Posting on LinkedIn last week, Charlie Bell, executive vice president of security at Microsoft Corp., last week announced a shakeup of its security organization in the wake of a Chinese government-backed hack that resulted in the theft of U.S. government emails.
A bit of background: This summer, Senator Ron Wyden called for Microsoft to be held accountable in a letter to Attorney General Merrick Garland and the leaders of the Cybersecurity and Infrastructure Security Agency and the Federal Trade Commission.
In the letter, Wyden wrote that “Holding Microsoft responsible for its negligence will require a whole-of-government effort.” The government effort, which appears to be ongoing, will come after Microsoft concluded its own internal investigation, which revealed some startling admissions.
The Chinese-backed cybercriminals, known by the handle “Storm-0558,” first gained access to the Microsoft 365 emails of high-level government officials in April 2021. According to a blog post, the criminals used “an acquired Microsoft account (MSA) consumer key to forge tokens to access OWA and Outlook.com. Upon identifying that the threat actor had acquired the consumer key, Microsoft performed a comprehensive technical investigation into the acquisition of the Microsoft account consumer signing key, including how it was used to access enterprise email. Our technical investigation has concluded.”
So, it’s no surprise that heads rolled over this. In a bit of spin in his LinkedIn post, Bell referenced the company’s “Secure Future Initiative.” “As we recently shared in the Secure Future Initiative memo, the speed, sophistication, and scale of cyber-attacks is accelerating,” he wrote. “This requires a new focus.”
Yeah — no kidding. This statement has been true for the better part of 30 years. Microsoft is just realizing this now?
The shakeup included several changes in roles. This includes Bret Arsenault, chief information security officer for 14 years, who moves aside along with deputy Aanchal Gupta. The company is elevating Igor Tsyganskiy, a recent addition to Microsoft who was recently president and chief technology officer at Bridgewater Associates.
Tsyganskiy has his work cut out for him. Just as enterprises and governments have finally started to trust the cloud for their most critical intellectual property, Microsoft has burst that bubble. The vulnerabilities are real. And it’s almost certain that Microsoft’s inability to stop such an incursion will slow the adoption of M365 by a range of organizations.
In some ways, this shouldn’t be a surprise. After all, Microsoft almost singlehandedly ushered in the cybersecurity business — a quarter-trillion-dollar market in 2023. The company, which blithely engineered its systems without giving security a thought in the early days (and maybe even the later days), gave rise to a cottage industry of startups that all solved one element of security that Microsoft ignored.
In fact, PowerShell remains the preferred attack technique for hackers. This post in SecurityWeek states, “The reason PowerShell is so prevalent is quite clear: it has been included in essentially every Windows operating system by default for a decade, provides access to Windows API, and is rarely constrained, thus allowing adversaries to perform administrative and automation tasks without risking being blocked.
This lack of security in Microsoft code has complicated the lives of information technology and security teams for decades now, and it doesn’t appear to be getting better. For a company that has always seemed to give security short shrift, Microsoft reaps a good pile of cash from that sector — bringing in some $20 billion in security revenue. It’s a pretty good business cleaning up its own mess.
I don’t know much about Igor Tsyganskiy, but when he starts his new gig on Jan. 1, I’d urge him to have Microsoft take a clean sheet-of-paper approach to security. Instead of a series of Band-Aids applied to major wounds, the company needs to think about why these things keep happening. How about a “Secure Present Initiative”?
Maybe the answer isn’t building lots of new tools to patch the holes left by careless engineering. Instead, maybe (just maybe) Microsoft should think more about their users and the companies that pay it billions each year. With that in mind, it should build secure solutions. Period.