Ron Wyden, a leading US Senator, blames Microsoft for the Chinese hack of Exchange Online. On Thursday he called on the Department of Justice and two other agencies to open separate probes into the tech giant’s “negligent cybersecurity practices”, which he believes enabled the attack. The operation, attributed to Chinese state-backed hackers, reached the highest levels of the US cabinet.
The intrusion took place between May and June, just ahead of a crucial Sino-US meeting.
During the attack, the hackers accessed the Microsoft-hosted email accounts of Secretary of State Antony Blinken, Commerce Secretary Gina Raimondo, and senior China envoys.
Why Does Wyden Blame The Giant?
Senator Ron Wyden, D-Oregon, chairs the powerful Senate Finance Committee. In his letter on Thursday to the Department of Justice, the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Trade Commission (FTC), he accused Microsoft of enabling the attack through major security failures.
The hackers obtained a Microsoft account (MSA) signing key, which Wyden’s letter describes as an encryption key, and used it to mint the authentication tokens behind the attack. Wyden argued that Microsoft failed its customers by relying on a single key that could be used to forge access to the email accounts of major government agencies.
“Government emails were stolen because Microsoft committed another error.” – Wyden’s letter
Although the stolen key was issued for consumer (personal) accounts, the hackers were able to forge tokens for Microsoft-hosted enterprise accounts belonging to government agencies because of “a validation error in Microsoft code”, he added.
Wyden went on to add that engineers at Microsoft shouldn’t have deployed systems violating such basic cybersecurity principles in the first place. Even after deployment, Microsoft’s internal and external security audits failed to detect these “obvious flaws”, he wrote.
Adding to his accusations against Microsoft for the company’s alleged negligence, Wyden pointed out that such high-value encryption keys should have been stored in a hardware security module.
Besides Microsoft, Wyden also faulted the Biden administration, accusing it of failing to study the SolarWinds hack properly.
Perhaps most striking, the stolen key was still usable even though it had expired in 2021. “Authentication tokens signed by an expired key should never have been accepted as valid,” Wyden wrote.
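The two failures the letter singles out, a consumer key accepted for enterprise tokens and an expired key accepted at all, are both token-validation checks. The following is an added example written for this article, not Microsoft’s code, and it makes several assumptions: a constructed key directory with made-up key IDs, secrets, scopes and validity dates; HMAC-SHA256 in place of the RSA signatures real identity-platform tokens carry, so it runs on the Python standard library alone; and an `iss` claim of `"consumer"` or `"enterprise"` standing in for real issuer URLs. `verify_lenient` reproduces the class of mistake described (any known key with a good signature is trusted); `verify_strict` adds the checks a relying service should make.

```python
import base64
import hashlib
import hmac
import json

# Constructed key directory (an assumption for this example, not a real key store).
# Each signing key records the account class it may issue tokens for and the
# window in which it is valid.
KEY_DIRECTORY = {
    "msa-consumer-2016": {
        "secret": b"old-consumer-signing-key",      # the kind of key the attackers obtained
        "scope": "consumer",
        "not_before": 1451606400,                   # 2016-01-01
        "not_after": 1609459200,                    # 2021-01-01: expired
    },
    "msa-consumer-2022": {
        "secret": b"current-consumer-signing-key",
        "scope": "consumer",
        "not_before": 1640995200,                   # 2022-01-01
        "not_after": 1735689600,                    # 2025-01-01
    },
    "aad-enterprise-2023": {
        "secret": b"current-enterprise-signing-key",
        "scope": "enterprise",
        "not_before": 1672531200,                   # 2023-01-01
        "not_after": 1735689600,                    # 2025-01-01
    },
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_token(kid: str, secret: bytes, claims: dict) -> str:
    """Build a compact JWS-style token (header.payload.signature), HMAC-signed."""
    header = {"alg": "HS256", "kid": kid}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"

def _split(token: str):
    h, p, s = token.split(".")
    return json.loads(_b64url_decode(h)), json.loads(_b64url_decode(p)), f"{h}.{p}".encode(), _b64url_decode(s)

def _signature_ok(key: dict, signing_input: bytes, sig: bytes) -> bool:
    expected = hmac.new(key["secret"], signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)

def verify_lenient(token: str, now: int) -> tuple:
    """Flawed verifier: any key in the directory is trusted if the signature checks
    out, regardless of the key's scope or whether it is still within its validity window."""
    header, claims, signing_input, sig = _split(token)
    key = KEY_DIRECTORY.get(header.get("kid"))
    if key is None:
        return False, "unknown kid"
    if not _signature_ok(key, signing_input, sig):
        return False, "bad signature"
    if claims.get("exp", 0) < now:
        return False, "token expired"
    return True, "ok"

def verify_strict(token: str, now: int, expected_scope: str) -> tuple:
    """Hardened verifier: the key must be inside its validity window, must be scoped to
    the account class this service serves, and the token's issuer must agree with it."""
    header, claims, signing_input, sig = _split(token)
    key = KEY_DIRECTORY.get(header.get("kid"))
    if key is None:
        return False, "unknown kid"
    if not (key["not_before"] <= now < key["not_after"]):
        return False, "signing key outside its validity window"
    if key["scope"] != expected_scope:
        return False, "key scope does not match service"
    if claims.get("iss") != expected_scope:
        return False, "issuer claim does not match service"
    if not _signature_ok(key, signing_input, sig):
        return False, "bad signature"
    if claims.get("exp", 0) < now:
        return False, "token expired"
    return True, "ok"

def demo(now: int = 1685577600) -> dict:
    """Forge enterprise tokens with both consumer keys and compare the two verifiers
    (now defaults to 2023-06-01, inside the intrusion window the article cites)."""
    claims = {"iss": "enterprise", "sub": "official@example.gov", "exp": now + 3600}
    forged_expired = sign_token("msa-consumer-2016", KEY_DIRECTORY["msa-consumer-2016"]["secret"], claims)
    forged_current = sign_token("msa-consumer-2022", KEY_DIRECTORY["msa-consumer-2022"]["secret"], claims)
    genuine = sign_token("aad-enterprise-2023", KEY_DIRECTORY["aad-enterprise-2023"]["secret"], claims)
    return {
        "forged_expired_lenient": verify_lenient(forged_expired, now),
        "forged_expired_strict": verify_strict(forged_expired, now, "enterprise"),
        "forged_current_strict": verify_strict(forged_current, now, "enterprise"),
        "genuine_strict": verify_strict(genuine, now, "enterprise"),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The lenient verifier accepts the token minted with the expired consumer key, which is the outcome the letter describes. The strict verifier rejects it on the key’s validity window, rejects the token minted with a current consumer key on scope, and accepts only the token signed by the enterprise key. Checking key scope separately from the token’s own `iss` claim matters because the claim is attacker-controlled once the signing key is in attacker hands.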
The senator wants CISA director Jen Easterly to have the Cyber Safety Review Board investigate the incident and scrutinize how Microsoft’s missteps were overlooked during the external audits mandatory for government contractors.
FTC chair Lina Khan was urged to investigate whether Microsoft’s handling of the incident violated federal privacy and data security laws, including an existing cybersecurity consent decree. Attorney General Merrick Garland received a similar request.
Microsoft Responded and Offered Concessions
A Microsoft spokesperson said in an official statement that the company will continue to work with government agencies and maintain its “commitment to continue sharing information at Microsoft Threat Intelligence blog”.
The tech giant has offered customers some concessions to mitigate the impact of the breach. It remains to be seen whether the agencies will open investigations into Microsoft in response to Wyden’s accusations.