These incidents occurred as security experts were increasingly criticizing Microsoft for failing to promptly and adequately fix flaws in its products. As by far the biggest technology provider for the US government, Microsoft vulnerabilities account for the lion’s share of both newly discovered and most widely used software flaws. Many experts say Microsoft is refusing to make the necessary cybersecurity improvements to keep up with evolving challenges.
Microsoft hasn’t “adapted their level of security investment and their mindset to fit the threat,” says one prominent cyber policy expert. “It’s a huge fuckup by somebody that has the resources and the internal engineering capacity that Microsoft does.”
The Department of Homeland Security’s CSRB endorsed this view in its new report on the 2023 Chinese intrusion, saying Microsoft exhibited “a corporate culture that deprioritized both enterprise security investments and rigorous risk management.” The report also criticized Microsoft for publishing inaccurate information about the possible causes of the latest Chinese intrusion.
The recent breaches reveal Microsoft’s failure to implement basic security defenses, according to multiple experts.
Adam Meyers, senior vice president of intelligence at the security firm CrowdStrike, points to the Russians’ ability to jump from a testing environment to a production environment. “That should never happen,” he says. Another cyber expert who works at a Microsoft competitor highlighted China’s ability to snoop on multiple agencies’ communications through one intrusion, echoing the CSRB report, which criticized Microsoft’s authentication system for allowing broad access with a single sign-in key.
“You don’t hear about these types of breaches coming out of other cloud service providers,” Meyers says.
According to the CSRB report, Microsoft has “not sufficiently prioritized rearchitecting its legacy infrastructure to address the current threat landscape.”
In response to written questions, Microsoft tells WIRED that it’s aggressively improving its security to address recent incidents.
“We are committed to adapting to the evolving threat landscape and partnering across industry and government to defend against these growing and sophisticated global threats,” says Steve Faehl, chief technology officer for Microsoft’s federal security business.
As part of its Secure Future Initiative launched in November, Faehl says, Microsoft has improved its ability to automatically detect and block abuses of employee accounts, begun scanning for more types of sensitive information in network traffic, reduced the access granted by individual authentication keys, and created new authorization requirements for employees seeking to create company accounts.
Microsoft has also redeployed “thousands of engineers” to improve its products and has begun convening senior executives for status updates at least twice weekly, Faehl says.
The new initiative represents Microsoft’s “roadmap and commitments to answer much of what the CSRB report called out as priorities,” Faehl says. Still, Microsoft does not accept that its security culture is broken, as the CSRB report argues. “We very much disagree with this characterization,” Faehl says, “though we do agree that we haven’t been perfect and have work to do.”
A Security Revenue ‘Addiction’
Microsoft has earned special enmity from the cybersecurity community for charging its customers extra for better security protections like threat monitoring, antivirus, and user access management. In January 2023, the company touted that its security division had passed $20 billion in annual revenue.
“Microsoft has shifted to looking at cybersecurity as something that’s meant to generate revenue for them,” says Juan Andrés Guerrero-Saade, associate vice president of research at security firm SentinelOne. His colleague Alex Stamos recently wrote that Microsoft’s “addiction” to this revenue “has seriously warped their product design decisions.”
