MICROSOFT PUTS PROFITS BEFORE CYBERSECURITY

Recent investigative reporting by ProPublica brought to light another example of a corporation putting profit before the well-being of its customers. Microsoft put making profits, through securing a place as an industry leader in cloud computing, ahead of keeping its customers safe from cyberattacks – with very detrimental results.

(Note: If you find my posts too long to read on occasion, please just skim the bolded portions. Thanks for reading my blog!)

You may remember the “SolarWinds” cybersecurity breach by Russian hackers that was revealed in 2020. It was one of the largest cyberattacks on U.S. government agencies and private businesses ever. The hackers penetrated the SolarWinds corporation’s software in 2019 and used it to gain access to the computer systems of multiple companies and U.S. government agencies. They got sensitive data from the National Nuclear Security Administration, which oversees U.S. nuclear weapons. They accessed the National Institutes of Health (NIH) as it was working to contain the Covid virus and develop a vaccine for it. They gained access to the email accounts of senior officials at the Treasury Department.

In 2021, Microsoft President Brad Smith testified before Congress that although all the affected companies and government agencies used Microsoft software and cloud computing services, no Microsoft vulnerability or flaw had been exploited in the SolarWinds cybersecurity breach. He said the customers should have done more to protect themselves.

Recent investigative reporting by ProPublica has shown this to be a lie and, moreover, that Microsoft had been warned multiple times, years earlier, about a software flaw that was taken advantage of in the cyberattack. [1] In 2016, Microsoft engineer and cybersecurity expert Andrew Harris identified a flaw in a Microsoft software product. The flaw allowed a hacker who had gained access to an individual’s local computer at a Microsoft customer to steal the keys needed to access a broad range of programs and networks. These included Microsoft products that provided remote computing services and data storage to multiple customers, a service called “cloud computing.” Millions of users of these Microsoft products, including federal government agencies and employees, were vulnerable.

In 2016, Harris reported the flaw to Microsoft’s Security Response Center and to the product’s manager, who agreed it was a significant flaw but did not feel it was urgent to address it. Harris suggested a simple fix that would require users of the Microsoft product to log on a second time to access other programs and networks, including cloud computing systems. This was rejected because it would inconvenience customers and hurt marketing of the product, for which the single-logon capability was a key selling point.

Harris personally contacted some sensitive Microsoft customers he worked with to inform them of the flaw and their vulnerability. For example, he worked with the New York Police Department to implement the fix he had recommended. [2]

In November 2017, a private cybersecurity firm, CyberArk, identified the same flaw. It reported it publicly after having notified Microsoft about it twice with no response. In 2018, another Microsoft engineer identified a related flaw that made the flaw Harris had identified even more serious.

In 2019, another private cybersecurity firm, Mandiant, after notifying Microsoft but getting no response, publicly demonstrated the use of the flaw to gain access to cloud computing services.

Nonetheless, in 2021, after the SolarWinds cyberattack had given Russian hackers access to Microsoft’s cloud computing services and customers’ data and emails, as noted above, Microsoft President Brad Smith testified (untruthfully) before Congress that no Microsoft vulnerability or flaw had been exploited in the SolarWinds cybersecurity breach.

Harris, frustrated by the failure of Microsoft to address the flaw he’d identified, left Microsoft in August 2020, before the SolarWinds cyberattack became publicly known. He publicly stated that Microsoft’s “decisions [were] not based on what’s best for Microsoft customers but on what’s best for Microsoft.”

Some context for Microsoft’s behavior, as well as steps that should be taken to stop the corporate practice of putting profits before all else, will be in my next post.

[1] ProPublica, 6/18/24, “Nine takeaways from our investigation into Microsoft’s cybersecurity failures” (https://www.propublica.org/article/microsoft-solarwinds-what-you-need-to-know-cybersecurity)

[2] Dudley, R., with Burke, D., 6/13/24, “Microsoft president grilled by Congress over cybersecurity failures,” ProPublica (https://www.propublica.org/article/microsoft-solarwinds-cybersecurity-house-homeland-security-hearing)
