Sen. Wyden: ‘Hold Microsoft Responsible for Its Negligent Cybersecurity Practices’

Written by Staff
Senator Ron Wyden is calling on the Department of Justice to “hold Microsoft responsible for its negligent cybersecurity practices.”

Microsoft has been under fire since Chinese hackers compromised the company’s cloud email service, including US government email accounts. Critics accused the company of placing critical security features behind its most expensive plans, making it all but impossible for customers on lower-priced plans to have any indication they were compromised.

The company has also faced ongoing accusations that it is not divulging the full extent of the breach, especially in regard to questions about encryption keys that were compromised.

Senator Wyden is one of those who is not happy with Microsoft’s official line, and the senator wants answers. In a letter to US Attorney General Merrick B. Garland, FTC Chairwoman Lina Khan, and CISA Director Jen Easterly, Senator Wyden calls for an investigation into Microsoft’s lapses.

I write to request that your agencies take action to hold Microsoft responsible for its negligent cybersecurity practices, which enabled a successful Chinese espionage campaign against the United States government.

Senator Wyden then goes on to demonstrate that Microsoft has a history of not taking appropriate safeguards to protect its customers, citing the company’s involvement in the SolarWinds incident as an example before tying it to this latest incident.

Even with the limited details that have been made public so far, Microsoft bears significant responsibility for this new incident. First, Microsoft should not have had a single skeleton key that, when inevitably stolen, could be used to forge access to different customers’ private communications. Second, as Microsoft pointed out after the SolarWinds incident, high-value encryption keys should be stored in an HSM, whose sole function is to prevent the theft of encryption keys. But Microsoft’s admission that they have now moved consumer encryption keys to a “hardened key store used for our enterprise systems” raises serious questions about whether Microsoft followed its own security advice and stored such keys in an HSM. Third, the encryption key used in this latest hack was created by Microsoft in 2016, and it expired in 2021. Federal cybersecurity guidelines, industry best practices, and Microsoft’s own recommendations to customers dictate that encryption keys be refreshed more frequently, for the very reason that they might become compromised. And authentication tokens signed by an expired key should never have been accepted as valid. Finally, while Microsoft’s engineers should never have deployed systems that violated such basic cybersecurity principles, these obvious flaws should have been caught by Microsoft’s internal and external security audits. That these flaws were not detected raises questions about what other serious cybersecurity defects these auditors also missed.
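The letter's third point, that tokens signed by an expired key should never be accepted, is illustrated below by an added example that is not from the article, the letter, or Microsoft: a token verifier that checks the signing key's validity window before it checks the signature. The key identifiers, secrets and dates are constructed for the example; the windows only mirror the letter's 2016 to 2021 timeline.

```python
import base64
import hashlib
import hmac
import json

# Constructed key registry (not real key material). Every signing key carries a
# validity window; "key-2016" mirrors the letter's created-2016, expired-2021 key.
KEYS = {
    "key-2016": {"secret": b"constructed-old-secret", "not_before": "2016-01-01", "not_after": "2021-01-01"},
    "key-2023": {"secret": b"constructed-current-secret", "not_before": "2023-01-01", "not_after": "2024-01-01"},
}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_token(kid: str, claims: dict) -> str:
    """Issue a compact header.payload.signature token, HMAC-SHA256 under key `kid`."""
    header = _b64(json.dumps({"alg": "HS256", "kid": kid}).encode())
    payload = _b64(json.dumps(claims).encode())
    sig = hmac.new(KEYS[kid]["secret"], f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def verify_token(token: str, now: str) -> tuple[bool, str]:
    """Return (accepted, reason). A correct signature alone is not enough: the key
    named in the header must exist and `now` (YYYY-MM-DD) must fall inside its
    validity window. ISO dates compare correctly as strings."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        kid = json.loads(_unb64(header_b64))["kid"]
    except (ValueError, KeyError, TypeError):
        return False, "malformed token"
    key = KEYS.get(kid)
    if key is None:
        return False, f"unknown key {kid}"
    # Lifetime check comes first: a token minted with an expired key is rejected
    # regardless of how good its signature is.
    if not (key["not_before"] <= now < key["not_after"]):
        return False, f"key {kid} not valid at {now}"
    expected = hmac.new(key["secret"], f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig_b64)):
        return False, "bad signature"
    return True, "ok"
```

A verifier that skipped the window check would accept the 2016-key token in 2023 with a perfectly valid signature, which is exactly the failure the letter describes.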

Senator Wyden is calling for an investigation to determine “whether Microsoft’s negligent practices violated federal law,” as well as whether the company violated a 20-year consent decree pertaining to cybersecurity. Although the decree expired in December 2022, it is possible that Microsoft’s actions may predate the expiration of that agreement.

Senator Wyden has a well-deserved reputation as a tech-savvy lawmaker with a focus on cybersecurity and privacy protection. As a result, Microsoft should be concerned that he, of all senators, is taking aim at the company.
