
CISA Cybersecurity Board Criticizes Microsoft for Preventable Exchange Online Breach

A US government report blames lax security at Microsoft for a Chinese cyberattack that breached US officials' email.


The Cybersecurity and Infrastructure Security Agency Cyber Safety Review Board has concluded that the June 2023 breach of Microsoft’s Exchange Online service, which compromised accounts of senior US officials, could have been prevented. The breach was attributed to a China-linked group known as “Storm-0558.” The board’s findings highlight significant lapses in Microsoft’s information security culture and cloud security precautions, prompting a call for urgent reforms within the company.

Details of the Breach

The breach was facilitated by outdated key rotation practices within Microsoft’s identity management system, the Microsoft Services Account (MSA), which lacked automated signing key rotation or deactivation. This oversight allowed Storm-0558 to use a key from 2016, granting them access to Outlook Web Access for consumers and subsequently to enterprise email accounts, including those of the US State Department. The attackers were able to steal approximately 60,000 emails containing sensitive diplomatic discussions.
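The failure the board describes is a signing key that remained trusted years after it should have been retired. The following added example (not Microsoft's code, and using an HMAC stand-in rather than the real MSA token format) shows a verifier that enforces both controls the report says were missing: a maximum key age and an explicit deactivation flag, so a token is refused even when its signature is mathematically valid. The key set, the 90-day policy and the evaluation time are all constructed for illustration.

```python
import base64, hashlib, hmac, json
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE = timedelta(days=90)  # assumed rotation policy, not Microsoft's
NOW = datetime(2023, 6, 15, tzinfo=timezone.utc)  # constructed evaluation time

# Constructed key set: a stale 2016 key that was never retired, and a current one.
KEYS = {
    "key-2016": {"secret": b"constructed-old-secret",
                 "created": datetime(2016, 4, 1, tzinfo=timezone.utc), "active": True},
    "key-2023": {"secret": b"constructed-current-secret",
                 "created": datetime(2023, 5, 1, tzinfo=timezone.utc), "active": True},
}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_token(kid: str, claims: dict) -> str:
    """Mint a header.body.signature token signed with the named key."""
    header = _b64(json.dumps({"alg": "HS256", "kid": kid}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(KEYS[kid]["secret"], f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"

def deactivate(kid: str) -> None:
    """Revoke a key: tokens it signed must be refused from this point on."""
    KEYS[kid]["active"] = False

def verify_token(token: str, now: datetime) -> tuple[bool, str]:
    """Accept only tokens signed by a key that is known, active and within its rotation window."""
    header_b64, body_b64, sig_b64 = token.split(".")
    kid = json.loads(_unb64(header_b64)).get("kid")
    key = KEYS.get(kid)
    if key is None or not key["active"]:
        return False, "unknown or deactivated key"
    if now - key["created"] > MAX_KEY_AGE:
        # Lifetime check runs before the signature check: a stale key is never trusted.
        return False, "key past rotation deadline"
    expected = hmac.new(key["secret"], f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64(expected), sig_b64):
        return False, "bad signature"
    return True, "ok"

if __name__ == "__main__":
    print(verify_token(sign_token("key-2023", {"sub": "alice"}), NOW))  # (True, 'ok')
    print(verify_token(sign_token("key-2016", {"sub": "alice"}), NOW))  # stale key refused
```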

Recommendations for Improvement

The board recommends a series of actions for Microsoft, including a public commitment by its CEO and board of directors to a security-focused culture change, prioritizing security over feature development, and ensuring security risks are fully addressed before deploying new features. These recommendations come in response to what the board describes as a “cascade of Microsoft’s avoidable errors.”

Microsoft’s response to the incident, the “Secure Future Initiative,” has been criticized for lacking senior-executive oversight and for relying too heavily on AI for security improvements. The report suggests that Microsoft has deviated from the principles outlined by its founding CEO, Bill Gates, in his 2002 memo on Trustworthy Computing, which emphasized prioritizing security and privacy over new features. The incident and the subsequent review underscore the critical need for Microsoft to reassess its approach to security, especially in light of the increasing sophistication of cyber threats.

Last Updated on November 7, 2024 9:15 pm CET

Source: CISA

Luke Jones
Luke has been writing about Microsoft and the wider tech industry for over 10 years. With a degree in creative and professional writing, Luke looks for the interesting spin when covering AI, Windows, Xbox, and more.
