How Microsoft's security flaws leave America vulnerable

The company is the cornerstone of federal IT, but there are big questions, including in Congress, over its ability to cope with cyberattacks from Russia and China

Travellers from France wait on their delayed flight on the check-in floor of the Delta Air Lines terminal at Los Angeles International Airport (LAX) on July 23, 2024, in Los Angeles, California.
Mario Tama / GETTY


In today's interconnected world, the role of major technology companies in the national security of the United States is coming under increasing scrutiny. One name stands out: Microsoft. It is a global leader in software, cloud computing, and artificial intelligence and has become both a vital player and a potential major risk factor for the US.

The worries stem from the breadth and depth of the company’s role within the federal government’s IT infrastructure. According to former White House cybersecurity director Andrew Grotto, recent security lapses at Microsoft go beyond technical failings and have become a full-blown national security concern.

Microsoft’s dominance over government systems has hindered federal agencies' ability to manage and mitigate security breaches – such as the SolarWinds attack – which compromised key elements of the US legal system and breached at least one email account in the attorney general’s office.

Despite generating substantial revenue from its security services, Microsoft has been slow to implement basic security measures without significant pressure from the government. Combined with recent cyberattacks by foreign entities, which have exploited Microsoft products, these lapses highlight the urgent need for greater scrutiny and competition in the software market for government and public service applications.

For as long as its dominant status minimises competition for government contracts, Microsoft lacks incentive to significantly improve its systems’ security, even as it earns billions of dollars of revenue from public contracts. Grotto stressed that even securing minor concessions from the company has been a major challenge for federal agencies, particularly in the aftermath of high-profile breaches, which have created alarm within the government at the extent of the vulnerability to cyberattacks.

The government’s contracting out of services to the private sector has made Microsoft and its Windows operating system the biggest and most critical part of computer infrastructure across federal agencies. It operates a large swathe of the IT needed to keep the state functioning, including data centres that run everything from official databases to diplomats’ emails. Outsourcing to the private sector should make government more cost-effective and efficient.

The contracts granted come with stringent security and confidentiality conditions. Once met, the government allocates a budget to execute the project within a specified period, often renewing the contract as needed. Such contracts can be highly profitable, prompting fierce competition among companies to secure them.

Microsoft has established itself as one of the biggest government contractors, both in terms of the market value of its deals—which runs to billions of dollars annually—and in terms of employee numbers. It is a major custodian and manager of the government’s cloud computing systems and federal email facilities. That means, if and when Microsoft is breached, much critical government infrastructure is at risk.

A simulation drawing of people working on computers and smartphones in front of the Microsoft logo.
Reuters

Such breaches can also impact international power dynamics, as technology has become a crucial factor in global politics. In recent years, Microsoft has suffered several significant breaches, primarily by Chinese and Russian groups, with catastrophic consequences. The emails of key figures, including the Secretary of Commerce, the American ambassador to China, and numerous American diplomats, were among the most severely compromised.

It was once unthinkable that the security of such sensitive figures could be at risk, but now Microsoft has found itself at the centre of national security concerns amid uproar over the breaches.


Chinese and Russian attacks

The firm has been the target of specific attacks over the last four years. In 2021, Microsoft announced that a hacking group operating in China, known as "Hafnium," had breached its email servers. The data of over 30,000 individuals and entities in the United States and around 200,000 worldwide were compromised.

The hackers exploited a previously unknown vulnerability in three phases: first, they gained access to the servers using stolen passwords; then they established a command-and-control (C2) system over the breached servers; finally, by remotely controlling the US-based servers, they were able to steal data.

This was not the only incident involving China-backed hackers targeting Microsoft. In the summer of 2023, Chinese hackers exploited another vulnerability in Microsoft’s email system to access sensitive information from the federal government. High-profile officials whose emails were breached included Secretary of Commerce Gina Raimondo, Ambassador to China Nicholas Burns, Assistant Secretary of State for East Asia Daniel Kritenbrink, and hundreds of State Department diplomats.

The hackers specifically targeted an unclassified government email system, which was widely regarded as vulnerable to breaches. At the time, the Biden administration believed that the Chinese operation provided Beijing with critical insights into US strategies before Secretary of State Antony Blinken’s high-risk visit to China in June 2023.

The tactics used in that attack bear striking similarities to previous operations. US intelligence agencies connected it with a past campaign known as Operation Aurora. It was first discovered in late 2009 when Google revealed it had been the target of a sophisticated cyberattack. Aurora targeted several major organisations, including Google, Adobe, and other companies in sensitive industries, with the apparent goal of stealing intellectual property and accessing corporate secrets.

