Microsoft is transforming its corporate culture to make security its top priority, President Brad Smith told Congress on Thursday, promising that security will be “more important than the company’s work on artificial intelligence.”
Satya Nadella, Microsoft’s chief executive, “has taken on the responsibility of acting as Microsoft’s senior security executive,” Smith told Congress.
His testimony comes after Microsoft admitted it could have taken steps to prevent two cyberattacks linked to China and Russia.
According to Microsoft whistleblower Andrew Harris, Microsoft spent years ignoring a vulnerability while he proposed fixes to the “security nightmare.” Instead, Microsoft feared losing its contract with the government by warning about the bug and reportedly downplayed the problem, choosing profits over security, ProPublica reported.
This apparent negligence led to one of the largest cyberattacks in U.S. history, with the attackers taking advantage of Microsoft’s security failings. China-linked hackers stole 60,000 emails from the U.S. State Department, Reuters reported. Several federal agencies were affected, giving the attackers access to sensitive government information, including data from the National Nuclear Security Administration and the National Institutes of Health, ProPublica reported. Even Microsoft itself has been hacked: this year a Russian group gained access to the emails of senior officials, including their “correspondence with government officials,” Reuters reported.
“We recognize that we can and must do better,” Smith told Congress today, according to his prepared written testimony. “As a company, we need to strive for perfection in protecting this country’s cybersecurity. Every day we fall short is a bad day for cybersecurity and a terrible day for Microsoft.”
To reinforce the corporate culture shift toward “empowering and rewarding every employee to find security issues, report them” and “help fix them,” Smith said Nadella sent an email to all staff to emphasize that security must remain the top priority at all times.
“If you’re faced with a tradeoff between security and another priority, your answer is clear: do security,” Nadella’s email reads. “In some cases, this will mean prioritizing security above other things we do, such as releasing new features or providing ongoing support for legacy systems.” To make sure everyone participates, Microsoft has also begun tying executive pay to achieving security goals.
Smith was the lone witness to testify at a House Committee on Homeland Security hearing, titled “A Cascade of Security Failures: Assessing Microsoft Corporation’s Cybersecurity Breaches and Their National Security Implications.”
He told Congress that Microsoft is acting on the 16 recommendations made by the Cyber Safety Review Board (CSRB) in a report that “identified a series of Microsoft operational and strategic decisions that collectively point to a corporate culture that deprioritized both enterprise security investments and rigorous risk management.”
As part of those commitments, Microsoft has agreed to stop charging for key security-related features, such as more granular logging, which the CSRB says is a critical component of its cloud service. (Last July, Microsoft began turning that culture around by expanding the availability and flexibility of cloud logging to give customers “access to wider cloud security logs” at no additional cost.)
Smith also said that Microsoft is “pursuing new strategies, investing more resources, and fostering a stronger cybersecurity culture.” This includes “18 additional concrete security objectives” beyond the CSRB’s recommendations and “dedicates the equivalent of 34,000 full-time engineers to what has become the largest cybersecurity engineering project in the history of digital technology,” according to Microsoft’s Secure Future Initiative (SFI).
Microsoft has also strengthened its security team, Smith said, adding “1,600 more security engineers this fiscal year” and planning to “add 800 more new security positions” in the next fiscal year. In addition, the company’s chief information security officer (CISO) will now lead a meeting with senior deputy CISOs “to expand oversight of the various engineering teams to assess and ensure that security is ‘embedded’ into engineering and decision-making processes.”
Smith described SFI as “a multi-year effort” that focuses all of Microsoft’s product and service development “on achieving the highest security standards imaginable.” He warned that online threats are constantly evolving, but said Microsoft is committed to basing its plans on core cybersecurity principles that prioritize security in product design and ensure protections are never optional and always enabled by default.
The move is part of Microsoft’s plan to regain trust after Smith and Microsoft did not appear to fully accept responsibility for an earlier Russian cyberattack. In 2021, Smith told Congress that “no vulnerabilities in any Microsoft product or service were exploited” in that cyberattack, while stating that “customers could have done more to protect themselves,” ProPublica reported.
In an exchange with Sen. Marco Rubio (R-Fla.), Smith suggested that customers could simply have paid for “an antivirus product like Microsoft Defender” and secured their devices with “another Microsoft product called Intune,” ProPublica reported.
Now, Smith told Congress on Thursday: “Microsoft accepts responsibility for fixing the problems cited in the CSRB report. Without equivocation or hesitation. And without any sense of defensiveness.”