Microsoft is facing heat from a US senator for failing to prevent state-sponsored hackers from breaking into US government systems twice: during the 2020 SolarWinds hack, and the more recent Outlook-based email hack that was disclosed this month.
Sen. Ron Wyden (D-Oregon) is demanding an investigation into Microsoft from the Justice Department, the Federal Trade Commission, and country’s cybersecurity agency, CISA.
“I write to request that your agencies take action to hold Microsoft responsible for its negligent cybersecurity practices, which enabled a successful Chinese espionage campaign against the United States government,” he wrote on Thursday.
Wyden says the hackers behind the SolarWinds incident and the Outlook breach gained access partly due to poor security practices from Microsoft. But rather than admit fault, the software giant allegedly shifted blame to others and urged customers to stick with Microsoft products.
For example, Wyden cites how the suspected Chinese hackers who broke into US government email accounts this month did so by using forged authentication tokens for Exchange Online and Outlook.com. In its own blog post, Microsoft revealed the hackers somehow acquired a “Microsoft account (MSA) consumer signing key,” which could also be exploited to forge the authentication tokens for enterprise accounts.
“Even with the limited details that have been made public so far, Microsoft bears significant responsibility for this new incident,” Wyden says. “First, Microsoft should not have had a single skeleton key that, when inevitably stolen, could be used to forge access to different customers’ private communications.”
The other problem is that Microsoft neglected to store such signing keys in a hardware vault, known as a hardware security module—a practice Microsoft itself faulted customers for failing to do during the SolarWinds breach, Wyden’s letter says.
The senator then criticized the company over the signing keys used in the Outlook hack. According to cloud security provider Wiz, one key was valid since at least 2016 before it was replaced in recent weeks. “Federal cybersecurity guidelines, industry best practices, and Microsoft’s own recommendations to customers, dictate that encryption keys be refreshed more frequently, for the very reason that they might become compromised,” Wyden says.
In addition, Microsoft’s internal and external audits failed to catch the key signing vulnerability, meaning it's possible the company’s products contain other problems. “Holding Microsoft responsible for its negligence will require a whole-of-government effort,” Wyden adds.
Microsoft didn’t immediately respond to a request for comment. In the meantime, Wyden is asking US Attorney General Merrick Garland to investigate if Microsoft failed to follow required cybersecurity standards while receiving federal funding. Wyden also wants CISA to investigate the recent Outlook hacks and Microsoft’s role in them.
UPDATE: In response to Wyden's letter, Microsoft said: "This incident demonstrates the evolving challenges of cybersecurity in the face of sophisticated attacks. We continue to work directly with government agencies on this issue, and maintain our commitment to continue sharing information at Microsoft Threat Intelligence blog."
Meanwhile, CISA said the agency "has received Senator Wyden’s letter, and we look forward to responding to him directly. More generally, we continue to work with technology providers, including Microsoft, to advance adoption of secure by design practices that will help keep every American organization safe."