The heads of the Justice Department, the Cybersecurity and Infrastructure Security Agency, and the Federal Trade Commission received a letter on July 27 from US Sen. Ron Wyden (D-Ore.) asking them to hold Microsoft responsible for "negligent security practices."
This comes after a Microsoft 365 breach in which Chinese government hackers were able to access the email accounts of 25 organizations. Microsoft asserted that the compromise occurred through three exploited vulnerabilities in its Exchange Online email service and Azure Active Directory. According to a Microsoft blog post, the "China-based threat actor with espionage objective" began using forged authentication tokens on May 15 to access the emails. Microsoft blocked the malicious campaigns after a customer made the company aware and directly notified the affected customers — though another security firm recently said that many other Azure AD applications could also be at risk.
Now, Sen. Wyden believes that Microsoft is withholding key information about the hack, because Microsoft has gone to great lengths to avoid saying that its infrastructure was breached by threat actors.
The letter, which is four pages long, notes that this espionage operation is not the first time a foreign government has tried to hack the US government's emails, citing the 2020 SolarWinds hacking campaign.
"Microsoft never took responsibility for its role in the SolarWinds hacking campaign. It blamed federal agencies for not pushing it to prioritize defending against the encryption key theft technique used by Russia, which Microsoft had known about since 2017. It blamed its customers for using the default logging settings chosen by Microsoft, and then blamed them for not storing the high-value encryption keys in a hardware vault," Wyden stated in his letter. "Holding Microsoft responsible for its negligence will require a whole-of-government effort."
He goes on to list actions that the heads of the different departments need to take to hold Microsoft accountable for this latest breach, though it is too soon to tell whether the individuals named in his letter — CISA Director Jen Easterly, Attorney General Merrick Garland, and FTC Chair Lina Khan — will heed his requests.