July 27, 2023

Wyden Requests Federal Agencies Investigate Lax Cybersecurity Practices by Microsoft That Reportedly Enabled Chinese Espionage

Washington, D.C. – U.S. Senator Ron Wyden, D-Ore., today requested the Justice Department, Federal Trade Commission and Cybersecurity and Cyber Safety Review Board investigate whether lax security practices by Microsoft enabled the recent Chinese government hack of multiple U.S. government agencies and high-ranking federal officials.  

The hack came two years after separate cybersecurity failings by Microsoft contributed to the massive SolarWinds hack of several federal agencies. However Microsoft faced little scrutiny for its cybersecurity practices over the past two years. 

“Microsoft never took responsibility for its role in the SolarWinds hacking campaign. It blamed federal agencies for not pushing it to prioritize defending against the encryption key theft technique used by Russia, which Microsoft had known about since 2017. It blamed its customers for using the default logging settings chosen by Microsoft, and then blamed them for not storing the high-value encryption keys in a hardware vault,” Wyden wrote, in a letter to DOJ, the FTC and the Cybersecurity and Infrastructure and Security Agency today. 

Wyden highlighted four significant cybersecurity failures by Microsoft that led to the most recent hack: 

  • Employing a single encryption key that could be used to forge access to consumer, commercial and government customers’ private communications
  • Microsoft’s blog post about the hack suggests it did not store high-value encryption keys in a Hardware Security Module, as the company had advised its customers to do, and is essential to protecting valuable encryption keys,
  • Using an encryption key that was valid for 5 years, and was still accepted by Microsoft’s software, even though it had expired in 2021, two years before the hack, inconsistent with established cybersecurity best practices, and 
  • Neither internal nor external security audits detected the security weaknesses that enabled the hack. 

Wyden urged federal agencies to undertake the following investigations of the incident: 

  • A Cyber Safety Review Board investigation of the most recent hack, including whether Microsoft stored hacked encryption key in a Hardware Security Module,
  • The Department of Justice should use civil enforcement tools to examine whether negligent practices at Microsoft violated federal contracting laws,
  • The FTC should investigate whether Microsoft’s privacy and security practices violated FTC regulations, or violated a consent decree Microsoft agreed to stemming security failures from a previous sign-on product known as Passport. 

Read the full letter here.


Press Contact: Keith Chu