"Do better"

Microsoft in damage-control mode, says it will prioritize security over AI

Microsoft CEO Satya Nadella is now personally responsible for security flaws.

Ashley Belanger
Brad Smith, vice chairman and president of Microsoft, is sworn in before testifying about Microsoft's cybersecurity work during a House Committee on Homeland Security hearing on Capitol Hill in Washington, DC, on June 13, 2024. Credit: SAUL LOEB / Contributor | AFP

Microsoft is pivoting its company culture to make security a top priority, President Brad Smith testified to Congress on Thursday, promising that security will be "more important even than the company’s work on artificial intelligence."

Satya Nadella, Microsoft's CEO, "has taken on the responsibility personally to serve as the senior executive with overall accountability for Microsoft’s security," Smith told Congress.

His testimony comes after Microsoft admitted that it could have taken steps to prevent two aggressive nation-state cyberattacks from China and Russia.

According to Microsoft whistleblower Andrew Harris, Microsoft spent years ignoring a vulnerability while he proposed fixes to the "security nightmare." Instead, Microsoft feared it might lose its government contract by warning about the bug and allegedly downplayed the problem, choosing profits over security, ProPublica reported.

This apparent negligence led to one of the largest cyberattacks in US history, and officials' sensitive data was compromised due to Microsoft's security failures. The China-linked hackers stole 60,000 US State Department emails, Reuters reported. And several federal agencies were hit, giving attackers access to sensitive government information, including data from the National Nuclear Security Administration and the National Institutes of Health, ProPublica reported. Even Microsoft itself was breached, with a Russian group accessing senior staff emails this year, including their "correspondence with government officials," Reuters reported.

"We acknowledge that we can and must do better," Smith told Congress today, according to his prepared written testimony. "As a company, we need to strive for perfection in protecting this nation’s cybersecurity. Any day we fall short is a bad day for cybersecurity and a terrible moment at Microsoft."

To reinforce the shift in company culture toward "empowering and rewarding every employee to find security issues, report them," and "help fix them," Smith said that Nadella sent an email out to all staff urging that security should always remain top of mind.


“If you’re faced with the tradeoff between security and another priority, your answer is clear: Do security," Nadella's email said. "In some cases, this will mean prioritizing security above other things we do, such as releasing new features or providing ongoing support for legacy systems.” To ensure everyone's on board, Microsoft has also started tying executives' salary to meeting security goals.

Microsoft to adopt all the government’s recommendations

Smith was the only witness testifying at a House Committee on Homeland Security hearing, titled, "A Cascade of Security Failures: Assessing Microsoft Corporation’s Cybersecurity Shortfalls and the Implications for Homeland Security.”

He told Congress that Microsoft was following through on all 16 recommendations that the Cyber Safety Review Board (CSRB) made in a report that "identified a series of Microsoft operational and strategic decisions that collectively point to a corporate culture that deprioritized both enterprise security investments and rigorous risk management."

As part of those obligations, Microsoft has committed to stop charging for key security-related features like more granular logging that the CSRB said should be a core part of their cloud service. (Last July, Microsoft started shifting that culture by expanding cloud logging accessibility and flexibility to give customers "access to wider cloud security logs" at no additional cost.)

Smith also said that Microsoft was "pursuing new strategies, investing more resources, and fostering a stronger cybersecurity culture." That includes adding "another 18 concrete security objectives" beyond the CSRB recommendations and "dedicating the equivalent of 34,000 full-time engineers to what has become the single largest cybersecurity engineering project in the history of digital technology," Microsoft's Secure Future Initiative (SFI).

Microsoft also beefed up its security team, Smith said, adding "1,600 more security engineers this fiscal year" and planning to "add another 800 new security positions" in the next fiscal year. Additionally, the company's Chief Information Security Officer (CISO) will now run an office with senior-level deputy CISOs "to expand oversight of the various engineering teams to assess and ensure that security is 'baked into' engineering decision-making and processes."

Smith described the SFI as "a multiyear endeavor" that focuses all of Microsoft's efforts in developing products and services "on achieving the highest possible standards for security." He warned that online threats are always evolving but said that Microsoft was committed to grounding projects in core cybersecurity tenets that would prioritize security in product designs and ensure that protections are never optional and are always enabled by default.

