Congressional hearing will pit Microsoft’s actions vs. words in public grilling over security failures

By Todd Bishop
Microsoft President Brad Smith will testify Thursday before the U.S. House Committee on Homeland Security in a hearing titled, “A Cascade of Security Failures.” (GeekWire File Photo)

Microsoft President Brad Smith previewed his approach in prepared written testimony for his appearance Thursday before the U.S. House Committee on Homeland Security for a hearing about the company’s security failures.

“Before I say anything else,” he wrote, “I think it’s especially important for me to say that Microsoft accepts responsibility for each and every one of the issues cited in the CSRB’s report,” referencing an April report by the U.S. Cyber Safety Review Board (CSRB) that took Microsoft to task for its “inadequate” security culture.

Smith wrote that the company is committed to changing its ways. He cited evidence including Microsoft’s introduction last fall of its Secure Future Initiative, the more recent commitments by CEO Satya Nadella to put security above all else, and the company’s move to base part of senior executive compensation on security.

He said the company is committed to implementing each of the CSRB’s recommendations. He referenced, as an example, its move Friday to update the “Recall” feature on its Copilot+ PCs to address security concerns.

But if Microsoft is truly prioritizing security over new product features, why did it go forward with the Recall feature in the first place?

Microsoft has repeatedly promised to put security above features in the past, stretching back nearly 25 years — so what’s different this time?

And how can Microsoft justify making as much as $20 billion a year on security products, given these problems with its core software products and services?

Those are the types of questions that Smith will face during the hearing, titled, “A Cascade of Security Failures: Assessing Microsoft Corporation’s Cybersecurity Shortfalls and the Implications for Homeland Security.”

Like the CSRB report, the hearing will focus in part on a high-profile incident in May and June 2023, when the Chinese hacking group known as Storm-0558 is believed to have compromised the Microsoft Exchange Online mailboxes of more than 500 people and 22 organizations worldwide, including senior U.S. government officials.

While accepting responsibility and acknowledging Microsoft’s shortcomings, Smith put the issue in broader geopolitical context in his written testimony, citing the potential for China, Russia, Iran, and North Korea to not only act on their own but to collaborate in the future to potentially devastating effect.

Make no mistake, we are all in this together. The CSRB report was sparked by a successful Chinese attack on Microsoft, and we understand every day that we have by far the first and greatest responsibility to heed its words. We’re committed to doing so and to playing an indispensable leadership role in defending not just our customers, but this country and its allies. But no single company can protect a country and other nations from what is emerging as a cyberwar waged by four aggressive governments.

Whether or not this scrutiny makes a meaningful difference in the security of Microsoft’s products, the company’s competitors are hoping that it raises awareness of the issue, at least, and causes government officials and corporate decision-makers to rethink the choices they make when buying software and cloud services.

“Microsoft poses an especially acute national security risk given it has a dominant 85 percent market share in the U.S. government’s productivity software market, which makes the government dependent on Microsoft products including Outlook email, Word, Excel, Teams instant messaging, and the Azure cloud platform,” wrote NetChoice, a trade association whose members include Google and Amazon, in its own letter to the House Homeland Security Committee.

The hearing begins at 10:15 a.m. Pacific. It can be viewed here or above.

Stay tuned for updates, and read Smith’s full written testimony here.

https://ift.tt/0f1dPi5 June 13, 2024 at 02:56PM GeekWire