Skip to content

News

Chairman Green Opens Microsoft Hearing: The American People and Federal Agencies “Deserve Assurances That Their Data and Operations Are Protected”

June 13, 2024

WASHINGTON, D.C. — Today, House Committee on Homeland Security Chairman Mark E. Green, MD (R-TN) delivered the following opening statement in a hearing to examine Microsoft’s security shortcomings, challenges encountered in preventing significant cyber intrusions, and its plans to strengthen security measures following the Cyber Safety Review Board’s (CSRB) report on the Microsoft Online Exchange 2023 cyber intrusion by threat actors affiliated with the People’s Republic of China (PRC).
 


Watch Chairman Green’s opening statement.


As prepared for delivery:

Each and every day, the U.S. Government depends upon Microsoft cloud services, productivity tools, and operating systems to carry out an array of critical missions. Microsoft is deeply integrated into our nation’s digital infrastructure—a presence that carries heightened respect and heightened responsibility. 
 
We are holding this hearing because of the latest Department of Homeland Security (DHS) Cyber Safety Review Board (“CSRB”) report. The report attributed last summer’s Microsoft Exchange Online hack, by Storm-0558, which is backed by the Chinese Communist Party, to “a cascade of security failures at Microsoft.”

These determinations were based on a number of findings detailed in the report. 
 
Specifically, Storm-0558 accessed the Microsoft Exchange accounts using authentication tokens signed by an inactive private encryption key that Microsoft created in 2016. The Beijing-backed actor obtained tens of thousands of individual U.S. Government emails by compromising the Microsoft Exchange email accounts of U.S. officials working on national security matters relating to China.
 
The CSRB concluded that this intrusion would have been prevented if Microsoft had cultivated a strong security culture, which the CSRB said “requires an overhaul, particularly in light of the company’s centrality in the technology ecosystem and the level of trust customers place in the company to protect their data and operations.” 
 
By any measure, this cyber intrusion was not sophisticated. It did not involve advanced techniques or cutting-edge technologies. Instead, Storm-0558 exploited basic, well-known vulnerabilities that could have been avoided through basic cyber hygiene practices. In other words, this was avoidable.
 
This is extremely concerning, and it falls to this committee to do the due diligence and determine just where Microsoft sits as a company, and how it has taken this report to heart.  
 
Our goals today are simple. We want to give the company we put so much faith in as a government, the opportunity to discuss lessons learned, actions taken, and of course to share where they feel the report could be wrong.
 
To be clear, the U.S. government would never expect a private company to work alone in protecting itself against nation-state attacks. 
 
We need to do more work to define roles and responsibilities for public and private sector actors in the event of nation-state attacks on our networks. Our nation’s adversaries possess advanced cyber capabilities and substantial resources, often exceeding the defensive cybersecurity measures available to even the most sophisticated companies.
 
However, we do expect government vendors to implement basic cybersecurity practices.
 
Since this is not the first time Microsoft has been the victim of an avoidable cyberattack, and in light of the CSRB’s report, it is now Congress’s responsibility to examine Microsoft’s response to this report. We must restore the trust of the American people, who depend upon Microsoft products every day. We must also address broader questions regarding the mitigation of economic and national security risks. 

This hearing aims to shed light on these issues and ensure that Microsoft has implemented the CSRB’s recommendations to safeguard against future breaches.
 
As we dive into these issues, we need to keep three themes in mind.
 
First, closing the cyber workforce gap—my top priority for the Committee this year. The security challenges we face as a nation are compounded by the persistent shortage of cybersecurity professionals. As Microsoft continues its work to invest in our cyber workforce, we must harken back to the lessons from the CSRB report. Our cyber professionals must be trained to think of security first. We must equip them with the right skills to protect our networks and to build our systems securely.
 
Second, we need to define the role of public and private sector entities in protecting our networks against nation-state actors. 
 
These attacks have become increasingly common, rather than anomalies. We need clearly defined responsibilities so that we can effectively respond to nation-state attacks on our networks.
 
Finally, we must address a fundamental issue: the economic incentives that drive cybersecurity investments. As the CSRB’s report recently revealed, underinvestment in essential security measures exposed critical vulnerabilities. 
 
Changing the economic incentives for cybersecurity investment is not about imposing onerous regulations or stifling innovation. It is about creating an environment where the costs of neglecting cybersecurity are outweighed by the potential benefits of comprehensive security measures. 
 
Today, we will explore the steps Microsoft is taking to strengthen its security culture through its Secure Future Initiative. While I commend Microsoft for announcing steps to reform its security practices, I want to hear about Microsoft’s follow through on its stated commitments in the long term—based largely on its past responses to other significant cyber incidents, such as SolarWinds.
 
One of my biggest concerns is Microsoft’s presence in China—our nation’s primary strategic adversary and the regime responsible for the hack we are discussing today. Over the years, Microsoft has invested heavily in China, setting up research and development centers, including its Microsoft Research Asia Center in Beijing. Microsoft’s presence in China creates a set of complex challenges and risks that we must also talk about today as part of our discussion about a strong security culture. 
 
Mr. Smith, as a long-time, key leader within Microsoft, I anticipate that you will help us understand the gaps that enabled these recent cyber intrusions. The American people, as well as the numerous federal agencies that depend on Microsoft, deserve assurances that their data and operations are protected.
 
Mr. Smith, we appreciate your presence here today and look forward to your testimony.
 
I also would like to let the members of the committee know, that should their question require an answer that would necessitate movement to a secure location, Mr. Smith will be the only one who knows that once the question is asked.  
 
Look, China and Russia are watching this right now. The last thing we want is to empower our adversaries in any way.  
 
Members, if Mr. Smith says the answer would require a secure facility, please accept this and ask another question. The committee staff will determine the best mechanism to get you the answers you ask in a classified manner.