Microsoft under fire after hacks of US State and Commerce departments
Microsoft is facing criticism of its security after a number of US officials were hacked and had e-mails stolen.
PHOTO: REUTERS
WASHINGTON – In late June, one of cyber-security expert Steven Adair’s clients got an alert from Microsoft: One of the client’s employees working on human rights issues had their e-mail account compromised. The client wanted to know if Mr Adair could get to the bottom of it.
Mr Adair, who used to work in cyber defence at US space agency National Aeronautics and Space Administration before setting up his own firm, Volexity, immediately launched an investigation – and hit a brick wall.
“We pored over every detail related to this user’s behaviour,” Mr Adair told Reuters on Thursday. “We couldn’t turn up anything.”
The hackers who broke into his client’s e-mails were the same set of sophisticated cyberspies Microsoft this week blamed for stealing e-mails from senior US officials, including Commerce Secretary Gina Raimondo.
Microsoft said the hacks worked not by hijacking computers or stealing passwords but by taking advantage of a still-undisclosed security issue with the company’s ubiquitous online e-mail service.
Because Mr Adair’s client – whom he declined to identify – was not paying Microsoft for its premium security suite, detailed forensic data was unavailable and Mr Adair had no way to figure out what had happened.
“We basically became a spectator at that point,” he said.
Mr Adair is now pushing for Microsoft to provide the additional data to its clients free of charge, a campaign that has picked up steam in the wake of the breach amid disquiet with the software giant’s security practices in government circles.
US Senator Ron Wyden said Microsoft should offer all its customers full forensic capabilities, saying that “charging people for premium features necessary to not get hacked is like selling a car and then charging extra for seatbelts and airbags”.
Microsoft did not immediately return messages seeking comment on Mr Adair’s experience, Senator Wyden’s comment, or other criticism of its security.
In a blog post that first outlined the hack late on Tuesday, Microsoft said that “accountability starts with us” and that it was “continually self-evaluating, learning from incidents” and strengthening its defences.
A storm in the cloud
For years individuals, organisations and governments have been moving their e-mails, spreadsheets and other data off their own servers and onto Microsoft’s, taking advantage of cost savings and the integration with the Redmond, Washington-based company’s suite of office tools. At the same time, Microsoft has promoted the use of its own security products, prompting some clients to abandon what they saw as redundant antivirus programs.
The process of migrating an organisation’s data and services to a big technology company is sometimes called “moving to the cloud”. It can boost security, especially for small organisations that lack the resources to run their own information technology or security departments.
But competitors squeezed by Microsoft’s security offering are sounding the alarm over how wide swathes of industry and government are effectively putting all their eggs in one basket.
“Organisations need to invest in security,” Mr Adam Meyers of cyber-security company CrowdStrike said in an e-mail distributed to journalists on Wednesday. “Having one monolithic vendor that is responsible for all of your technology, products, services and security can end in disaster.”
Frustration is also building with Microsoft’s licensing structure, which charges customers extra for the ability to see detailed forensic logs like the ones Mr Adair could not access. The issue has been a point of contention between the company and the US government ever since a hack of business software company SolarWinds was disclosed in 2020.
Mr Adair said he understood that Microsoft wanted to make money from its premium security product. But he said having more eyes open to cyber threats would be a win-win for the company and its customers. He noted that the hackers – which Microsoft nicknames Storm-0558 – were caught only because someone at the US State Department with access to Microsoft’s top-of-the-line logging noticed an anomaly in its forensic data.
“Having Microsoft further empower customers and security companies so they can work together is probably the best way,” Mr Adair said. REUTERS

