Feds to Microsoft: Clean Up Your Cloud Security Act Now

A federal review board has called on Microsoft to prioritize its approach to cloud security and stop pushing the burden of it onto customers in the wake of a July 2023 cyberattack that let Chinese threat actors breach Microsoft 365 accounts to spy on key US government officials.

A report released on April 2 by the independent Department of Homeland Security (DHS) Cyber Safety Review Board offered an incendiary review of Microsoft's security culture, putting the blame squarely on the company and a "cascade of security failures" for the cyber espionage attack by China-based threat group Storm-0558, which "never should have happened."

The board — which was investigating the breach at the behest of President Joe Biden — demanded that the technology giant put cybersecurity at the top of its agenda. It also should be held to strict account to make significant revisions to its cloud-security position, even prioritizing these changes ahead of new product features and development.

"To drive the rapid cultural change that is needed within Microsoft, the board believes that Microsoft’s customers would benefit from its CEO and Board of Directors directly focusing on the company's security culture and developing and sharing publicly a plan with specific timelines to make fundamental, security-focused reforms across the company and its full suite of products," officials said in the report.

Put Security Before Product Innovation

As part of its review, the board made a series of recommendations to this end, including that top executives not only develop this plan but also hold leaders at all levels across the company accountable for implementing it.

Microsoft leadership also should consider directing internal Microsoft teams to "deprioritize feature developments across the company's cloud infrastructure and product suite until substantial security improvements have been made," instead assessing and addressing security before deploying any new features, the board concluded.

Given the dependence on the security of Microsoft's cloud-based services and infrastructure, the software giant and other CSPs also need to take more accountability overall for the security outcomes of their customers. An action item at the top of this list is to halt the practice of making customers pay for security-related logging, making it "a core element" of cloud offerings instead of an add-on service for an extra fee.

Microsoft already relented and dropped fees associated with expanded logging access for all levels of 365 license holders shortly after the breach following complaints that it was effectively levying a logging tax on customers.

This One Is on Microsoft

The overall finding of the board is that the blame for the breach — which allowed Storm-0558 to gain access to email accounts across 25 government agencies in Western Europe and the US — is solely with Microsoft, and was directly due to a series of security failings on the part of the company.

As the fallout from the breach intensified in the weeks after its initial detection, Microsoft eventually in September 2023 owned up to a series of mistakes that led to Storm-0558 using a Microsoft account (MSA) consumer signing key to forge Azure AD tokens for accessing enterprise email accounts. MSA consumer keys are typically used to cryptographically sign into a Microsoft consumer application or service such as Outlook.com, OneDrive, and Xbox Live.

The company said at the time that a race condition resulted in the signing key being present either in a crash dump or a snapshot of the crashed system. The key eventually ended up with the debugging team on Microsoft's Internet-connected corporate network, where threat actors likely picked it off.

However, government officials held executives feet to the fire over the company's failure to detect the compromise of its "cryptographic crown jewels on its own," as it was a customer — a human rights organization who did not have access to advanced cloud security logging — that first alerted the company to a potential issue.

Moreover, Microsoft has never proven that the key used by attackers ended up in any crash dump or snapshot, and failed to correct statements claiming this as the root cause "in a timely manner." Indeed, Microsoft did not roll back its story on how the key got into the hands of Storm-0558 until last month, when it amended its blog post and acknowledged it never located a crash dump containing the key.

Finally, Microsoft is generally lax in comparison to other cloud service providers (CSPs) when it comes to cloud security, failing to keep security controls to a similar standard, the board found. The company must level up immediately given that its ubiquitously used products "underpin essential services that support national security, the foundations of our economy, and public health and safety," which in turn, requires Microsoft "to demonstrate the highest standards of security, accountability, and transparency," officials concluded.

A Microsoft spokesperson said that the company appreciates the work of the board to investigate the attack, and that in its aftermath the company has recognized a"a need to adopt a new culture of engineering security in our own networks."

To that end, Microsoft unveiled what it's calling a Secure Future Initiative, to mobilize its engineering teams to identify and mitigate legacy infrastructure, improve processes, and enforce security benchmarks.

"Our security engineers continue to harden all our systems against attack and implement even more robust sensors and logs to help us detect and repel the cyber-armies of our adversaries," the spokesperson said, adding that Microsoft will also take into consideration any additional recommendations by the board.