Microsoft bigwig says the Feds catching Chinese spies in Exchange Online is the cloud working as intended
'It's not our job to find the culprits – That's what we're paying you for' lawmaker scolds Brad Smith
Lawmakers on Thursday grilled Microsoft president Brad Smith about the Windows giant's businesses dealing in China — and the super-corp's repeated security failings — at a time when Beijing-backed spies are accused of breaking into Microsoft-hosted email accounts of American government officials.
A US House committee hearing was held in response to the Department of Homeland Security's Cyber Safety Review Board (CSRB) report, which found that a "cascade of Microsoft's avoidable errors" allowed Beijing's Storm-0558 spy crew to steal tens of thousands of sensitive emails from the cloud-based Microsoft Exchange Online inboxes of the US Secretary of Commerce and high-ranking officials at the Department of State, among others.
That theft was enabled by a cryptographic key stolen from a crash dump file on Microsoft's internal corporate network.
"Microsoft accepts responsibility for each and every one of the issues cited in the CSRB's report," Smith said in his opening statements before the House Committee on Homeland Security.
But then, in response to questioning, Smith also tried to say the fact that the US State Department — not Microsoft — discovered the digital intrusion into its officials' inboxes wasn't exactly a security failure on Redmond's part, but rather "the way it should work."
Quite frankly, we're still not sure what Jedi-mind trick Smith thought he was pulling with that statement.
Indeed, challenging that move, House Rep Bennie Thompson (D-MS) told Smith, "Microsoft didn't find the problem. It was the State Department that found the problem. Help us out."
Smith responded in a way that brazenly tried to offload the blame to others:
That's a great question. And the one thing I'd ask all of us to think about is that's the way it should work. No one entity in the ecosystem can see everything, so we all need to work together.
Give us a break.
Thompson didn't let Smith off the hook with that answer, and pointed out that Microsoft provides about 85 percent of the productivity software used by the federal government. Plus, Redmond is a major security and cloud services provider to the Feds.
"Because you are such a big customer of government, we rely heavily on your product, and it's not our job to find the culprits," the ranking committee member said. "That's what we're paying you for."
Other congress members interrogated Smith about Microsoft's presence in China, and whether Redmond could be forced to hand over code or customers' sensitive data to comply with Beijing's national security laws.
Smith told lawmakers that Microsoft's business in China represents about 1.5 percent of his company's revenue, and that it recently told some 800 engineers in the country that they needed to move out of China to keep their positions.
Representative Carlos Gimenez (R-FL) pointed to a 2017 national intelligence law in the Middle Kingdom that can be used to force people and organizations operating in the country into assisting Chinese intelligence agencies. Their exchange then went like this:
Gimenez: Do you operate in China?
Smith: Yes, we do.
Gimenez: Do you comply with this law?
Smith: No, we do not.
Gimenez: How is it you got away with not complying with the law? Do you have a waiver from the Chinese government saying that you don't have to comply with this law?
Smith: No, we do not.
"I just don't trust what you're saying to me," Gimenez said. "You're operating in China. You have a cozy relationship in China. You're there. They allow you to be there, and I don't believe that they're going to say, 'Yeah, okay, no problem. You don't have to comply with our law that everybody else does.' Every other foreign company has to, but not Microsoft."
Rep Marjorie Taylor Greene (R-GA) used her five minutes of questioning to advance her conspiracy theories about the CSRB, which was established under President Joe Biden's Executive Order 14028 on "Improving the Nation's Cybersecurity," and is housed within the US Cybersecurity and Infrastructure Security Agency (CISA).
"CISA also has a bad reputation, especially among Republicans. They colluded with big tech and social media companies stripping Americans of their First Amendment rights," Greene said.
The Register reached out to Greene's office to help us decode that claim, and did not receive a response. ®