Cyber review board blames cascading Microsoft failures for Chinese hack

A federal review board concluded in a scathing report Tuesday that the theft of a Microsoft signing key used to spy on senior U.S. officials was a preventable failure caused by the company’s failure to appropriately prioritize security. 

Tuesday’s report, the work of the independent Cyber Safety Review Board established by President Joe Biden, examines a breach that first came to light in July 2023, when hackers linked to China known as Storm-0558 were able to snoop on emails belonging to Commerce Secretary Gina Raimondo and U.S. Ambassador to China Nicholas Burns ahead of high-stakes meetings in Beijing. 

The CSRB lays the blame for the incident squarely on Microsoft: “The Board concludes that this intrusion should never have happened. Storm-0558 was able to succeed because of a cascade of security failures at Microsoft.”

The report represents the conclusion of a seven-month review and comes against the backdrop of growing concern in Washington that a series of severe breaches at Microsoft has made the company a national-security liability at a time when the federal government is increasingly relying on that company for a raft of cloud computing services. In January, Microsoft disclosed the latest such incident, in which Russian hackers were able to access emails belonging to senior company officials and company source code. 

Tuesday’s report, the most detailed accounting to date of the Storm-0558 incident, will only provide additional ammunition to the company’s critics, as it accuses Microsoft of fostering a corporate culture that has deprioritized security: “The Board identified a series of Microsoft operational and strategic decisions that collectively point to a corporate culture that deprioritized both enterprise security investments and rigorous risk management.”

Perhaps the most damning finding in the report is that the breach would likely have been prevented if Microsoft had put in place security measures — such as automatic key rotation and limiting the scope of what keys can validate — adopted by other cloud service providers. 

The report also accuses Microsoft of misleading the public in its accounting of how the breach occurred.

Two months after the breach was first revealed, Microsoft said its investigation had identified the most likely way in which Chinese hackers stole a signing key — what the CSRB calls “the cryptographic equivalent of crown jewels for any cloud service provider” — after it was inadvertently included in a so-called “crash dump,” the information that is generated when a computer system fails. 

According to the CSRB, shortly after publishing that blog, Microsoft concluded that it did not actually have any evidence that a crash dump had contained the key, leading the company “to assess that the crash dump theory was no longer any more probable than other theories as the mechanism by which the actor had acquired the key.” 

Microsoft left its blog post containing its assertion regarding the crash dump uncorrected for more than six months and only corrected it after repeated prodding by the CSRB, according to the report. 

“The loss of a signing key is a serious problem, but the loss of a signing key through unknown means is far more significant because it means that the victim company does not know how its systems were infiltrated and whether the relevant vulnerabilities have been closed off,” the report notes. “Left with the mistaken impression that Microsoft has conclusively identified the root cause of this incident, Microsoft’s customers did not have essential facts needed to make their own risk assessments about the security of Microsoft cloud environments in the wake of this intrusion.”

A Microsoft spokesperson said in a statement that the company appreciated the board’s work “to investigate the impact of well-resourced nation state threat actors who operate continuously and without meaningful deterrence.”

The spokesperson noted that the company has announced what it calls the Secure Future Initiative to better prioritize security in its products, and that the company has “mobilized our engineering teams to identify and mitigate legacy infrastructure, improve processes, and enforce security benchmarks.” 

The CSRB report acknowledges that initiative but argues that Microsoft has dangerously deprioritized its security commitments. Because Microsoft’s “ubiquitous and critical” products “underpin essential services that support national security, the foundations of our economy, and public health and safety,” Microsoft must “demonstrate the highest standards of security, accountability, and transparency,” the report contends. 

In describing how Microsoft has changed, the CSRB cites a 2002 email from company founder Bill Gates in which he implores the company “when we face a choice between adding features and resolving security issues, we need to choose security.”

“Our products should emphasize security right out of the box, and we must constantly refine and improve that security as threats evolve,” Gates wrote, adding that prioritizing security “should apply at every stage of the development cycle of every kind of software we create, from operating systems and desktop applications to global Web services.”

According to the CSRB, the company has abandoned that thinking: “The Board concludes that Microsoft has drifted away from this ethos and needs to restore it immediately as a top corporate priority.”