Microsoft's Brad Smith acknowledges past security failures, outlines new security initiatives – SiliconANGLE

Microsoft Corp. President Brad Smith said before a House Committee on Homeland Security hearing today that the company acknowledges its past security shortcomings and detailed new initiatives to bolster defenses, as a former employee claimed that Microsoft ignored his warnings about vulnerabilities in Active Directory that ultimately led to the hack of SolarWinds Worldwide LLC in 2020.

During his testimony, Smith addressed significant breaches, including the SolarWinds hack and the compromise of Microsoft Exchange by hackers in 2023, saying that the incidents had resulted from multiple failures within Microsoft’s security protocols.

He went on to say that Microsoft is committed to making security its top priority and detailed the company’s Secure Feautre Initiative, a plan aimed at protecting user identities, securing networks and isolating production systems to prevent similar breaches. According to Smith, the initiative is part of a broader effort by Microsoft to enhance threat detection capabilities, improve incident response times and increase transparency with customers and stakeholders about security incidents.

In written testimony submitted to the hearing before he testified in person, Smith said that “Microsoft accepts responsibility for each and every one of the issues cited” in a Cyber Safety Review Report into the Exchange hack. He added “Without equivocation or hesitation. And without any sense of defensiveness. But rather with a complete commitment to address every recommendation and use this report as an opportunity and foundation to strengthen our cybersecurity protection across the board.”

Smith’s ownership of Microsoft’s past security failures comes as Andrew Harris, a disgruntled former Microsoft employee, claimed in an article published by ProPublica that his warnings of security issues with Microsoft products were ignored by the company. Smith argues that Microsoft failed to address a critical security flaw in Azure Active Directory Federation Services known as “Golden SAML” that ultimately led to the SolarWinds Breach.

Harris says he discovered the vulnerability in 2016 but was subsequently dismissed by colleagues and that Microsoft did not address the issue, citing the potential financial consequences of acknowledging the flaw. Harris left Microsoft in August 2020, with the SolarWinds hack occurring later the same year.

In his testimony, Smith did not refer to Harris but assured the committee that Microsoft is committed to being transparent about its security practices and vulnerabilities. Smith mentioned that the company is implementing more rigorous internal audits and external reviews to ensure accountability and continuous improvement.

Smith also stressed the importance of collaboration between tech companies, the government and other stakeholders to strengthen national cybersecurity. He noted that Microsoft is working closely with federal agencies to improve security measures and share critical threat intelligence as it becomes available.

Discussing the testimony, Ryan Kalember, chief strategy officer at cybersecurity company Proofpoint Inc., told SiliconANGLE that “there have been too many consequential cybersecurity incidents that have impacted consumers’ private information, organizations’ IP and sensitive data, and governments’ confidential intelligence that would have been avoidable had Microsoft made different choices and lived up their public promises.”

“Security and privacy have unfortunately taken a back seat in Microsoft’s product design in their quest for new productivity features and a higher stock price and their recent backtracking after the Microsoft Recall AI controversy is a particularly instructive example,” Kalember added. “It took an enormous amount of pressure from the entire cybersecurity industry and privacy experts for Microsoft to see this for what it is—a massive, trivially exploitable security risk—and to do the right thing by ensuring it is disabled by default.”

Not everyone was as harsh on Microsoft’s previous mistakes, with Jeff Williams, co-founder and chief technology officer at application security software platform provider Contrast Security Inc., noting that “while it’s pretty obvious in hindsight that they made a mistake, I think commentators are judging them without seeing the whole picture.”

“The unfortunate reality is that software is far more complex than most people understand. A single application is built from dozens of source code repos, hundreds of open-source libraries, multiple application frameworks, server software and often multiple language platforms,” Willams explained. “And Microsoft has tens of thousands of applications, each of which has vulnerabilities reported all the time by tools, penetration testers, customers and more.”

Photo: Web Summit/Flickr