Microsoft is pivoting its company culture to make security a top priority, President Brad Smith testified to Congress on Thursday, promising that security will be “more important even than the company’s work on artificial intelligence.”
Satya Nadella, Microsoft’s CEO, “has taken on the responsibility personally to serve as the senior executive with overall accountability for Microsoft’s security,” Smith told Congress.
His testimony comes after Microsoft admitted that it could have taken steps to prevent two aggressive nation-state cyber attacks from China and Russia.
According to Microsoft whistleblower Andrew Harris, Microsoft spent years ignoring a vulnerability while he proposed fixes to the “security nightmare.” Instead, Microsoft feared it might lose its government contract by warning about the bug and allegedly downplayed the problem, choosing profits over security, ProPublica reported.
This apparent negligence led to one of the largest cyber attacks in US history, and officials’ sensitive data was compromised due to Microsoft’s security failures. The China-linked hackers stole 60,000 US State Department emails, Reuters reported. And several federal agencies were hit, giving attackers access to sensitive government information, including data from the National Nuclear Security Administration and the National Institutes of Health, ProPublica reported. Even Microsoft itself was breached, with a Russian group accessing senior staff emails this year, including their “correspondence with government officials,” Reuters reported.
“We acknowledge that we can and must do better,” Smith told Congress today, according to his prepared written testimony. “As a company, we need to strive for perfection in protecting this nation’s cybersecurity. Any day we fall short is a bad day for cybersecurity and a terrible moment at Microsoft.”
To reinforce the shift in company culture toward “empowering and rewarding every employee to find security issues, report them,” and “help fix them,” Smith said that Nadella sent an email out to all staff urging that security should always remain top of mind.
“If you’re faced with the tradeoff between security and another priority, your answer is clear: Do security,” Nadella’s email said. “In some cases, this will mean prioritizing security above other things we do, such as releasing new features or providing ongoing support for legacy systems.” To ensure everyone’s on board, Microsoft has also started tying executives’ salary to meeting security goals.
Microsoft to adopt all the government’s recommendations
Smith was the only witness testifying at a House Committee on Homeland Security hearing, titled, “A Cascade of Security Failures: Assessing Microsoft Corporation’s Cybersecurity Shortfalls and the Implications for Homeland Security.”
He told Congress that Microsoft was following through on all 16 recommendations that the Cyber Safety Review Board (CSRB) made in a report that “identified a series of Microsoft operational and strategic decisions that collectively points to a corporate culture that deprioritized both enterprise security investments and rigorous risk management.”
As part of those obligations, Microsoft has committed to stop charging for key security-related features like more granular logging that the CSRB said should be a core part of their cloud service. (Last July, Microsoft started shifting that culture by expanding cloud logging accessibility and flexibility to give customers “access to wider cloud security logs” at no additional cost.)
Smith also said that Microsoft was “pursuing new strategies, investing more resources, and fostering a stronger cybersecurity culture.” That includes adding “another 18 concrete security objectives” beyond the CSRB recommendations and “dedicating the equivalent of 34,000 full-time engineers to what has become the single largest cybersecurity engineering project in the history of digital technology,” Microsoft’s Secure Future Initiative (SFI).
Microsoft also beefed up its security team, Smith said, adding “1,600 more security engineers this fiscal year” and planning to “add another 800 new security positions” in the next fiscal year. Additionally, the company’s Chief Information Security Officer (CISO) will now run an office with senior-level deputy CISOs “to expand oversight of the various engineering teams to assess and ensure that security is ‘baked into’ engineering decision-making and processes.”
Smith described the SFI as “a multiyear endeavor” focusing all of Microsoft’s efforts developing products and services “on achieving the highest possible standards for security.” He warned that online threats are always evolving but said that Microsoft was committed to grounding projects in core cybersecurity tenets that would prioritize security in product designs and ensure that protections are never optional and always enabled by default.
This initiative is part of Microsoft’s plan to win back trust after Smith and Microsoft previously did not seem to accept full responsibility for the Russian cyber attack. In 2021, Smith told Congress that “there was no vulnerability in any Microsoft product or service that was exploited” in that cyber attack, while arguing that “customers could have done more to protect themselves,” ProPublica reported.
In an exchange with Senator Marco Rubio (R.-Fla.), Smith specified that customers could have paid for “an antivirus product like Microsoft Defender and securing devices with another Microsoft product called Intune,” ProPublica reported.
Now, Smith told Congress Thursday, “Microsoft accepts responsibility for each and every one of the issues cited in the CSRB’s report. Without equivocation or hesitation. And without any sense of defensiveness.”