The Cyber Safety Review Board (CSRB), convened under the Cybersecurity and Infrastructure Security Agency, has concluded that the 2023 breach of Microsoft’s Exchange Online service, detected in June 2023 and affecting the mailboxes of senior US officials, was preventable. The intrusion was attributed to a China-linked group tracked as “Storm-0558.” The board’s findings point to significant lapses in Microsoft’s security culture and in its cloud security controls, and call for urgent reforms within the company.
Details of the Breach
The intrusion hinged on a single signing key: a consumer key for Microsoft’s identity system, the Microsoft Services Account (MSA), issued in 2016 and still valid in 2023 because MSA had no automated rotation or deactivation of signing keys. With that key, Storm-0558 forged authentication tokens that were accepted by Outlook Web Access for consumer accounts. A flaw in Microsoft’s token validation then let tokens signed with a consumer key be accepted for enterprise accounts as well, which is how the attackers reached Exchange Online mailboxes including those of the US State Department. The attackers exfiltrated approximately 60,000 emails containing sensitive diplomatic discussions.
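The two controls that failed above (a signing key trusted long past its rotation date, and a verifier that did not check which audience a key was allowed to sign for) can be shown side by side in a token verifier. The following is an added example written for this page; it is not Microsoft’s code and does not reproduce MSA or Exchange Online internals. It uses HS256 over a constructed key store for self-containment, where the real system uses asymmetric keys; the key identifiers, secrets, dates and claim names are all assumptions chosen for illustration.

```python
import base64
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed key store for illustration only (not Microsoft's real keys or
# key identifiers). Each signing key records the audience it may sign for
# and a rotation deadline after which verifiers must stop trusting it.
KEY_STORE = {
    "consumer-2016": {
        "secret": b"consumer-signing-key-2016-constructed",
        "scope": "consumer",                        # may only sign consumer tokens
        "not_after": "2017-06-01T00:00:00+00:00",   # should have been retired here
    },
    "enterprise-2023": {
        "secret": b"enterprise-signing-key-2023-constructed",
        "scope": "enterprise",
        "not_after": "2024-01-01T00:00:00+00:00",
    },
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(kid: str, claims: dict, keys=KEY_STORE) -> str:
    """Mint an HS256 JWT-style token with the named key. An attacker holding a
    leaked secret can do exactly this; nothing in the token itself reveals it."""
    header = {"alg": "HS256", "kid": kid}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(keys[kid]["secret"], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def _check_signature(token: str, keys):
    """Look up the key named in the header and verify the MAC. The algorithm is
    fixed to HS256 here rather than read from the untrusted header."""
    head_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(head_b64))
    claims = json.loads(_b64url_decode(body_b64))
    key = keys.get(header.get("kid"))
    if key is None:
        return None, None, "unknown kid"
    expected = hmac.new(key["secret"], f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None, None, "bad signature"
    return key, claims, None


def verify_weak(token: str, keys=KEY_STORE):
    """Weak verifier: any key in the store is trusted for any audience, forever.
    A valid signature is the only thing it checks."""
    key, claims, err = _check_signature(token, keys)
    if err:
        return None, err
    return claims, "accepted"


def verify_strict(token: str, expected_scope: str, now: datetime, keys=KEY_STORE):
    """Hardened verifier: the key must be allowed to sign for this audience and
    must still be within its rotation window, and the token's own claims must
    name the same audience and not be expired."""
    key, claims, err = _check_signature(token, keys)
    if err:
        return None, err
    if key["scope"] != expected_scope:
        return None, "key scope mismatch"
    if now >= datetime.fromisoformat(key["not_after"]):
        return None, "signing key retired"
    if claims.get("aud") != expected_scope:
        return None, "audience mismatch"
    if now.timestamp() >= claims.get("exp", 0):
        return None, "token expired"
    return claims, "accepted"


def demo() -> dict:
    """Replay the shape of the incident: a 2016 consumer key used in 2023 to
    mint a token for an enterprise mailbox. Values are constructed."""
    now = datetime(2023, 6, 15, tzinfo=timezone.utc)
    exp = now.timestamp() + 3600
    forged = sign_token("consumer-2016", {"sub": "victim@example.gov", "aud": "enterprise", "exp": exp})
    stale_consumer = sign_token("consumer-2016", {"sub": "user@example.com", "aud": "consumer", "exp": exp})
    genuine = sign_token("enterprise-2023", {"sub": "user@example.gov", "aud": "enterprise", "exp": exp})
    return {
        "weak_forged": verify_weak(forged)[1],                              # "accepted"
        "strict_forged": verify_strict(forged, "enterprise", now)[1],       # "key scope mismatch"
        "strict_stale_consumer": verify_strict(stale_consumer, "consumer", now)[1],  # "signing key retired"
        "strict_genuine": verify_strict(genuine, "enterprise", now)[1],     # "accepted"
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The order of the checks in `verify_strict` matters for what a stolen key is worth: scoping rejects the cross-audience use even if the key were still current, and the rotation deadline rejects it even within its own audience. Either control alone would have blocked one leg of the attack described above; the weak verifier, which only checks that some known key produced a valid signature, blocks neither.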
Recommendations for Improvement
The board recommends a series of actions for Microsoft, including a public commitment by its CEO and board of directors to a security-focused culture change, prioritizing security over feature development, and ensuring security risks are fully addressed before new features ship. These recommendations respond to what the board describes as a “cascade of Microsoft’s avoidable errors.”
Microsoft’s response to the incident, the “Secure Future Initiative,” has been criticized for lacking oversight by senior executives and for an overreliance on AI for security improvements. The report suggests that Microsoft has drifted from the principles set out by its co-founder and then-CEO, Bill Gates, in his 2002 Trustworthy Computing memo, which called for security and privacy to take precedence over new features. The incident and the subsequent review underscore the need for Microsoft to reassess its approach to security, particularly given the increasing sophistication of the threats it faces.
Last Updated on November 7, 2024 9:15 pm CET