WASHINGTON, D.C. –– Last week, the House Committee on Homeland Security, led by Chairman Mark E. Green, MD (R-TN), held a hearing to examine Microsoft’s security culture in the wake of the Cyber Safety Review Board’s (CSRB) report on the Microsoft Online Exchange 2023 cyber intrusion by Storm-0558, a threat actor affiliated with the People’s Republic of China (PRC). Witness testimony was provided by Microsoft Vice Chairman and President Brad Smith, who accepted Microsoft’s responsibility in his opening statement for the intrusion that successfully compromised 22 enterprise organizations and over 500 individuals globally, including federal government accounts, due to what the CSRB described as “a cascade of failures” by Microsoft. Chairman Green and Ranking Member Bennie Thompson (D-MS) formally requested Smith’s testimony on May 9. 
 
In the hearing, members highlighted the risks associated with Microsoft’s presence in China, its approach to artificial intelligence (AI) development and deployment, Microsoft’s current and future approaches to business decisions, and the company’s plans to strengthen cybersecurity measures following the intrusion. Members also discussed the January 2024 cyber intrusion by “Midnight Blizzard,” a state-sponsored cyber actor affiliated with the Russian Foreign Intelligence Agency that was also responsible for the attack on SolarWinds in 2020.
 
Although the Committee commends Microsoft for announcing steps to reform its security practices, ensuring follow-through on the company’s stated commitments will be crucial for ensuring U.S. government networks and Americans––including U.S. officials––are not exposed to further risk.

In his opening statement, Chairman Green highlighted the broader questions the Committee must examine regarding the mitigation of economic and national security risks:

“To be clear, the U.S. government would never expect a private company to work alone in protecting itself against nation-state attacks. We need to do more work to define roles and responsibilities for public and private sector actors in the event of nation-state attacks on our networks. Our nation’s adversaries possess advanced cyber capabilities and substantial resources, often exceeding the defensive cybersecurity measures available to even the most sophisticated companies. However, we do expect government vendors to implement basic cybersecurity practices.”
 
“First, closing the cyber workforce gap—my top priority for the Committee this year. The security challenges we face as a nation are compounded by the persistent shortage of cybersecurity professionals. As Microsoft continues its work to invest in our cyber workforce, we must harken back to the lessons from the CSRB report. Our cyber professionals must be trained to think of security first. We must equip them with the right skills to protect our networks and to build our systems securely. Second, we need to define the role of public and private sector entities in protecting our networks against nation-state actors. These attacks have become increasingly common, rather than anomalies. We need clearly defined responsibilities so that we can effectively respond to nation-state attacks on our networks. Finally, we must address a fundamental issue: the economic incentives that drive cybersecurity investments. As the CSRB’s report recently revealed, underinvestment in essential security measures exposed critical vulnerabilities.”

Subcommittee on Transportation and Maritime Security Chairman Carlos Gimenez (R-FL)highlighted the dangers of doing business in Communist China and asked Smith if Microsoft shares critical information on cybersecurity with the Chinese Communist Party (CCP)––as companies are required to do under Chinese law:
 
“This law requires all organizations and citizens to cooperate with China’s intelligence agencies, including the People’s Liberation Army, in matters of national security. While the law does not specifically mention companies working in China, it does apply to all organizations operating within the country, including foreign companies. [Do] you operate in China?”
 
Smith answered: 
 
“Yes, we do”
 
Gimenez continued: 
 
“Do you comply with this law?”
 
Smith answered: 
 
“No, we do not”
 
Gimenez continued: 
 
“How is it you got away with not complying with the law? Do you have a waiver from the Chinese government saying you don’t have to comply with this law?”
 
Smith answered: 
 
“But there are many laws– there are two types of countries in the world. Those that apply every law they enact, and those that enact certain laws but don’t always apply them. And in this context, China, for that law, is in the second category.”
 
Gimenez continued: 
 
“Do you really believe that because––look, I sit on the Select Committee on China, and that’s not the information that we get––that all companies in China have to cooperate with the intelligence agencies of China and the People’s Liberation Army. You operate in China, and you’re sitting there telling me that you don’t have to comply with the laws of China?”
 
After pressing Smith further, Gimenez later concluded: 
 
“I’m sorry, I just––for some reason, I just don’t trust what you’re saying.”

Subcommittee on Border Security and Enforcement Chairman Clay Higgins (R-LA) asked Smith why Microsoft did not correct, in a timely manner, its inaccurate public statements about the 2023 cyber intrusion:
 
“After the hack, the 2023 Microsoft Online Exchange intrusion, why did it take six months for Microsoft to update the means by which most Americans would sort of be made aware of such a hack?”
 
