Updated below with details from the hearing.
Microsoft President Brad Smith previewed his approach in prepared written testimony for his appearance Thursday before the U.S. House Committee on Homeland Security for a hearing about the company’s security failures.
“Before I say anything else,” he wrote, “I think it’s especially important for me to say that Microsoft accepts responsibility for each and every one of the issues cited in the CSRB’s report,” referencing an April report by the U.S. Cyber Safety Review Board (CSRB) that took Microsoft to task for its “inadequate” security culture.
Smith wrote that the company is committed to changing its ways. He cited evidence including Microsoft’s introduction last fall of its Secure Future Initiative, the more recent commitments by CEO Satya Nadella to put security above all else, and the company’s move to base part of senior executive compensation on security.
He said the company is committed to implementing each of the CSRB’s recommendations. He referenced, as an example, its move Friday to update the “Recall” feature on its Copilot+ PCs to address security concerns.
But if Microsoft is truly prioritizing security over new product features, why did it go forward with the Recall feature in the first place?
Microsoft has repeatedly promised to put security above features in the past, stretching back nearly 25 years — so what’s different this time?
And how can Microsoft justify making as much as $20 billion a year on security products, given these problems with its core software products and services?
Those are the types of questions that Smith will face during the hearing, titled “A Cascade of Security Failures: Assessing Microsoft Corporation’s Cybersecurity Shortfalls and the Implications for Homeland Security.”
Like the CSRB report, the hearing will focus in part on a high-profile incident in May and June 2023, when the Chinese hacking group known as Storm-0558 is believed to have compromised the Microsoft Exchange Online mailboxes of more than 500 people and 22 organizations worldwide, including senior U.S. government officials.
While accepting responsibility and acknowledging Microsoft’s shortcomings, Smith put the issue in broader geopolitical context in his written testimony, citing the potential for China, Russia, Iran, and North Korea not only to act on their own but to collaborate in the future to potentially devastating effect.
Make no mistake, we are all in this together. The CSRB report was sparked by a successful Chinese attack on Microsoft, and we understand every day that we have by far the first and greatest responsibility to heed its words. We’re committed to doing so and to playing an indispensable leadership role in defending not just our customers, but this country and its allies. But no single company can protect a country and other nations from what is emerging as a cyberwar waged by four aggressive governments.
Whether or not this scrutiny makes a meaningful difference in the security of Microsoft’s products, the company’s competitors are hoping that it raises awareness of the issue, at least, and causes government officials and corporate decision-makers to rethink the choices they make when buying software and cloud services.
“Microsoft poses an especially acute national security risk given it has a dominant 85 percent market share in the U.S. government’s productivity software market, which makes the government dependent on Microsoft products including Outlook email, Word, Excel, Teams instant messaging, and the Azure cloud platform,” wrote NetChoice, a trade association whose members include Google and Amazon, in its own letter to the House Homeland Security Committee.
The hearing begins at 10:15 a.m. Pacific.
Update, 8:30 a.m.: In a follow-up letter to the Homeland Security Committee, Smith provided details on the Microsoft board’s decisions this week regarding the new security components of senior executives’ compensation.
He wrote, in part, “Beginning with the start of the company’s new fiscal year on July 1, one-third of the individual performance element for each SLT member’s bonus will be based exclusively on the [Microsoft Board Compensation] Committee’s assessment of the executive’s individual performance relating to cybersecurity.”
Update, 10:50 a.m.: In his opening statement, ranking member Rep. Bennie Thompson cited a ProPublica article published Thursday, in which a former Microsoft employee said he tried, without success, to warn execs about a flaw that ultimately left customers vulnerable to the 2019 SolarWinds attack.
Asked about the ProPublica report, Smith cited subsequent changes by the company including the addition of deputy chief information security officers into individual product groups. “The job of these individuals is to constantly monitor and assess and pick up feedback and apply a principled approach to things,” he said.
Asked how the company can earn back the trust of customers, Smith said, “I think it’s just critical that we acknowledge shortcomings, accept responsibility, devise the strategy to address them, change the culture, be transparent about what we’re doing, and always listen to feedback.”
Update, 11:05 a.m.: Members questioned Smith about Microsoft’s failure to update a blog post with information about the 2023 Storm-0558 attack.
Rep. Clay Higgins: Why did it take six months for Microsoft to update the means by which most Americans would be made aware of such a hack?
Smith: Well, first of all, I appreciate the question. It’s one that I asked our team. When I read the CSRB report, that’s part of the report that surprised me the most.
We had five versions of that blog: the original, and then four updates. And we do a lot of updates of these reports. And when I asked the team, they said the specific thing that had changed, namely, a theory, a hypothesis about the cause of the intrusion, changed over time, but it didn’t change in a way that would give anyone useful or actionable information that they could apply.
Higgins: Okay, so you see, Mr. Smith, respectfully, that answer… does not encourage trust. … The means by which you communicate with your customers was not updated for six months. So I’m just gonna say I don’t really accept that answer. …
Smith: I said the same thing, and we had the same conversation inside the company.
Higgins: Okay, I accept that.
Later, in response to a follow-up question from Rep. Eric Swalwell, Smith elaborated: “We updated that particular blog four times. It was at least one time too few.”
Smith answered another question about competitive alternatives to Microsoft software: “People can compete. Somebody said there’s no Plan B. I think about two-thirds of the folks sitting behind me in this room are trying to sell Plan B to you in one way or another, and that’s okay.”