This initiative is part of Microsoft's plan to win back trust after Smith and Microsoft previously did not seem to accept full responsibility for the Russian cyberattack. In 2021, Smith told Congress that “there was no vulnerability in any Microsoft product or service that was exploited” in that cyberattack, while arguing that "customers could have done more to protect themselves," ProPublica reported.

In an exchange with Senator Marco Rubio (R.-Fla.), Smith specified that customers could have paid for "an antivirus product like Microsoft Defender and securing devices with another Microsoft product called Intune," ProPublica reported.

Now, Smith told Congress Thursday, "Microsoft accepts responsibility for each and every one of the issues cited in the CSRB’s report. Without equivocation or hesitation. And without any sense of defensiveness."

Microsoft offers recommendations for regulators

The company has invited the Cybersecurity and Infrastructure Security Agency to attend a "detailed technical briefing" on SFI and Microsoft's other engineering objectives to explain "the specific ways we are implementing the CSRB’s recommendations," Smith said.

Smith repeatedly emphasized to Congress that Microsoft alone cannot solve the country's cybersecurity problems. Although he acknowledged that Microsoft has "by far the first and greatest responsibility" to heed the CSRB's report, "no single company can protect a country and other nations from what is emerging as a cyberwar waged by four aggressive governments," Smith said.

While some think that the US government's over-reliance on Microsoft is itself a problem, Smith suggested that the US government also bears some responsibility in strengthening cybersecurity protection.

"The cyber domain is becoming more lawless, dangerous, and hostile," Smith testified.

Smith suggested that the committee members could "do more in support of cyber defense" by funding critical cybersecurity programs, strengthening countermeasures, and "imposing appropriate punishment" and heavy fines to deter malicious activity.

"Cybersecurity protection requires a whole-of-industry and whole-of-society mission across multiple countries," Smith said. "Each of us can and must learn from each other and work together to protect cybersecurity for our nation and the world."

Microsoft’s response to whistleblower report

Harris, who left Microsoft over the lack of security culture and now works for a rival cybersecurity company called CrowdStrike, told ProPublica that previously Microsoft's customers, including the US government, "were never given the chance" to defend against known vulnerabilities.

“The decisions are not based on what’s best for Microsoft’s customers but on what’s best for Microsoft,” Harris told ProPublica.

Microsoft did not dispute ProPublica's report. Instead, the company provided a statement that almost seems to contradict Smith's testimony to Congress today by claiming that "protecting customers is always our highest priority.”

“Our security response team takes all security issues seriously and gives every case due diligence with a thorough manual assessment, as well as cross-confirming with engineering and security partners," Microsoft's spokesperson said, claiming that Microsoft's response when Harris flagged a major security risk "received multiple reviews and was aligned with the industry consensus.”

The spokesperson further explained that Microsoft historically has prioritized its "security response work by considering potential customer disruption, exploitability, and available mitigations.”

“We continue to listen to the security research community and evolve our approach to ensure we are meeting customer expectations and protecting them from emerging threats,” Microsoft's spokesperson said.

On Thursday, Smith apologized to Congress for Microsoft's security failures, saying that "a willingness to acknowledge our shortcomings and address problems head-on inspires us to learn from our mistakes and to apply the lessons we learn so we constantly can get better."

"We accept responsibility for the past and are applying what we’ve learned to help build a more secure future," Smith said, vowing that Microsoft would soon "establish stronger multi-layered defenses to counter the most sophisticated and well-resourced nation-state actors."

Microsoft will likely remain under the microscope while lawmakers weigh whether the cloud service provider can be trusted with safeguarding national security.

According to Reuters, US Representative Bennie Thompson (D-Miss.) told Smith that "Microsoft is one of the federal government's most important technology and security partners, but we cannot afford to allow the importance of that relationship to enable complacency or interfere with our oversight."

Ashley Belanger Senior Policy Reporter
Ashley is a senior policy reporter for Ars Technica, dedicated to tracking social impacts of emerging policies and new technologies. She is a Chicago-based journalist with 20 years of experience.