Microsoft fears that hackers from U.S. adversaries China and Russia will work together on devastating cyberattacks and collaborate with Iran and North Korea when the opportunity arises.
The Big Tech company is reeling from a China-linked hack that compromised the emails of its U.S. government clients last year, and it attempted to defend itself against sharp criticism at a House Homeland Security Committee hearing Thursday.
With congressional scrutiny mounting, Microsoft President Brad Smith told lawmakers about 47 million “phishing” raids on his company’s network and employees in the past year.
Russia and China work together in military and intelligence, Mr. Smith said in written testimony to the House panel, and are closely connected with Iran and North Korea.
Mr. Smith predicted that these real-world partnerships would expand into cyberspace.
“This is grave at multiple levels. It’s one thing to engage in cyber combat with four separate nation-state adversaries but quite another scenario if two or all four of these countries work in tandem,” Mr. Smith said. “This mounting danger is qualitative as well as quantitative.”
Russia and China have sophisticated complementary capabilities involving software engineering, computational resources and machine learning. Microsoft said these skills are more treacherous when combined.
“The greater danger for the United States and our allies is that these countries will not just combine forces but build up each other’s cyberattack capabilities as they do so,” Mr. Smith said. “Unfortunately, this is where the future is likely going.”
Mr. Smith said his company detects 345 million cyberattacks against its customers daily but has missed vulnerabilities that have exposed the private communications of top government officials.
Hackers suspected to be from China accessed Microsoft Exchange Online mailboxes in May and June 2023, including email accounts for Commerce Secretary Gina Raimondo and Rep. Don Bacon, Nebraska Republican, according to a federal board of cybersecurity investigators.
Frustration and fixes
Rep. Bennie Thompson, Mississippi Democrat, expressed frustration that the U.S. government, not Microsoft, first discovered the China-connected hack.
He bristled at the Microsoft executive’s dismissal of the government’s discovery as “the way it should work.”
“It’s not our job to find the culprits. That’s what we’re paying you for,” Mr. Thompson told Mr. Smith.
Mr. Smith said Microsoft accepted responsibility for the problems detailed by the Cyber Safety Review Board in March and was working to implement fixes.
“We acknowledge that we can and must do better, and we apologize and express our deepest regrets to those who have been impacted,” he said. “This is the message I have conveyed personally when talking with individuals impacted in our government, as well as elsewhere.”
Some lawmakers questioned Mr. Smith’s sincerity. They noted Microsoft’s continued work in China despite the China-connected hack of the U.S. government.
Rep. Carlos Gimenez, Florida Republican, said he particularly doubted Mr. Smith’s representation of Microsoft as safe from Chinese Communist Party influence.
“I just don’t trust a word you’re saying to me, OK?” Mr. Gimenez told Mr. Smith. “You’re operating in China, you have a cozy relationship in China, you’re there, they allow you to be there.”
Some Microsoft vulnerabilities come from poor attention to detail. An unprotected Microsoft Azure server holding 3 terabytes of government data was exposed last year.
Some of that spilled data included U.S. military emails. Cybersecurity researcher Anurag Sen shared some of his discoveries with The Washington Times.
With multiplying problems at Microsoft, some lawmakers fear the U.S. government is too dependent on the company for security.
Sens. Eric Schmitt, Missouri Republican, and Ron Wyden, Oregon Democrat, have expressed concern that the Pentagon may soon mandate the use of Microsoft products. They said last week that they wrote to the Defense Department warning that such a dependence could halt innovation and waste taxpayer money.
• Ryan Lovelace can be reached at rlovelace@washingtontimes.com.