Microsoft’s Brad Smith should prepare for ‘ritual punishment’ before House hearing
When he appears before the House Homeland Security Committee on Thursday to answer questions about a string of security failures at his company, Microsoft President Brad Smith can expect to feel the full fury of a panel of irate lawmakers. But if he is able to endure that, cybersecurity experts believe the hearing is unlikely to result in meaningful change.
Coming as it does on the back of numerous bruising reports about the company’s cybersecurity shortcomings, the hearing could produce major drama, but Jim Lewis, who directs the strategic technologies program at the Center for Strategic and International Studies think tank, expects the event to yield little more than “ritual punishment.”
“Everybody’s mad at Microsoft,” Lewis said, adding that he’s heard frustrations from the White House, industry and Congress about recent cyber operations by Chinese and Russian operatives that have taken advantage of weaknesses in Microsoft products. “It’s hard to see how the House won’t use it as an opportunity to beat up on them. [Smith] is walking into a bear trap.”
Experts still harbor hope, however, that Thursday’s hearing could catalyze meaningful change at a company that has raised increasing concerns that it has become a major security liability.
The hearing takes its title — “Cascade of Security Failures” — from a report of the Department of Homeland Security’s Cyber Safety Review Board, which concluded that a Chinese operation to steal a signing key and use it to snoop on emails belonging to senior U.S. government officials was the result of “a cascade of security failures at Microsoft.”
But that incident was just one in a spate of bad cybersecurity headlines for the tech giant, which recently disclosed that hackers linked to Russia’s foreign intelligence agency accessed company source code.
In written testimony released in advance of the hearing, Smith offered an apology to those impacted by the Chinese breach, including those in the federal government, and acknowledged Microsoft “can and must do better.”
“In sum, we accept responsibility for the past and are applying what we’ve learned to help build a more secure future,” Smith said in his prepared testimony. “We are pursuing new strategies, investing more resources, and fostering a stronger cybersecurity culture.”
One observer of the company anticipates that Smith can use Thursday’s appearance to deflect scrutiny of his firm. Smith is “good at talking around issues, about issues,” said Cory Simpson, the CEO of the Institute for Critical Infrastructure Technology, who added that he expects “not much” from the hearing.
Lewis, too, said Microsoft has proven adept at dodging accountability for its cyber woes, relying on a well-honed “playbook” that includes hyping its initiative last month to declare security its top priority going forward: “Get caught with your pants down, and announce some new security initiative.”
Microsoft has established itself as a key purveyor of software to the federal government, to such a degree that the company’s critics have accused it of ”creating a security monoculture.” Microsoft’s competitors for federal government business have been taking advantage of the company’s blemishes, pressing publicly for themselves as alternatives, criticizing Microsoft in advance of the hearing and behind the scenes on the Hill.
One such competitor, Trellix Public Sector Chief Technology Officer Karan Sondhi, said he isn’t optimistic about the prospect for change resulting from the hearing, given the vastness of Microsoft’s market control of the sector.
While a legislative solution to reduce the federal government’s reliance would be helpful, Sondhi said he hoped the hearing would inspire agencies to take individual action to purchase products from a multitude of vendors, rather than in a bundle from one company.
“We’re hoping the hearing will make people realize that they need to do that on their own, without having any legislative body enforcing something,” he said.
Aside from the cybersecurity impact of Microsoft’s prevalence in federal systems, the committee is likely to question Smith about the company’s presence in China and its approach to artificial intelligence, a committee spokesperson said. “Tomorrow is a critical step in helping Congress better understand the evolving threats from our cyber adversaries and fulfill its role in improving our nation’s security posture,” according to the spokesperson.
House Homeland Security panel leaders have said they want to hear from Microsoft about its views on its security shortcomings, the challenges of foreign nation-backed hackers and the company’s plans for improvement.
The ideal outcome would be “a great American company coming forward and saying, ‘mea culpa,’” Simpson said. “‘We’ve done some things wrong. We’ve made some errors. We built this culture. We recognize a need to change. And here are the things you can expect from us moving forward that we can collectively look at and measure progress.’”
For Lewis, one potential positive lesson from the hearing is that it would boost the standing of the Cyber Safety Review Board, and give it more incentive to be tougher on companies, he said. DHS has long suggested that the board needs the authority to compel companies to cooperate with its probes, a sentiment shared by outside experts.
But even as the ranks of Microsoft critics grow — the latest is Robert O’Brien, former President Donald Trump’s former national security adviser, attacking the company in an op-ed — Smith is set to argue that his company needs the backing of the federal government to defend itself.
“Nation-state attackers too often attack without meaningful reprisal, consequence, or deterrence,” Smith said in his prepared testimony. “International law or norms of conduct are incomplete and lack meaningful enforcement.”
The U.S. government specifically could do more, Smith said. “Deter nation-state threat actors by imposing appropriate punishment so that the actions of nation-state actors are not without a cost,” his testimony states. “To accomplish this Congress should assess whether additional steps are needed to strengthen countermeasures against nation-state threat actors.”
Smith also warned that Russia and China may strengthen their already close relationship by carrying out cyberattacks together. “This is grave at multiple levels,” his testimony reads. “It’s one thing to engage in cyber combat with four separate nation-state adversaries, but quite another scenario if two or all four of these countries work in tandem.”
