This article was initially published by ProPublica.

Examining the security practices of the world’s most prominent software provider.

Following a significant cyber espionage attack by Russian intelligence on US government institutions, the Biden administration established a new review board to investigate the incident and inform the public of its findings.

Malicious actors linked to a foreign state infiltrated SolarWinds, a US-based software provider that caters to the government and numerous American businesses. Utilizing a flaw in a Microsoft product, the perpetrators breached the National Nuclear Security Administration, National Institutes of Health, and the Treasury Department in what Microsoft President Brad Smith described as “the most massive and sophisticated breach ever seen.”

An executive order from the president in May 2021 established the Cyber Safety Review Board and tasked it with investigating the SolarWinds attack.

For reasons that remain unclear, this investigation never materialized.

The board also did not examine the SolarWinds incident in its subsequent report.

For its third report, the board scrutinized a separate 2023 cyberattack in which Chinese state hackers exploited vulnerabilities in Microsoft’s security protocols to access the email accounts of high-ranking federal officials.

A comprehensive and transparent examination of the SolarWinds breach could have had severe repercussions for Microsoft. An exposé by ProPublica revealed that Microsoft had been aware of a critical flaw used in the breach but neglected to address it. This lack of action was attributed to a corporate environment at Microsoft that prioritized profits over security, according to a whistleblower.

The creation of the board aimed to tackle the severe threats posed by adept hackers breaching government and corporate networks, plundering sensitive data, proprietary information, and personal records.

For years, the cybersecurity community advocated for a cybersecurity equivalent of the National Transportation Safety Board—an independent agency mandated by law to investigate and publish reports on the causes and insights from major aviation incidents. The NTSB, funded by Congress and staffed by industry-independent experts, conducts public hearings and issues reports that drive industry change and regulatory action by bodies like the Federal Aviation Administration.

However, the Cyber Safety Review Board has taken a divergent path.

Rather than being fully independent, the board operates under the Department of Homeland Security. Rob Silvers, the board’s chair, serves as a Homeland Security undersecretary. The vice chair is a leading security executive at Google. The board has no dedicated staff, no subpoena authority, and no specific funding.

Silvers informed ProPublica that the DHS chose not to conduct an independent review of SolarWinds based on the belief that the incident had already undergone thorough examination by both public and private entities.

“We intend to direct the board’s focus towards reviews where substantial insights and lessons can still be extracted through investigation,” mentioned Silvers.

Consequently, there has been no official government scrutiny of the unaddressed security flaw within Microsoft that was exploited by the Russian hackers. The SolarWinds reports did not identify or engage with the whistleblower who raised concerns about issues within Microsoft.

By declining to investigate SolarWinds, the board missed the chance to uncover the significant role Microsoft’s weak security culture played in the breach, and the opportunity to trigger measures that could have mitigated or thwarted the subsequent 2023 Chinese cyberattack, cybersecurity experts and elected officials told ProPublica.

“Effective oversight might have potentially prevented the most recent cyberattack,” remarked Senator Ron Wyden, a Democratic member of the Senate Select Committee on Intelligence. Wyden called for a review of SolarWinds by the board and urged the government to enhance its cybersecurity defenses.

In response to criticisms, a DHS spokesperson rejected the notion that an examination of SolarWinds could have unveiled Microsoft’s failures in time to prevent or reduce the impact of the Chinese state-sponsored attack in 2023. “The two incidents had distinctive characteristics, and we believe that probing SolarWinds would not necessarily have exposed the deficiencies detailed in the board’s latest report,” they stated.

Other board members either declined to comment, referred inquiries to the DHS, or did not respond to ProPublica.

In previous statements, Microsoft did not dispute the whistleblower’s allegations but underscored its dedication to security. “Ensuring the security of our customers is paramount,” a Microsoft spokesperson said previously. “Our security response team treats all security concerns with utmost seriousness, conducting thorough manual assessments and corroborating with engineering and security partners.”

The board’s failure to investigate the SolarWinds breach highlights concerns raised by critics, including Wyden, about whether a board composed mainly of federal officials can hold government agencies accountable for the lapses that lead to cyberattacks.

“I remain deeply apprehensive that a primary reason for the board’s avoidance of examining SolarWinds—despite presidential directives—is the potential exposure of significant negligence by the US government,” Wyden stated. He pointed out deficiencies in government cyberdefense that failed to detect the SolarWinds breach.

While the board did not investigate SolarWinds, Silvers said its handling of the matter was endorsed by the independent Government Accountability Office, which, in an April report assessing the executive order’s implementation, concluded that the board had fulfilled its obligation to conduct the review.

Cybersecurity experts found the GAO’s assessment perplexing. “Rob Silvers had claimed for some time that the CSRB adequately addressed the SolarWinds incident, but claims do not necessarily equate to reality,” noted Tarah Wheeler, the CEO of Red Queen Dynamics, a cybersecurity firm, and co-author of a report at the Harvard Kennedy School outlining a cyber NTSB model.

Although the board’s inquiries did not focus on SolarWinds, Silvers asserted that the board’s initial and subsequent reports led to significant governmental changes, such as new regulations from the Federal Communications Commission concerning mobile phones.

“The tangible outcomes resulting from the board’s work to date speak for themselves and affirm the wisdom of our subject choices for review,” Silvers stated.