Smith answered: 
 
“First of all, I appreciate the question, it’s one that I asked our team when I read the CSRB report. It’s the part of the report that surprised me the most. You know, we had five versions of that blog, the original, and then four updates. And we do a lot of updates of these reports. And when I asked the team, they said the specific thing that had changed, namely a theory, a hypothesis about the cause of the intrusion, changed over time. But it didn’t change in a way that would give anyone useful or actionable information that they could apply—”
 
Higgins continued: 
 
“Mr. Smith, respectfully, that answer does not encourage trust. And regular Americans listening are going to have to move the tape back on the Microsoft instrument and listen to what you said again. But you didn’t do it, I mean, you’re Microsoft, [you] had a major thing happen, and the means by which you communicate with your customers was not updated for six months. So I’m just going to say that I don’t really accept your answer as thoroughly honest.”
 
Smith answered: 
 
“I said the same thing, and we had the same conversation inside the company.”
 

Congresswoman Laurel Lee (R-FL) asked Smith how to improve the victim notification process in the wake of the challenges that Microsoft faced in notifying those impacted by the 2023 Storm-0558 hack:
 
“I’d like to hear more about one of the things that was identified in the report as an area in need of improvement––victim notification. So, I’d like for you to elaborate a little bit more on your thoughts and going forward plan on how to improve victim notification.”
 
Smith answered: 
 
“When we find that someone has been a victim of an attack, it doesn’t mean that the fault was ours, it’s just that our threat detection system may have found it. We need to let them know. Well, how do you let somebody know? If it’s an enterprise, we probably have a connection, there’s probably somebody there we can call. But if it’s a consumer, like a consumer-based email system, we don’t necessarily know who the human is, we just have an email address. So, we send an email. 
 
“There was a member of Congress we sent an email to last year. That member of Congress did what you sort of expect, they said well, that’s not really Microsoft, is it? It’s spam. […] That’s the world in which we live. And so, the CSRB has a great recommendation on this. It’s to create the equivalent of the Amber Alert. But it will require support from congress that CISA lead this, that the tech sector, and probably the telecommunications companies, and the phone makers, and the phone operating system makers all come together. This would be a huge step forward.”

Congressman Dale Strong (R-AL) pressed Smith on any vulnerabilities still present in Microsoft’s products due to the length of time the threat actor had access to stolen credentials:
 
“What are the security implications of China and other potential threat actors having access into your network for so long? What is the threat of that, you know, thank goodness it was discovered, but what is the threat do you see for them being in your system for so long without being noticed?”
 
Smith answered:  
 
“I would just like to qualify a little bit of the premise, because I noticed in some of the questions that were floating around this week that people suggested that because the Chinese had acquired this key in 2021 and we didn’t find it until 2023 that they must’ve had access for two years. I think that in fact they kept it in storage until they were ready to use it, knowing that once they did, it would likely be discovered quickly.”
 
Strong continued: 
 
“Thank you, and that leads to my next question. Are the Chinese still able to access Microsoft’s corporate network today?”
 
Smith answered: 
 
“No, not with anything they did before, and [we] do everything we can do to ensure they don’t get in any other way.”

Subcommittee on Emergency Management and Technology Chairman Anthony D’Esposito (R-NY) asked Smith why the government should continue using its products after the CSRB questioned Microsoft’s ability to prevent future hacks without an “overhaul” of its security culture:
 
“Are you confident that moving forward Microsoft has the ability to quickly detect and react to an intrusion like this?”
 
Smith answered: 
 
“I feel very confident that we have the strongest threat detection system that you’re going to find in, quite possibly, in any organization private or public on the planet. Will that always mean we will be the first to find everything, well no, that doesn’t work that way. But I feel very good about what we have, and I feel very confident about what we’re building.”

In his closing remarks, Chairman Green highlighted the importance of public-private partnerships in cybersecurity and harmonizing regulations in order to prevent future intrusions:
 
“Sometimes government, in this public-private partnership that we talked about a couple times … sometimes the government can get in the way too, and I want to ask that you educate us as much as possible. I will give you an example. The SEC ruling, the four-day report for a breach. Some of the big cybersecurity companies, I mean the biggest in the nation, told me it [takes] seven or eight days to fix a breach. We are announcing to the world that, at four days, we have a hole in the wall, and it takes seven days to close a hole––this is the government forcing companies to invite the enemy to come in. That is a stupid regulation. 
 
“We need help on understanding where the government also creates problems, so I would appreciate anything that comes to mind. One of the initiatives here, we talked about cyber workforce, one of the other initiatives is the synchronization of the regulations that are out there, making sure we are not duplicative, and we aren’t contradictory, because as I understand there are some regulations that are.”
 
“If we are causing you to have duplicitous effort, that is money that could be spent on real cybersecurity. In this partnership, we need communication, not just on the issues that are brought up here––the breach that was identified––but how we make things better and work better on how we regulate and create compliance requirements.”

###