Microsoft upgrades security for signing keys in wake of Chinese breach

Policymakers and researchers have sharply criticized Microsoft’s security practices after an illicitly obtained key enabled a wide-ranging espionage operation. 
(Photo by Peter Dazeley/Getty Images)

Microsoft announced on Thursday that it will update security protections for signing keys after coming under criticism from policymakers that deficient security controls allowed Chinese hackers to steal an encryption key, an incident that facilitated an espionage campaign targeting senior U.S. officials.

To combat hacking campaigns targeting the identity of users, Microsoft said it would move signing keys into a so-called “hardware security module,” which is a specialized piece of equipment used to store sensitive encryption keys. 

Critics of the company, including Sen. Ron Wyden, D-Ore., have blasted Microsoft for what they see as its negligent approach to security, and have seized on its  failure to store signing keys in hardware security modules as a particular point of weakness in the company’s security practices.

A spokesman for Microsoft told CyberScoop that the moves toward using hardware security modules to store signing keys are “not specific to one event but are a reflection of a changing landscape and a commitment to better safeguard customers in unprecedented times.”


Thursday’s announcement is part of a series of changes Microsoft is branding as its “Secure Future Initiative,” and comes in response to continued innovation and aggression from highly resourced nation-state hacking campaigns, Brad Smith, the company’s vice chair and president, said in a blog post.

The company said in a separate blog post that it will be moving “identity signing keys to an integrated, hardened Azure HSM and confidential computing infrastructure,” so that “signing keys are not only encrypted at rest and in transit, but also during computational processes as well. Key rotation will also be automated allowing high-frequency key replacement with no potential for human access, whatsoever.” 

Smith pointed to the company’s revelations in May of an extensive hacking campaign tied to China’s targeting of critical infrastructure entities in Guam and the U.S. as an example of the advanced techniques Thursday’s announcements are designed to address, and noted the targeting of “cloud services infrastructure, including at Microsoft.” 

Computer security researchers have sharply criticized Microsoft for its approach to key management after an operation linked to China was able to obtain tens of thousands of U.S. government emails this summer after illicitly obtaining a signing key

Industry experts and government officials demanded to know why Microsoft had designed its systems to allow for such a breach. Members of Congress have called for investigations, and the Department of Homeland Security’s Cyber Safety Review Board said in August that it would review the matter as part of a broader look at securing cloud environments.


In a July letter, Wyden urged the DHS’ Cybersecurity and Infrastructure Security Agency, the Department of Justice and the Federal Trade Commission to “take action to hold Microsoft responsible for its negligent cybersecurity practices, which enabled a successful Chinese espionage campaign against the United States government.”

Latest Podcasts