Members of Congress pressed Microsoft on Thursday to strengthen how it handles reported security flaws in its ubiquitous products after a series of cyberattacks struck the federal government.
The criticism from members of the House Homeland Security Committee came in response to a new ProPublica investigation that found Microsoft repeatedly rebuffed a company engineer who, beginning in 2017, warned that a product flaw left millions of users vulnerable to attack, including federal employees. Russian hackers later exploited that weakness in one of the largest cyberattacks in U.S. history, widely known as SolarWinds.
Rep. Bennie Thompson of Mississippi, the committee’s top Democrat, entered the news organization’s story into the congressional record. He then asked Microsoft President Brad Smith if the company has since established a process “to ensure that employee concerns about security at Microsoft or their products are prioritized and addressed.”
Smith, sitting alone at the witness table in a packed hearing room, told lawmakers that the company is shifting its approach to security. Microsoft is trying “to empower every employee to focus on continuous improvement and speak up … and to ensure that those voices are heard and heeded,” he said.
Smith added, “We want a culture that encourages every employee to look for problems, find problems, report problems, help fix problems and then learn from the problems.”
As ProPublica reported, that is not the corporate culture that the former Microsoft engineer, Andrew Harris, encountered in the years leading up to SolarWinds. Harris said product leaders, who were focused on Microsoft’s drive to dominate the cloud computing market, told him that addressing the weakness he’d identified would undermine the company’s business goals of securing federal government contracts and marginalizing competitors.
The federal Cyber Safety Review Board, in its own examination of Microsoft’s role in a separate hack perpetrated last year by Chinese attackers, also found the company’s security culture “inadequate” and in need of an “overhaul.” Microsoft “deprioritized both enterprise security investments and rigorous risk management,” the board found, resulting in a “cascade of … avoidable errors.”
On Thursday, Smith said Microsoft accepted responsibility for the board’s findings and has since moved to tie executive bonuses to cybersecurity. He said security would also be part of every Microsoft employee’s performance review, and thus would indirectly impact compensation across the company.
Microsoft’s promise to change its security culture echoes a similar pledge from founder Bill Gates more than 20 years ago. “When we face a choice between adding features and resolving security issues, we need to choose security,” Gates wrote at the time.
In the decades since, former employees told ProPublica, developing new products and features was often prioritized over fixing security bugs in existing offerings.
While the official subject of Thursday’s hearing was the cybersafety board’s report on the China hack, members of the committee asked Smith question after question about ProPublica’s SolarWinds investigation, which Rep. Delia Ramirez, D-Ill., called a “bombshell report.”
She said the hearing was a “reckoning moment” for the company, which has repeatedly downplayed its role in SolarWinds. One of the flaws the Russians exploited involved a Microsoft application, which was supposed to ensure users had permission to log on to cloud-based programs. The weakness allowed intruders to masquerade as legitimate employees and rummage through sensitive data in the cloud, including emails.
Rep. Seth Magaziner, D-R.I., asked Smith about his prior congressional testimony, in which he said that Microsoft had first learned about this weakness in November 2017, when an outside cybersecurity firm published a report on it. ProPublica’s investigation, Magaziner noted, found that Harris had raised it even earlier, only to be ignored. The lawmaker asked Smith if his prior testimony was incorrect.
Smith demurred, saying he hadn’t read the story. “I was at the White House this morning,” he told the panel.
Later, Smith complained that ProPublica’s investigation was published the day of the hearing and said that he’d know more about it “a week from now.” ProPublica sent detailed questions to Microsoft nearly two weeks before the story was published on Thursday and requested an interview with Smith. The company declined to make him available.
On Thursday, Smith pointed out that the weakness in Microsoft’s product could also be found in other companies’ software. Cybersecurity specialists have noted, however, that Microsoft’s version was one of the most widely used, including by the federal government.
When Ramirez asked how Harris’ discovery would have been handled differently today, Smith said, “I think what’s most important for today is simply to note how we are changing … how we elevate these issues and reward people for finding, reporting and helping to fix problems.”