According to a senator, Microsoft “bears responsibility” for China-linked hacking attacks

In a sharply worded letter sent to key federal agencies, Senator Ron Wyden called for multiple investigations into Microsoft Corporation following the hacking of U.S. officials’ email accounts by actors linked to China.

In the letter, addressed to the heads of the Cybersecurity and Infrastructure Security Agency, the Department of Justice, and the Federal Trade Commission, Wyden stated that Microsoft “bears significant responsibility for this latest incident.” The senator also criticized the company for its role in the SolarWinds attack revealed in 2020, when Russian hackers breached computer networks in the federal government and private sector.

The breach of U.S. officials’ email accounts, which included those of Commerce Secretary Gina Raimondo and State Department staff, occurred shortly before Secretary of State Antony Blinken traveled to China to meet with President Xi Jinping. The incident was described by Rob Joyce, a senior official at the National Security Agency, as “China engaging in espionage.”

The breach stood out not for what happened, but for how the hackers gained access. They did so by obtaining a Microsoft consumer signing key, which allowed them to access officials’ email despite security measures. Microsoft has not yet disclosed how the key was obtained.

“Government email was stolen because Microsoft made another mistake,” wrote Wyden, a Democrat from Oregon, in his letter. “Microsoft should not have had a single key that, in the event of inevitable theft, could be used to forge access to private communications of different customers.”

A Microsoft spokesperson said the incident “demonstrates the growing cybersecurity challenges in the face of sophisticated attacks.”

“We continue to work directly with government agencies on this issue and remain committed to sharing information through the Microsoft Threat Intelligence blog,” the spokesperson said.

The Wall Street Journal previously reported on Wyden’s letter.

Wyden said that Jen Easterly, Director of CISA, should task the Cyber Safety Review Board with investigating the incident. This body, established by order of the Biden administration, reviews cybersecurity incidents and issues reports.

The SolarWinds hack was originally supposed to be the first investigation conducted by the board, according to the order establishing it. However, that investigation never took place.

Wyden said his efforts to have CISA and the Department of Homeland Security direct the board to examine the SolarWinds data breach were rebuffed. “Had that review taken place, it is likely that Microsoft’s poor data protection practices regarding encryption keys would have been identified, and this latest incident could have been prevented,” he said.

The letter also asks Attorney General Merrick Garland and FTC Chair Lina Khan to investigate whether Microsoft violated federal laws, including those related to unfair and deceptive business practices.

Source: Bloomberg
