Sen. Ron Wyden wants federal investigators to probe Microsoft’s cybersecurity services that the Oregon Democrat said enabled a China-linked hack of the Biden administration.
China-based cyberattackers stole email data in a hacking campaign this year directed at the U.S. government that disrupted the Commerce Department, according to government officials and Microsoft.
As federal officials investigate those breaches, Mr. Wyden said Microsoft deserves most of the blame. He made that case in a letter to federal agencies last week, requesting that they hold the Big Tech company accountable.
“While Microsoft’s engineers should never have deployed systems that violated such basic cybersecurity principles, these obvious flaws should have been caught by Microsoft’s internal and external security audits,” the senator wrote. “That these flaws were not detected raises questions about what other serious cybersecurity defects these auditors also missed.”
Mr. Wyden’s public plea for the Justice Department, Federal Trade Commission, and the Cybersecurity and Infrastructure Security Agency to investigate Microsoft is not the result of a single cyber debacle.
Microsoft previously provided substandard cybersecurity services, according to Mr. Wyden.
“Microsoft never took responsibility for its role in the SolarWinds hacking campaign,” Mr. Wyden wrote. “It blamed federal agencies for not pushing it to prioritize defending against the encryption key theft technique used by Russia, which Microsoft had known about since 2017.”
The Russia-attributed hack of SolarWinds computer network management software hit nine federal agencies and was publicly disclosed in 2020.
In response to the breaches, Microsoft President Brad Smith told the Senate Select Committee on Intelligence in 2021 that people who want better cybersecurity should move to cloud computing services.
“Microsoft’s customers heard the message — it is too hard to secure these keys on your own servers, so let Microsoft do it for you,” Mr. Wyden wrote. “In the three years since that high-profile hacking campaign, Microsoft’s cloud security business revenues have ballooned to over $20 billion a year.”
The U.S. government is a prominent client of Microsoft.
After Mr. Smith touted the cloud in February 2021, a COVID-19 spending bill directed $650 million to CISA. An unknown portion of the cyber spending in the COVID-19 bill reached Microsoft, with Reuters reporting the final tally may ultimately hit $150 million.
Microsoft’s security has left much to be desired for the U.S. government.
A Microsoft Azure server containing three terabytes of exposed data, including U.S. military emails, was discovered by cybersecurity researcher Anurag Sen this year. Mr. Sen shared some of the emails involving U.S. Special Operations Command with The Washington Times in February.
The Defense Department said it was investigating, and Mr. Sen said the server was likely not password-protected, probably because of human error.
Mr. Wyden said he has repeatedly urged the Homeland Security Department to study the SolarWinds incident. He said such a federal review might already have uncovered Microsoft’s “poor data security practices,” which could have helped prevent the most recent China-connected hack of the government.
“Holding Microsoft responsible for its negligence will require a whole-of-government effort,” Mr. Wyden said.
Asked about Mr. Wyden’s letter, Microsoft said the China-connected hack shows the complexity of responding to cyber breaches.
“This incident demonstrates the evolving challenges of cybersecurity in the face of sophisticated attacks,” the company said in a statement. “We continue to work directly with government agencies on this issue, and maintain our commitment to continue sharing information at Microsoft Threat Intelligence blog.”
• Ryan Lovelace can be reached at rlovelace@washingtontimes.com.