U.S. Senator Ron Wyden (D-OR) has tagged Microsoft with responsibility for the recent espionage operation carried out by Chinese operatives in which the hackers broke into the email boxes of federal agencies, individuals and organizations.
In a letter to U.S. Attorney General Merrick Garland, Cybersecurity and Infrastructure Security Agency (CISA) director Jen Easterly, and Federal Trade Commission chair Lina Khan, Wyden accused the tech giant of repeated “negligent cybersecurity practices” that enabled a successful Chinese espionage campaign against the United States government.
Wyden, a leading lawmaker on cybersecurity, also tied the recent hack to the massive 2020 SolarWinds attack, for which he said Microsoft “faced little scrutiny” over its cybersecurity practices.
“Microsoft never took responsibility for its role in the SolarWinds hacking campaign. It blamed federal agencies for not pushing it to prioritize defending against the encryption key theft technique used by Russia, which Microsoft had known about since 2017. It blamed its customers for using the default logging settings chosen by Microsoft, and then blamed them for not storing the high-value encryption keys in a hardware vault.”
Wyden highlighted four significant cybersecurity failures by Microsoft that led to the most recent hack:
- Employing a single encryption key that could be used to forge access to consumer, commercial and government customers’ private communications.
- Microsoft’s blog post about the hack suggests it did not store its high-value encryption keys in a Hardware Security Module (HSM), a practice the company had advised its customers to follow and one that is essential to protecting valuable encryption keys.
- Using an encryption key that was valid for 5 years and was still accepted by Microsoft’s software even though it had expired in 2021, two years before the hack, which is inconsistent with established cybersecurity best practices.
- Neither internal nor external security audits detected the security weaknesses that enabled the hack.
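Three of the four failures listed above are properties a token verifier can enforce mechanically: a signing key must be bound to a validity window that the verifier checks at every use (not only the token's own expiry), and a key must be scoped to the tenant types it is allowed to sign for, so one key cannot mint tokens for consumer, commercial and government accounts alike. The example below is added here to illustrate those checks; it is not code from the page or from Microsoft. It assumes a constructed key store with hypothetical key IDs, secrets and dates, and uses HMAC-SHA256 rather than the asymmetric signatures an identity provider would use, purely so it runs with the standard library.

```python
import base64
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed key store (hypothetical names, secrets and dates): every signing
# key carries an explicit "not_after" date and the set of audiences (tenant
# types) it is permitted to sign tokens for.
KEY_STORE = {
    "key-2016": {
        "secret": b"constructed-secret-2016",
        "not_after": "2021-04-01T00:00:00+00:00",
        "audiences": {"consumer"},
    },
    "key-2022": {
        "secret": b"constructed-secret-2022",
        "not_after": "2024-04-01T00:00:00+00:00",
        "audiences": {"consumer"},
    },
}


def _b64url(data: bytes) -> str:
    """Base64url without padding, as used in JWT-style tokens."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims: dict, kid: str, secret: bytes) -> str:
    """Produce header.claims.signature with HMAC-SHA256 (illustrative only)."""
    header = {"alg": "HS256", "kid": kid}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, now: datetime, key_store=KEY_STORE):
    """Return (accepted, reason). Rejects unknown, expired or out-of-scope keys."""
    try:
        h_b64, c_b64, s_b64 = token.split(".")
        header = json.loads(_unb64url(h_b64))
        claims = json.loads(_unb64url(c_b64))
        sig = _unb64url(s_b64)
    except (ValueError, json.JSONDecodeError):
        return False, "malformed token"

    key = key_store.get(header.get("kid"))
    if key is None:
        return False, "unknown signing key"

    expected = hmac.new(key["secret"], f"{h_b64}.{c_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature"

    # Check the KEY's validity window on every verification; a token whose
    # signature is mathematically valid is still worthless if its key is stale.
    if now >= datetime.fromisoformat(key["not_after"]):
        return False, "signing key expired"

    # Check the KEY's scope: a consumer key must not validate enterprise tokens.
    if claims.get("aud") not in key["audiences"]:
        return False, "signing key not authorized for this audience"

    if now.timestamp() >= claims.get("exp", 0):
        return False, "token expired"
    return True, "ok"


if __name__ == "__main__":
    now = datetime(2023, 6, 1, tzinfo=timezone.utc)
    claims = {"sub": "user@example.test", "aud": "consumer",
              "exp": int(datetime(2023, 6, 2, tzinfo=timezone.utc).timestamp())}
    stale = sign_token(claims, "key-2016", KEY_STORE["key-2016"]["secret"])
    print(verify_token(stale, now))   # key expired in 2021, so rejected
    fresh = sign_token(claims, "key-2022", KEY_STORE["key-2022"]["secret"])
    print(verify_token(fresh, now))   # accepted
```

The order of checks matters only for the reason reported; every check runs before acceptance. A stricter verifier would also compare the token's issued-at time against the key's validity window, so that a token cannot be accepted merely because the key was valid at some point in the past, and would pull the key store from a published key set rather than a module-level dictionary.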
Wyden urged federal agencies to undertake the following investigations of the incident:
- A Cyber Safety Review Board investigation of the most recent hack, including whether Microsoft stored the stolen encryption key in a Hardware Security Module.
- The Department of Justice should use civil enforcement tools to examine whether negligent practices at Microsoft violated federal contracting laws.
- The FTC should investigate whether Microsoft’s privacy and security practices violated FTC regulations, or violated a consent decree Microsoft agreed to stemming from security failures in a previous sign-on product known as Passport.