The theft of Microsoft signing keys used to spy on senior U.S. officials was preventable and was caused by the company’s failure to properly prioritize security, a federal review board concluded in a scathing report Tuesday.
Tuesday’s report is the product of the Cyber Safety Review Board (CSRB), an independent body established by President Joe Biden, which investigated the breach first disclosed in July 2023. The breach allowed a China-linked hacking group tracked as Storm-0558 to intercept emails belonging to Secretary of Commerce Gina Raimondo and U.S. Ambassador to China Nicholas Burns as they prepared for a high-stakes meeting in Beijing.
The CSRB places the blame for this incident squarely on Microsoft. “The Board concludes that this intrusion should never have happened. Storm-0558 was able to succeed thanks to a series of security failures at Microsoft.”
The report caps a seven-month investigation and follows a series of serious security incidents at Microsoft that have raised questions about the company’s national security responsibilities at a time when the federal government increasingly relies on it for cloud computing services. It lands amid growing concern in Washington about a company that provides many of the government’s cloud services. In January, Microsoft disclosed its latest incident, in which Russian hackers gained access to executives’ emails and company source code.
Tuesday’s report, the most detailed account yet of the Storm-0558 incident, provides more fodder for Microsoft’s critics, accusing the company of fostering a culture that deprioritizes security. “These strategic decisions collectively demonstrate a corporate culture that deprioritized both enterprise security investments and rigorous risk management,” the report says.
Perhaps the report’s most damning finding is that the breach could have been prevented had Microsoft implemented security measures already used by other cloud service providers, such as automatic key rotation and limiting the scope of keys that can be used for validation. This means that there is a high possibility that
The report also accuses Microsoft of misleading the public in explaining how the breach occurred.
Two months after the breach was first disclosed, Microsoft said in a blog post that the Chinese hackers had obtained its signing key, which the CSRB calls “the cryptographic equivalent of crown jewels for any cloud service provider,” after the key was inadvertently exposed. The company said its investigation had identified the most likely mechanism: the key had been captured in a so-called “crash dump,” the data a computer system generates when it fails.
According to the CSRB, shortly after publishing that blog post, Microsoft concluded that there was actually no evidence the crash dump had contained the key, and the company stated that the “crash dump theory is no longer more likely than any other theory. We now rate it as ‘low’ as the mechanism by which the attacker obtained the key.”
According to the report, Microsoft left a blog post containing its claims about crash dumps unrevised for more than six months, and only fixed it after repeated scrutiny from the CSRB.
“Loss of a signing key is a serious problem, but loss of a signing key through unknown means is far more significant,” the report said, because it “leaves the victim company unaware of how their systems were compromised and whether the associated vulnerabilities have been closed.” The report continued: “The false impression remained that Microsoft had definitively identified the root cause of this incident, and Microsoft customers did not have the critical facts they needed to conduct their own risk assessments of the security of their Microsoft cloud environments in the wake of this breach.”
A Microsoft spokesperson said in a statement that the company appreciated the board’s efforts to “examine the impact of well-resourced nation-state threat actors who continue to operate without meaningful deterrence.”
The spokesperson said the company has announced what it calls the “Secure Future Initiative” to prioritize the security of its products, “mobilizing our engineering teams to identify and mitigate legacy infrastructure, improve processes, and enforce security benchmarks.”
The CSRB report acknowledges that effort but argues that Microsoft has dangerously deprioritized its security work. Because Microsoft’s “ubiquitous and critical” products “underpin essential services that support national security, economic infrastructure, and public health and safety,” the report argues, the company must demonstrate “the highest standards of security, accountability, and transparency.”
In explaining how Microsoft has changed, the CSRB cites a 2002 e-mail in which company founder Bill Gates appealed to employees: “When faced with a choice between adding features and solving security problems, you have to choose security.”
“Our products should emphasize security right out of the box, and we must continually refine and improve their security as threats evolve,” Gates wrote, adding that security “should be applied at every stage of the development cycle for every type of software we create,” from operating systems and desktop applications to global web services.
According to the CSRB, the company has abandoned that idea. “The Board concludes that Microsoft is moving away from this ethos and must immediately restore it as a top corporate priority.”