microsoft to task for its security culture, describing it as “inadequate” and saying it “requires an overhaul, particularly in light of the company’s centrality in the technology ecosystem and the level of trust customers place in the company to protect their data and operations.”
The report also criticizes Microsoft’s public communications, noting that the company waited until last month to correct a September 2023 blog post about the root cause of the breach, and did so only after repeated questions from the board. That post had attributed the leak of the signing key to a crash dump; the March 2024 correction acknowledged that the cause had not been established.
At the conclusion of CSRB’s review, the report said, Microsoft still did not know exactly how Storm-0558 obtained the 2016 Microsoft Services Account (MSA) signing key it used to forge the authentication tokens behind the 2023 intrusion.
The report also says Microsoft’s leaders should consider refocusing product development, prioritizing security over new product features, effectively reviving the spirit of the “Trustworthy Computing” initiative that Microsoft co-founder Bill Gates famously instituted in 2002.
The CSRB report reads, in part:
“The Board concludes that Microsoft has drifted away from this ethos and needs to restore it immediately as a top corporate priority. The Board is aware of Microsoft’s recent changes to its security leadership and the ‘Secure Future Initiative’ that it announced in November 2023. The Board believes that these and other security-related efforts should be overseen directly and closely by Microsoft’s CEO and its Board of Directors, and that all senior leaders should be held accountable for implementing all necessary changes with utmost urgency.”
Asked for comment on the report, a Microsoft spokesperson gave this statement:
“We appreciate the work of the CSRB to investigate the impact of well-resourced nation state threat actors who operate continuously and without meaningful deterrence. As we announced in our Secure Future Initiative, recent events have demonstrated a need to adopt a new culture of engineering security in our own networks. While no organization is immune to cyberattack from well-resourced adversaries, we have mobilized our engineering teams to identify and mitigate legacy infrastructure, improve processes, and enforce security benchmarks. Our security engineers continue to harden all our systems against attack and implement even more robust sensors and logs to help us detect and repel the cyber-armies of our adversaries.”
The statement added that Microsoft “will also review the final report for additional recommendations.”