TLDR:
- A federal review board demanded that Microsoft prioritize its cloud security and stop pushing the burden onto customers after a breach.
- The report blamed Microsoft for last year’s breach, in which Chinese threat actors hacked email accounts of key government officials.
A federal review board has criticized Microsoft for its “inadequate” cloud security posture, putting the blame on the company for a breach that allowed Chinese threat actors to hack email accounts of key government officials. The report by the independent Department of Homeland Security (DHS) Cyber Safety Review Board called on Microsoft to prioritize cybersecurity and make significant revisions to its cloud security position. The board demanded that Microsoft’s CEO and Board of Directors focus on the company’s security culture and develop a plan for fundamental security reforms.
The blame for the breach, which allowed China-based threat group Storm-0558 to access email accounts of government officials, was placed solely on Microsoft. The company was criticized for a series of security failings that led to the cyber espionage attack. Microsoft has since recognized the need to adopt a new culture of engineering security within its networks and has launched a Secure Future Initiative to address legacy infrastructure and improve security processes.
The board recommended that Microsoft prioritize security over product innovation, hold leaders accountable for security implementation, and stop making customers pay for security-related logging. It also urged Microsoft to raise its cloud security to a higher standard, given the critical nature of its products, which support essential services.