Lawmakers question Microsoft president over security culture that enabled recent hacking incidents

House lawmakers on Thursday questioned Microsoft President Brad Smith over recent vulnerabilities that allowed nation-state hackers to access inner workings of the company’s enterprise email systems over the past year and exfiltrate thousands of inbox communications from agency officials.

In opening remarks before the House Homeland Security Committee, Smith apologized for the incident, a breach carried out by Chinese cyberspies last summer that targeted both senior State Department and Commerce Department officials. A more recent hack involved Russian hackers nabbing agencies’ communications with the company.

The Chinese email hack, in particular, became the subject of a critical oversight report released by a DHS board in April that faulted Microsoft for maintaining a culture not focused on cybersecurity best practices, including poor management of signing keys that authenticate user entry into applications.

“Before I say anything else, I think it’s especially important for me to say that Microsoft accepts responsibility for each and every one of the issues cited in the CSRB’s report. Without equivocation or hesitation,” Smith said in prepared remarks, referring to the report authored by the Cyber Safety Review Board. “You cannot protect the homeland security of this country without protecting the cybersecurity of it as well,” Smith said in his opening testimony.

The company submitted an addendum to Smith’s written testimony on Wednesday saying the board approved a rule that would tie its executive leadership’s compensation to the company’s cybersecurity performance.

The hearing, for the most part, focused more on how Microsoft, with billions of dollars in federal IT contracts, could improve itself and where the U.S. government could get involved in those efforts, a dynamic that departed from more traditional instances of tech leaders going to Capitol Hill to face tough lines of questioning.

“By any measure, this cyber intrusion was not sophisticated. It did not involve advanced techniques or cutting-edge technologies. Instead, Storm-0558 exploited basic, well-known vulnerabilities that could have been avoided through basic cyber hygiene practices. In other words, this was avoidable,” said panel chairman Mark Green, R-Tenn. in his prepared opening statement that referred to the Chinese hacking group that carried out the intrusion.

The State Department was the first to discover and alert the company to last May’s hack. The intrusion was carried out around the middle of last year after the hackers obtained a Microsoft account key and used it to forge legitimate authentication tokens, hauling off some 60,000 emails from State and other victims.

The company initially said the key was inside a 2021 crash dump — spillover data that comes from a system crash. But that explanation, which the company reversed course on, got scrutiny from CSRB. Microsoft has updated its original July blog post about the incident several times. A recent March update said it has “not found a crash dump containing the impacted key material” despite its earlier claims.

Ranking Member Benny Thompson, D-Miss., also referenced a ProPublica story released the day of the hearing that reported a Microsoft whistleblower alerted colleagues about flaws that would later enable the Russian-linked SolarWinds hack in 2020 but went unaddressed because the company wanted to focus on business with the federal government.

“It’s not our job to find the culprits,” he said, telling Smith it’s the company’s responsibility to signal to its customers when a breach occurs.

Smith was grilled by lawmakers over the company’s business in China. He said Microsoft runs data centers in China for the benefit of multinational firms, as well as its own research lab, but that just around 1.5% of the tech giant’s revenues are tied to the nation.

Rep. Carlos Gimenez, R-Fl. asked if it was “really worth it” for Microsoft to be involved there. The two clashed over how the tech giant complies with China’s 2017 national intelligence law that compels all people and firms residing in the country to hand over data that can help with the central government’s intelligence investigations.

“I will tell you that there are days when questions are put to Microsoft, and they come across my desk. And I say no, we will not do certain things,” Smith said.

The aftermath of the cyberattack last year led to several rounds of congressional scrutiny over the U.S. government’s heavy reliance on Microsoft products and services, which are used across Capitol Hill, federal agencies and the Defense Department.

“He was very good about admitting that they made mistakes,” Green told Nextgov/FCW on the sidelines of the hearing. “There are some details we still need to get” in a classified setting, he added. As of now, no legislation is being developed that specifically puts Microsoft in the committee’s crosshairs, he said, though several broader cyber legislation pieces are in the works.