The attacks were linked to Chinese cyber-espionage groups known for their advanced capabilities. While the extent of the Chinese government's links to these attacks remains unclear, evidence suggests that they were either directly involved or, at the very least, aware of the campaign. The attackers employed sophisticated techniques such as phishing emails and exploiting software vulnerabilities to infiltrate networks. Once inside, they were able to access and extract sensitive information.

Operation Aurora had a significant impact, highlighting vulnerabilities in corporate and government networks and sparking increased efforts to bolster cybersecurity defences. In response, many affected organisations enhanced their security. Aurora raised broader awareness of the growing threat posed by state-sponsored cyber espionage. These revelations spurred international discussions about the need for stronger cybersecurity standards and coordinated responses to such attacks.


China is not the only nation conducting cyberattacks. Russia has also shown its capabilities, most notably through the infamous "SolarWinds" attack led by Russian intelligence. In this attack, malicious actors turned a routine software update for SolarWinds' Orion software into a vehicle for chaos by injecting malicious code into it. This code acted as a backdoor, allowing the attackers to infiltrate approximately 18,000 computers across the US.

For the attack to succeed, two conditions had to be met: first, the victim had to download the compromised update, and second, the targeted device needed to be connected to the internet, enabling the attackers to control it remotely. Following the attack, cybersecurity teams launched investigations to understand the breach and mitigate the damage.

But these efforts did not prevent the attackers from accessing confidential information and communications involving federal officials and entities, including the Department of Homeland Security, through Microsoft's contracting system with the government.

Congressional scrutiny

Midway through the year, the House Homeland Security Committee questioned Microsoft President Brad Smith regarding the company's plans to address the security flaws that had allowed repeated cyberattacks on federal officials.

Lawmakers criticised Microsoft's practices in securing data and protecting the email inboxes of hundreds of thousands of federal employees. Smith faced intense scrutiny over the company's cybersecurity vulnerabilities, which allowed nation-state hackers to penetrate its email systems.

During his testimony, Smith focused on two major hacking incidents. The first, attributed to Chinese cyber agents, targeted senior officials in two areas of government, the Department of State and the Department of Commerce.

The second breach, carried out by Russian hackers, further compromised additional government communications. In his opening remarks, Smith took full responsibility for the breaches, acknowledging the company's shortcomings, as detailed in a critical report by the Cybersecurity Review Board. The report, issued in April, highlighted Microsoft's inadequate cybersecurity measures, particularly in the management of authentication keys. Expressing regret, Smith stated: "Microsoft is responsible for every issue mentioned in the Internet Security Review Committee report, without equivocation or hesitation."

Smith's comments followed revelations that Microsoft had initially misrepresented key aspects of the breaches. The company had previously claimed that the passkey used by the attackers was located inside a troubleshooting file, a narrative later updated amid mounting scrutiny.

Lawmakers, including the committee's Chairman Mark Green, a Republican from Tennessee, chastised Microsoft for failing to implement basic cybersecurity practices that could have prevented these breaches: "By any measure, this cyber intrusion was not sophisticated. It did not involve advanced cutting-edge techniques. Instead, it exploited basic, well-known vulnerabilities that could have been avoided with proper cyber hygiene."

The session also scrutinised Microsoft's global operations, particularly its business dealings in China. Smith defended the company's presence there, highlighting its data centres and research labs supporting multinational corporations. However, he faced tough questions regarding compliance with China's 2017 National Intelligence Law, which mandates that companies assist in intelligence gathering. Congressman Carlos Gimenez pressed Smith on whether the potential risks of operating in China outweighed the benefits.

Congressman Bennie Thompson cited a ProPublica report revealing that a Microsoft whistleblower had previously warned the company about vulnerabilities later exploited in the Russia-linked SolarWinds breach. Thompson criticised Microsoft for disregarding these warnings in favour of maintaining its federal business relationships, stating, "It's not our job to find the culprits. That's what we are paying you for."

Attractive target

Microsoft is a cornerstone of the federal government's digital infrastructure, making it an attractive target for cyberattacks by hostile entities like China and Russia. With such attacks becoming more frequent and their impact on national security more profound, there are increasing calls for a reassessment of Microsoft's role and responsibility in safeguarding sensitive data.

The recurring breaches expose critical flaws in Microsoft's systems and cast doubt on the company's ability to adequately secure government systems. The federal contracting system, in particular, needs stronger security provisions to ensure that contracted companies meet the highest standards of protection.

To rise to these challenges, Microsoft and the US government must collaborate to develop more effective technological solutions and robust security policies to prevent the leakage of sensitive information and better safeguard American national security.

The consequences of these hacking incidents have brought increased scrutiny from Congress regarding Microsoft's broad role in federal IT infrastructure. As investigations into Microsoft's cybersecurity practices continue, the tech giant faces mounting pressure to rebuild trust and demonstrate a stronger commitment to protecting sensitive data.
