In a scathing critique of Microsoft's corporate security and transparency, a review board appointed by the Biden administration issued a report on Tuesday, stating that a series of errors by the tech giant allowed state-backed Chinese cyber operators to access email accounts of senior U.S. officials, including Commerce Secretary Gina Raimondo.
The Cyber Safety Review Board, established in 2021 by executive order, highlighted Microsoft's inadequate cybersecurity practices, a permissive corporate culture, and a lack of transparency regarding the company's awareness of the targeted breach, which affected multiple U.S. agencies dealing with China.
The report concluded that Microsoft's security culture requires a complete overhaul, given the company's widespread use and critical role in the global technology ecosystem.
It stated that Microsoft products form the foundation of essential services supporting national security, the economy, and public health and safety.
The panel found that the intrusion, discovered in June by the State Department and dating back to May, could have been prevented and should never have occurred, attributing its success to a series of avoidable errors.
Furthermore, the board stated that Microsoft still does not know how the hackers gained access.
The board made comprehensive recommendations, including urging Microsoft to pause the addition of features to its cloud computing environment until substantial security improvements are made.
It also called on Microsoft's CEO and board to implement rapid cultural change, including publicly sharing a plan with specific timelines for fundamental security-focused reforms across the company and its products.
Microsoft responded in a statement, expressing appreciation for the board's investigation and pledging to further strengthen its systems against attacks, as well as to implement more robust sensors and logs to detect and repel cyber threats.
The state-backed Chinese hackers infiltrated the Microsoft Exchange Online email of 22 organizations and over 500 individuals worldwide, including the U.S. ambassador to China, Nicholas Burns.
They accessed some cloud-based email boxes for at least six weeks and downloaded approximately 60,000 emails from the State Department alone, the 34-page report revealed.
Three think tanks and four foreign government entities, including Britain's National Cyber Security Centre, were also compromised.
Convened by Homeland Security Secretary Alejandro Mayorkas in August, the board accused Microsoft of issuing inaccurate public statements about the incident, including a statement claiming to have determined the likely root cause of the intrusion, which was not the case.
Microsoft updated its misleading blog post in mid-March after repeated requests from the board.
The board also expressed concern about another hack disclosed by Microsoft in January, targeting email accounts of an undisclosed number of senior Microsoft executives and customers, attributed to state-backed Russian hackers.
It criticized Microsoft's corporate culture for deprioritizing enterprise security investments and rigorous risk management.
Microsoft acknowledged that recent events have highlighted the need for a new culture of engineering security within its networks.
The company stated that it has mobilized its engineering teams to identify and mitigate legacy infrastructure, improve processes, and enforce security benchmarks.