Microsoft 'accepts responsibility' for cybersecurity failures after Russian and Chinese hacks

Microsoft President Brad Smith will tell lawmakers the tech giant "can and must do better"

Microsoft President Brad Smith testifies during a Senate Intelligence Committee hearing on Capitol Hill on February 23, 2021 in Washington, D.C.
Photo: Drew Angerer (Getty Images)
Microsoft has been the target of major cyberattack campaigns over the last year, and now it’s accepting responsibility for its failures to prevent the hacks.

Brad Smith, president of Microsoft, is expected to tell U.S. lawmakers Thursday the company “accepts responsibility for each and every one” of its cybersecurity failures cited in a U.S. government-backed report. The hearing will focus on how Microsoft’s failures have impacted national security.

“We acknowledge that we can and must do better, and we apologize and express our deepest regrets to those who have been impacted,” Smith’s prepared testimony to the House Homeland Security Committee says. Microsoft did not immediately respond to a request for comment.

In April, the U.S. Cyber Safety Review Board (CSRB) found that Chinese hackers known as Storm-0558 compromised the Microsoft Exchange Online emails of 22 organizations and more than 500 people around the world, including senior U.S. government officials working on national security. Commerce Secretary Gina Raimondo and R. Nicholas Burns, the U.S. ambassador to China, were among the hacked U.S. government officials.

The report, released by the U.S. Department of Homeland Security (DHS), found the attack was “preventable,” and that a series of Microsoft’s operational and strategy decisions led to “a corporate culture that deprioritized enterprise security investments and rigorous risk management.”

The CSRB concluded that Microsoft’s “security culture was inadequate and requires an overhaul, particularly in light of the company’s centrality in the technology ecosystem and the level of trust customers place in the company to protect their data and operations.”

“In sum, we accept responsibility for the past and are applying what we’ve learned to help build a more secure future,” Smith’s testimony says. “We are pursuing new strategies, investing more resources, and fostering a stronger cybersecurity culture.”

Microsoft was also at the center of one of the largest cyberattacks in U.S. history, SolarWinds, which was carried out between 2019 and 2020 by state-sponsored Russian hackers.

In January of this year, Microsoft’s corporate email systems were attacked by Midnight Blizzard, a Russian state-sponsored actor. The company said in March it had seen evidence of the hackers using the stolen information to gain access to its “source code repositories and internal systems.” However, Microsoft said it had not seen evidence that its customer-facing systems were compromised.

Ahead of the hearing, Smith reportedly said Microsoft will assess employees’ cybersecurity contributions in performance reviews, with the results reflected in their compensation.