Upon Microsoft’s disclosure in January that overseas government hackers had once again infiltrated its systems, there was a renewed wave of criticism regarding the security stance of the largest tech company globally.

Despite the concerns among decision-makers, security specialists, and rivals, Microsoft did not face any repercussions for its recent lapse. The US government continued to procure and utilize Microsoft solutions, with top officials declining to publicly admonish the technology behemoth. This highlighted how shielded Microsoft has become from almost all governmental scrutiny, even as the Biden administration pledges to hold prominent tech corporations more accountable for safeguarding America’s cyber infrastructure.

This existing state of affairs is unlikely to shift following a recent evaluation by the Cyber Safety Review Board (CSRB), a consortium of governmental and business authorities, which strongly criticizes Microsoft for failing to prevent one of its most severe hacking incidents in recent memory. The report asserts that Microsoft’s “security culture was deficient and necessitates a complete revamp.”

Microsoft’s nearly invulnerable position is the outcome of various intertwined factors. It is undoubtedly the primary technology supplier for the US government, powering the computer systems, word processing, and email of agencies such as the Pentagon, the State Department, and the FBI. The company plays a pivotal role in the government’s cyber defense initiatives, possessing unique insight into cybercriminal activity and potent capabilities to disrupt it. Moreover, its executives and lobbyists have persistently positioned the firm as a leading advocate for a digitally secure world.

These enviable benefits elucidate why senior government officials have refrained from censuring Microsoft despite instances of Russian and Chinese government-affiliated hackers repeatedly penetrating the company’s networks, as outlined by cybersecurity experts, lawmakers, former government officials, and Microsoft’s competitors.

These individuals—some opting for anonymity to candidly weigh in on the US government and their industry’s unchallenged giant—argue that the US government’s association with Microsoft is hampering Washington’s capacity to defend against major cyber onslaughts endangering sensitive data and vital services. According to them, oversight of Microsoft is long overdue.

An account of breaches and disputes

Historically, Microsoft has grappled with security breaches, but recent years have been notably difficult for the company.

In 2021, Chinese government hackers unearthed and exploited vulnerabilities in Microsoft’s email servers to infiltrate the company’s users, subsequently making the vulnerabilities public to incite a flurry of attacks. In 2023, China breached the email accounts of 22 federal agencies, surveilling senior State Department officials and Commerce Secretary Gina Raimondo ahead of multiple US delegation visits to Beijing. Around three months ago, Microsoft uncovered that Russian government hackers had leveraged a simple strategy to access the emails of specific Microsoft executives, cybersecurity experts, and legal practitioners. Recently, the company admitted that this attack also compromised certain source code and confidential details exchanged between staff members and clients. The Cybersecurity and Infrastructure Security Agency (CISA) confirmed that these clients encompassed federal entities and issued an urgent directive urging affected agencies to monitor potential attempts by the Russian hackers to exploit login credentials obtained through those emails.

These occurrences unfolded as security pundits increasingly chastised Microsoft for its failure to promptly and effectively rectify flaws in its offerings. Because Microsoft is the primary technology supplier for the US government, flaws in its products account for the majority of both recently disclosed and widely exploited software vulnerabilities. Numerous experts argue that Microsoft is failing to implement the cybersecurity enhancements needed to keep pace with evolving threats.

According to a prominent cyber policy authority, Microsoft has not “aligned its security investment and mindset with the current threat landscape,” which represents a major failing for an entity with the extensive resources and internal engineering capabilities at Microsoft’s disposal.

The CSRB, which sits under the Department of Homeland Security, shares this sentiment: its latest report, on the 2023 Chinese cyber attack, highlights the company’s tendency to prioritize other aspects over enterprise security investments and robust risk management practices. The report also raised concerns about Microsoft disseminating incorrect information regarding the likely origins of that breach.

Security experts emphasize that the recent security breaches underscore Microsoft’s lax implementation of fundamental security measures.

Adam Meyers, the senior intelligence executive at CrowdStrike, noted that the Russian group was able to move from a test environment into a production environment, a scenario he deems unacceptable. Another cybersecurity specialist at a rival firm highlighted how China managed to eavesdrop on the communications of multiple agencies through a single breach, echoing the criticism in the CSRB report, which faulted Microsoft’s authentication mechanism for allowing a single login credential to grant such broad access.

“Breaches of this nature are rarely associated with other cloud service providers,” mentions Meyers.

Per the CSRB analysis, Microsoft has failed to prioritize the restructuring of its outdated infrastructure to align with the current threat environment.

Microsoft responded in writing, affirming its active efforts to enhance security in response to recent incidents.

“We are dedicated to adapting to the evolving threat landscape and collaborating with industry and government bodies to shield against these evolving and sophisticated global threats,” stated Steve Faehl, who heads Microsoft’s federal security division.

Faehl revealed that, as part of its Secure Future Initiative introduced in November, Microsoft has enhanced its capacity to automatically identify and prevent misuse of staff accounts, expanded scrutiny to include additional categories of sensitive data in network communications, limited the privileges associated with individual login keys, and established new authorization criteria for personnel seeking to create corporate accounts.

Microsoft has reassigned “numerous engineers” to revamp its products and now briefs senior management on progress at least twice a week, Faehl highlighted.

The new campaign embodies Microsoft’s “strategy and commitments to address many of the priorities outlined in the CSRB report,” Faehl maintained. Nonetheless, Faehl refuted the assertion made in the CSRB report that Microsoft’s security culture is flawed. “We strongly reject this portrayal,” Faehl asserted, “although we acknowledge our imperfections and room for improvement.”