Washington – A scathing review by the US Cyber Safety Review Board found that Microsoft made a series of “avoidable errors” that allowed Chinese hackers to breach the company’s network last year. The hackers were able to access the email accounts of senior US officials, including the secretary of commerce. The report, released by a group of government and private cybersecurity experts led by the Department of Homeland Security, highlighted the preventable nature of the hack.
The review board specifically faulted Microsoft for not adequately protecting a sensitive cryptographic key, which allowed the hackers to remotely sign into Outlook accounts by forging credentials. The report concluded that Microsoft’s security culture was inadequate and in need of an overhaul due to the company’s centrality in the technology ecosystem.
The breach caused turmoil in Washington and granted Chinese operatives access to the unclassified email accounts of senior US diplomats. Around 60,000 emails were downloaded from the State Department alone by the hackers. The incident also involved breaches of the email accounts of Secretary of Commerce Gina Raimondo and US Ambassador to China Nicholas Burns.
Following the alleged Chinese hacking incident, Microsoft announced plans to enhance its security practices for developing software and protecting users. The company expressed its commitment to reviewing the board’s recommendations and implementing measures to strengthen its systems against cyber threats.
The hack last summer was part of a series of cyber-espionage campaigns linked to China and Russia that targeted US national security interests. The US government faces a critical juncture with its IT service providers, emphasizing the need for improved cybersecurity measures to prevent future attacks.
Cory Simpson, CEO of the Institute for Critical Infrastructure Technology, urged the US government to use the CSRB report as a catalyst for meaningful change in its relationship with Microsoft. The cybersecurity landscape continues to evolve, underscoring the importance of proactive measures to safeguard against cyber threats.