Microsoft set to expand access to detailed logs in the wake of Chinese hacking operation

Microsoft will begin offering more customers access to an expanded set of logs at no additional charge, the company said Wednesday, following revelations earlier this month that hackers based in China exploited vulnerabilities in Microsoft cloud infrastructure to nab email data from multiple U.S. government agencies and officials.

Security staffers at the U.S. State Department detected the operation in mid-June using anomalous data entries captured in logs only available on a premium tier, officials said, spurring stark criticism of Microsoft from U.S. officials and experts in the cybersecurity community that the company was charging extra for essential security features.

Microsoft is now shifting its pricing and said in a blog post Wednesday that it will include “access to wider cloud security logs for our worldwide customers at no additional cost” starting in September and that it would increase default log retention from 90 to 180 days.

The Cybersecurity and Infrastructure Security Agency called the development “a significant step forward toward advancing security by design principles” in a statement Wednesday morning.

During a call with reporters last week, a senior CISA official criticized that Microsoft for charging a premium for the kind of logging necessary to detect the operation, noting that the paid tier approach was “not yielding the sort of security outcomes that we seek.” The official said that “every organization using a technology service like Microsoft 365 should have access to logging and other security data out of the box.”

Wednesday’s shift does not appear to have appeased the company’s critics. Sen. Ron Wyden, D-Ore., who has sharply criticized the company’s security failures even as it is an increasingly important provider of computing services to the U.S. government, said the pricing shift was insufficient to address a string of breaches.

“Unfortunately, as Microsoft’s $15 billion-plus cybersecurity business grows, Microsoft’s incentives are not to deliver secure operating systems and cloud software to its customers, but to deliver insecure products and then upsell them on cybersecurity add-ons,” Wyden said in a statement provided to CyberScoop.

“It shouldn’t have taken multiple disastrous hacks of federal systems for Microsoft to make essential security features standard for government customers, but better late than never,” Wyden said. “Going forward, federal agencies should insist that software contracts include security logs and other cybersecurity features, so our national security is no longer compromised by a shoddy procurement process.”

Trey Herr, the director of the Atlantic Council’s Cyber Statecraft Initiative, told CyberScoop called the policy update “a good step but not a great one.”

“Monetizing visibility into systems your customers are supposed to help defend undermines the so-called ‘shared responsibility’ model of cloud computing,” Herr said in an email. “More importantly, this commitment does nothing to address the process that led to another exploitable flaw in Microsoft’s crucial cloud identity service.”

Top CISA and Microsoft officials framed the company’s policy decision as the result of a months-long collaboration and conversation about the appropriate level of logging that should be available to customers.

“Today’s news comes as a result of our close partnership with CISA, which has called for the industry to take action in order to better protect itself from potential cyberattacks,” the company said in its blog post. “It also reflects our commitment to engaging with customers, partners, and regulators to address the evolving security needs of the modern world.”

Eric Goldstein, CISA’s executive assistant director for cybersecurity, said in a statement that his agency applauds Microsoft’s decision.

“While we understand it will take time to roll out such a major step, this effort will enhance cyber defense and incident response for every Microsoft customer,” Goldstein said. “As a founding partner in the Joint Cyber Defense Collaborative (JCDC), Microsoft’s decision is also a significant step toward creating a world where technology is safe and secure by design.”

Microsoft has said it is still investigating how the hackers were able to pull off an operation described as highly sophisticated and stealthy that resulted in the email inboxes of senior officials, including U.S. Commerce Secretary Gina Raimondo, being breached.

Elias Groll contributed reporting to this story.