UPDATED 18:58 EST / JUNE 13 2024

Microsoft’s Brad Smith acknowledges past security failures, outlines new initiatives

Microsoft Corp. President Brad Smith said before a House Committee on Homeland Security hearing today that the company acknowledges its past security shortcomings and detailed new initiatives to bolster defenses.

The testimony came as a former employee claimed that Microsoft ignored his warnings about vulnerabilities in Active Directory, which ultimately led to the hack of SolarWinds Worldwide LLC in 2020.

During his testimony, Smith (pictured) addressed significant breaches, including the SolarWinds hack and the compromise of Microsoft Exchange by hackers in 2023. He said the incidents had resulted from multiple failures within Microsoft’s security protocols.

He went on to say that Microsoft is committed to making security its top priority and detailed the company’s Secure Feature Initiative, a plan aimed at protecting user identities, securing networks and isolating production systems to prevent similar breaches. According to Smith, the initiative is part of a broader effort by Microsoft to enhance threat detection capabilities, improve incident response times and increase transparency with customers and stakeholders about security incidents.

In written testimony submitted to the hearing before he appeared in person, Smith said that “Microsoft accepts responsibility for each and every one of the issues cited” in a Cyber Safety Review Report into the Exchange hack. He added, “Without equivocation or hesitation. And without any sense of defensiveness. But rather with a complete commitment to address every recommendation and use this report as an opportunity and foundation to strengthen our cybersecurity protection across the board.”

Smith’s ownership of Microsoft’s past security failures comes as Andrew Harris, a disgruntled former Microsoft employee, claimed in an article published by ProPublica that his warnings of security issues with Microsoft products were ignored by the company. Harris argues that Microsoft failed to address a critical security flaw in Azure Active Directory Federation Services known as “Golden SAML” that ultimately led to the SolarWinds breach.

Harris says he discovered the vulnerability in 2016 but was subsequently dismissed by colleagues and adds that Microsoft did not address the issue, citing the potential financial consequences of acknowledging the flaw. Harris left Microsoft in August 2020, and the SolarWinds hack occurred later the same year.

In his testimony, Smith did not refer to Harris but assured the committee that Microsoft is committed to being transparent about its security practices and vulnerabilities. Smith mentioned that the company is implementing more rigorous internal audits and external reviews to ensure accountability and continuous improvement.

Smith also stressed the importance of collaboration between tech companies, the government and other stakeholders to strengthen national cybersecurity. He noted that Microsoft is working closely with federal agencies to improve security measures and share critical threat intelligence as it becomes available.

Ryan Kalember, chief strategy officer at cybersecurity company Proofpoint Inc., told SiliconANGLE that “there have been too many consequential cybersecurity incidents that have impacted consumers’ private information, organizations’ IP and sensitive data, and governments’ confidential intelligence that would have been avoidable had Microsoft made different choices and lived up to their public promises.”

“Security and privacy have unfortunately taken a back seat in Microsoft’s product design in their quest for new productivity features and a higher stock price and their recent backtracking after the Microsoft Recall AI controversy is a particularly instructive example,” Kalember added. “It took an enormous amount of pressure from the entire cybersecurity industry and privacy experts for Microsoft to see this for what it is — a massive, trivially exploitable security risk — and to do the right thing by ensuring it is disabled by default.”

Not everyone was as harsh on Microsoft’s previous mistakes. Jeff Williams, co-founder and chief technology officer at application security software platform provider Contrast Security Inc., noted that “while it’s pretty obvious in hindsight that they made a mistake, I think commentators are judging them without seeing the whole picture.”

“The unfortunate reality is that software is far more complex than most people understand,” he said. “A single application is built from dozens of source code repos, hundreds of open-source libraries, multiple application frameworks, server software and often multiple language platforms. And Microsoft has tens of thousands of applications, each of which has vulnerabilities reported all the time by tools, penetration testers, customers and more.”

Photo: Web Summit/Flickr
