Sen. Ron Wyden (D-OR) delivered a powerful demand on Thursday, urging the Justice Department and two civil regulators to launch separate investigations into what he called Microsoft’s “negligent cybersecurity practices.” According to Wyden, these practices led to a targeted hack that affected the highest levels of President Joe Biden’s cabinet.
The Chinese hackers managed to access Microsoft-powered email accounts belonging to top China envoys, Commerce Secretary Gina Raimondo, and Secretary of State Antony Blinken. This intrusion, which took place between May and June, happened just before a critical Sino-U.S. meeting.
In a letter sent to Attorney General Merrick Garland, Federal Trade Commission Chair Lina Khan, and Cybersecurity and Infrastructure Security Agency Director Jen Easterly, Wyden requested that the Justice Department investigate whether Microsoft violated federal law through negligence. He also asked CISA to examine whether Microsoft breached best practices for securing the highly sensitive “skeleton key,” and for the Federal Trade Commission to investigate potential violations of federal privacy statutes.
Wyden’s directive to the FTC specifically focused on privacy concerns, but the agency could broaden its examination to consider whether Microsoft’s dominance in the cloud computing market has led to increased risks through anti-competitive behavior. This allegation has been raised by competitors and cybersecurity experts, including Google.
According to Wyden, Microsoft’s engineers should never have deployed systems that violated basic cybersecurity principles. He argued that these obvious flaws should have been identified during Microsoft’s internal and external security audits.
In response, a Microsoft spokesperson acknowledged the incident as a demonstration of the evolving challenges of cybersecurity in the face of sophisticated attacks. The spokesperson expressed Microsoft’s commitment to working with government agencies on this issue and to sharing information through the Microsoft Threat Intelligence blog.
While the FTC confirmed receiving the letter from Wyden, it declined to comment further. CISA has yet to respond to the request for comment.
Cybersecurity experts have grown increasingly concerned about the hack, which impacted numerous government organizations worldwide. The State Department and the Commerce Department were among the targeted agencies.
The State Department’s cyber team notified Microsoft about the attack, thanks to more detailed reporting and logging capabilities the department had implemented. Following the hack, Microsoft announced that it would offer sophisticated logging for free, ceasing its previous practice of charging for it.
Wyden pointed out that this was not the first time a foreign government had exploited Microsoft vulnerabilities to hack government agencies. He highlighted the similarity to the 2020 SolarWinds hacking campaign orchestrated by Russian hackers and criticized Microsoft for failing to warn customers about the risk of keys being exfiltrated since 2017.
Both Microsoft and federal officials have been relatively tight-lipped about the hack. However, Microsoft has shared additional information and implemented measures to mitigate the impact of the breach for its customers.