A U.S. government review board will examine the suspected Chinese cyberespionage operation that breached Microsoft’s email authentication system and nabbed American officials’ emails, the Department of Homeland Security announced Friday.
The Cyber Safety Review Board — a public/private entity established via presidential executive order in 2021 in the wake of the SolarWinds breach and launched in early 2022 — will review the incident as part of a broader look at the “malicious targeting of cloud computing environments” and “focus on approaches government, industry, and Cloud Service Providers (CSPs) should employ to strengthen identity management and authentication in the cloud,” the agency said in a statement.
The operation targeting top U.S. officials’ emails, announced in July but detected in June by security staff at the U.S. State Department, spurred heavy criticism of Microsoft, particularly because evidence of the breach was only apparent if customers paid for a premium logging tier. Microsoft has since announced that customers will have access to expanded logging and storage capability at no additional cost.
“We must as a country acknowledge the increasing criticality of cloud infrastructure in our daily lives and identify the best ways to secure that infrastructure and the many businesses and consumers that rely on it,” CSRB Chair and DHS Under Secretary for Policy Rob Silvers said in the agency’s statement.
Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, said in the statement that an “effective shared responsibility model requires a persistent focus on potential systemic risks in cloud environments,” and that the board’s findings will “advance cybersecurity practices across cloud environments and ensure that we can collectively maintain trust in these critical systems.”
Sen. Ron Wyden, D-Ore., urged DHS and CISA to use the CSRB to examine how Microsoft’s approach to storing authentication keys contributed to the breach. Wyden also called for the Department of Justice to review whether Microsoft’s “negligent practices” violated federal law, and asked for the Federal Trade Commission to analyze whether Microsoft’s privacy and data practices violated federal law.
“I applaud President Biden and CISA Director Easterly for acting on my request for the board to review this recent espionage campaign, including cybersecurity negligence by Microsoft that enabled it,” Wyden told CyberScoop in an email Friday.
Microsoft did not immediately respond to a request for comment.
The CSRB on Thursday released its report on attacks associated with Lapsus$, a cybercrime group that included teenagers who managed to infiltrate and extort some of the biggest and most well-resourced companies on the planet. A previous report focused on the Log4j vulnerability.
Critics of the CSRB’s approach to its mission have pointed out that the board’s policy of not “finger-pointing” diminishes the potential for true accountability, and others have noted that the board is inherently hamstrung because of confidentiality concerns from private vendors and conflicts of interest.
“Had the board studied the 2020 SolarWinds hack, as President Biden originally directed, its findings might have been able to shore up federal cybersecurity in time to stop hackers from exploiting a similar vulnerability in the most recent incident,” Wyden said in his email. “The government will only be able to protect federal systems against cyberattacks by getting to the bottom of what went wrong. Ignoring problems is both a waste of taxpayer dollars and a massive gift to America’s adversaries.”
Adam Shostack, a cybersecurity researcher and faculty member at IANS Research who has written extensively about the CSRB, said he is concerned that the upcoming report will repeat the board’s past mistake of failing to study incidents in sufficient depth. Because the upcoming report is couched as part of a “broader” look at cloud security, Shostack said he feared that “we are again not going to get into specifics.”
“I would love to see a more specific version of this,” Shostack said, pointing to one of the central unanswered questions in the most recent Microsoft incident: “What happened with the Microsoft signing key that was stolen?”
Elias Groll contributed reporting to this article.
Updated Aug. 11, 2023: This article has been updated with comment from Adam Shostack.