world's largest sellers of cybersecurity products are having trouble with their own cybersecurity.
In recent years, Microsoft has been hit by a series of embarrassing hacks that put corporate and government customers at risk. Earlier this month, the U.S. Cyber Security Review Board released a scathing report documenting the company's failure to prevent hackers linked to the Chinese government from breaking into the email accounts of U.S. officials. The report's authors called on Microsoft to make urgent reforms.
Amid mounting criticism, the company has promised its most ambitious security overhaul in 20 years. Among other measures, Microsoft says it will respond faster to cloud vulnerabilities, make it harder for hackers to steal credentials, and automatically enforce multi-factor authentication for employees.
The security reboot is a major effort, but critics question whether Microsoft has enough incentive to make deep and lasting changes. Customers are so dependent on the company's software that they cannot easily switch to other providers. Meanwhile, Microsoft's cybersecurity business generates more than $20 billion in annual revenue, making it one of the company's fastest-growing revenue streams. Many of the anti-hacking tools are sold bundled with Microsoft software, and some critics have accused the company of anti-competitive business practices.
U.S. Sen. Ron Wyden on April 8 introduced a bill that would require the government to set mandatory cybersecurity standards for collaboration software, citing Microsoft's “terrible cybersecurity.” The Democrat said the government is spending “huge amounts” on insecure software due to “vendor lock-in, bundling and other anti-competitive practices.”
“unacceptable”
Referring to the Cyber Review Board's assertion that Microsoft is not focused on security, Wyden said: “This is unacceptable for a company that is entrusted with a lot of sensitive government information, especially one that makes tens of billions of dollars in revenue from cybersecurity alone. Relying on technology vendors has been a failing strategy for decades.”
Microsoft declined to comment on Wyden's bill or remarks. The company described the cybersecurity landscape as more challenging than ever and said it has a “unique role to play in keeping the world safe.”
In an interview earlier this month at Microsoft's Seattle-area headquarters, security chief Charlie Bell described the company as “ground zero” for hackers working on behalf of foreign governments. Part of the reason is that Microsoft dominates the market for enterprise productivity and desktop operating system software.
Recent attacks have hit surprisingly close to home. Earlier this year, a Russian state entity was accused of combing the email accounts of Microsoft executives, prompting the company to redeploy thousands of engineers to mitigate intrusions and accelerate security updates. In May, a group of hackers linked to the Chinese government stole one of Microsoft's access tools and used it to break into the email accounts of hundreds of people, including U.S. Secretary of Commerce Gina Raimondo and Ambassador to China Nicholas Burns. That intrusion was the subject of the Cyber Review Board's investigation.
“They're very good at collecting data over time, gathering and gathering momentum, and thinking about how to translate that into more success,” Bell said. “It's very difficult to defend.”
After this onslaught, executives said, “Well, let's take a step back,” Bell said.
The result is the Secure Future Initiative, announced in November. It's a company-wide security reboot that executives say will allow Microsoft to better address not only current threats, but also future threats that may be powered by artificial intelligence. The effort is led by Bret Arsenault, vice president and chief cybersecurity advisor, who served as Microsoft's chief information security officer for 14 years. Asked why the company didn't address cyber issues sooner, he said the rise of AI and current hacking trends were among the reasons for a more comprehensive security review.
“Sometimes there are certain turning points or changes in circumstances that make you reconsider how you want to do things,” he said, later adding that company officials have “put their energy into delivering on the initiative’s promises” and are focused on that work, which covers most of what the government wants.
Microsoft says it will leverage AI and automation to make its software more secure, as well as increase its reliance on programming languages considered to be more secure. The company says it is tightening its security protocols to make it harder for hackers to use stolen credentials or access tools to steal data. It also promises faster response to security vulnerabilities, including mitigating cloud-based issues 50% faster.
This is a difficult task, given Microsoft's size and the complexity of its product portfolio. The company offers Windows, Office, Exchange email, and other products via the cloud, but it also continues to serve customers that run the software on their own servers. In the latter case, Microsoft provides “patches” for flaws in these so-called legacy systems and relies on customers to install them and maintain security protocols. Efforts to end support for older operating systems such as Windows XP and Windows 7 caused an uproar, and customers did not always comply, because those operating systems were built into ATMs, hospital hardware, and other critical systems.
“There’s so much stuff out there that needs to be cleaned up,” Bell said. “And that's increasing over time.”
Microsoft is accelerating its efforts to remove old and inactive accounts, as well as applications that are no longer supported by software updates or no longer meet new security standards. To date, the company has removed more than 1.7 million IDs associated with old or unused accounts and 730,000 apps that are expired or don't meet security standards, though it wasn't clear how many IDs and apps fit that description.
Crisis 2.0
Microsoft is also increasing its use of multi-factor authentication, automatically applying it to more than 1 million accounts across the company, including accounts used for development, testing, demo, and production, Arsenault said.
The company now requires a video call between a new employee or vendor and the manager who creates their digital ID, and it issues short-lived credentials to new employees and vendors. The measure is designed to make it harder for attackers to impersonate someone or steal an identity. Even users with advanced administrator privileges can no longer turn off multi-factor authentication when creating new accounts, Arsenault said.
If Microsoft's current woes sound familiar, it's because the company went through a similar crisis in the early 2000s. At the time, computer worms were crippling computers running Windows. In January 2002, co-founder Bill Gates released a “Trustworthy Computing” memo urging software developers to prioritize security.
“So when faced with a choice between adding functionality or solving a security problem, we must choose security,” Gates wrote. “Our products need to be security-focused right out of the box.”
Microsoft halted development of new Windows features for months to fix the flaws and try to create a more security-focused culture among its software engineers.
Looking back, Arsenault says it was a simpler time. Microsoft released a version of Windows every few years, so a pause was possible. This is no longer the case, since Microsoft and its rivals update their software multiple times a day on the cloud. “It’s just another company,” Arsenault said.
In the years that followed, Microsoft lagged behind Google in search, Apple in mobile devices, and Amazon in cloud-based services. The pressure to keep up led the company to prioritize speed over security. Microsoft wasn't alone. Many tech companies, eager to capitalize on Silicon Valley's explosive growth, adopted an ethos epitomized by Facebook's slogan at the time: “Move fast and break things.”
Microsoft belatedly began its move to the cloud around 2010. This move allows the company to directly fix security flaws instead of requiring customers to install patches. However, cloud services present new security challenges, as revealed by recent breaches.
Given the sophisticated technology and resources of state-sponsored hackers, it may be impossible to stop them completely. Microsoft's security overhaul will help, but critics say the company needs to delay new product releases again to be more resilient going forward. The Cyber Review Board last week called on Microsoft to “deprioritize feature development across its cloud infrastructure and product suite until security is significantly improved.”
In fact, Microsoft is rushing to capitalize on its early advantages in generative artificial intelligence. Bell said customers are already asking how all the new AI programs will be secured. He has an answer for them: buy more Microsoft security software.
The cybersecurity division has also embraced AI, launching an assistant for security professionals to help detect and thwart hacking attempts. In recent weeks, executives have been touring the United States to show off a tool called Copilot for Security. According to Vasu Jakkal, Microsoft vice president of security, early customer feedback for the AI assistant has been overwhelmingly positive.
“I’ve never seen so much interest in security tools,” she said. — Andrew Martin and Dina Bass, (c) 2024 Bloomberg LP