Microsoft 'Bears Responsibility' For China-Tied Hacks, Senator Says
Senator Ron Wyden sent a letter to heads of the Cybersecurity and Infrastructure Security Agency alleging that Microsoft “bears significant responsibility" over a breach of US officials' email accounts
In a scathing letter sent to key federal agencies, Senator Ron Wyden called for multiple investigations of Microsoft Corp. over a breach of US officials' email accounts by China-linked hackers.
Wyden's letter — sent to heads of the Cybersecurity and Infrastructure Security Agency, Department of Justice, and Federal Trade Commission — said that Microsoft “bears significant responsibility for this new incident.” The senator also chided the company for its role in the SolarWinds attack, disclosed in 2020, when Russian hackers compromised computer networks in the federal government and private sector.
The hack of US officials' email, which included the accounts of Commerce Secretary Gina Raimondo and State Department officials, took place shortly before Secretary of State Antony Blinken traveled to China to meet President Xi Jinping. The breach was described by Rob Joyce, a senior official at the National Security Agency, as “China doing espionage.”
The hack stood out not because of what took place but how the hackers were able to gain access. They did so by obtaining a Microsoft consumer signing key, which allowed them to obtain access to officials' emails despite security protections. Microsoft has yet to reveal exactly how the key was obtained.
“Government emails were stolen because Microsoft committed another error,” Wyden, a Democrat from Oregon, said in his letter. “Microsoft should not have had a single skeleton key that, when inevitably stolen, could be used to forge access to different customers' private communications.”
A Microsoft spokesperson said the incident “demonstrates the evolving challenges of cybersecurity in the face of sophisticated attacks.”
“We continue to work directly with government agencies on this issue, and maintain our commitment to continue sharing information at Microsoft Threat Intelligence blog,” the representative said.
Wyden's letter was previously reported by the Wall Street Journal.
Wyden said that Jen Easterly, the director of CISA, should direct the Cyber Safety Review Board to investigate the incident. That body, which was created by a Biden administration executive order, reviews cybersecurity incidents and issues and publishes a report.
The SolarWinds hack was originally intended to be the first investigation carried out by the board, according to the executive order that created it. But that probe never happened.
Wyden said he has been rebuffed in getting CISA and the Department of Homeland Security to direct the board to study the SolarWinds breach. “Had that review taken place, it is quite likely that Microsoft's poor data security practices around encryption keys would have come to light, and this most recent incident might have been averted,” he said.
The letter also asks Attorney General Merrick Garland and FTC Chair Lina Khan to investigate if Microsoft violated federal laws, including those pertaining to unfair and deceptive business practices.