These incidents occurred as security experts were increasingly criticizing Microsoft for failing to fix defects in its products quickly and properly. As by far the largest technology provider to the US government, Microsoft's vulnerabilities represent the lion's share of both recently discovered and most widely used software failures. Many experts say Microsoft is refusing to make the cybersecurity improvements necessary to keep up with evolving threats.
Microsoft has not “adapted its level of security investment and mindset to adapt to the threat,” says a leading cyber policy expert. “It’s a big blunder by someone who has the resources and internal engineering capabilities that Microsoft has.”
The Department of Homeland Security's Cyber Safety Review Board (CSRB) supported this view in its new report on the 2023 Chinese intrusion, saying Microsoft exhibited "a corporate culture that deprioritized both enterprise security investments and rigorous risk management." The report also criticizes Microsoft for publishing inaccurate information about the possible causes of the latest Chinese intrusion.
The recent breaches reveal Microsoft's failure to implement basic security defenses, according to several experts.
Adam Meyers, senior vice president of intelligence at security firm CrowdStrike, points to the Russians' ability to move from a test environment into a production environment. "That should never happen," he says. Another cyber expert who works at a Microsoft competitor highlighted China's ability to spy on the communications of multiple agencies through a single intrusion, echoing the CSRB report, which criticized Microsoft's authentication system for allowing broad access with a single login key.
“You don’t hear about these types of breaches coming from other cloud providers,” Meyers says.
According to the CSRB report, Microsoft “has not given sufficient priority to restructuring its legacy infrastructure to address the current threat landscape.”
In response to written questions, Microsoft tells WIRED that it is aggressively improving its security to address recent incidents.
“We are committed to adapting to the changing threat landscape and partnering with industry and government to defend against these growing and sophisticated global threats,” says Steve Faehl, chief technology officer of Microsoft’s federal security business.
As part of its Secure Future Initiative launched in November, Faehl says, Microsoft has improved its ability to automatically detect and block abuse of employee accounts, has begun scanning for more types of sensitive information in network traffic, has reduced the access granted by individual authentication keys, and has created new authorization requirements for employees seeking to create company accounts.
Microsoft has also redeployed “thousands of engineers” to improve its products and has begun calling on senior executives for status updates at least twice a week, Faehl says.
The new initiative represents Microsoft’s “roadmap and commitments to respond to much of what the CSRB report considered priorities,” Faehl says. Still, Microsoft does not accept that its security culture is broken, as the CSRB report maintains. “We don’t agree with this characterization,” says Faehl, “although we do agree that we haven’t been perfect and we have work to do.”
An ‘addiction’ to security income
Microsoft has earned special enmity from the cybersecurity community for charging its customers extra for better security protections, such as threat monitoring, antivirus, and user access management. In January 2023, the company touted that its security division had surpassed $20 billion in annual revenue.
"Microsoft has come to consider cybersecurity as something that should generate revenue for them," says Juan Andrés Guerrero-Saade, associate vice president of research at security firm SentinelOne. His colleague Alex Stamos recently wrote that Microsoft's "addiction" to this revenue "has seriously distorted their product design decisions."