Microsoft’s mea culpa moment: how it should face up to the CSRB’s critical report

After the CSRB report, Microsoft must eschew marketing hyperbole while apologizing for its cavalier security practices, communicating its remediation plan, and reporting honest metrics to the security community as it proceeds.

On March 20 of this year, the Cyber Safety Review Board (CSRB), an organization under the Cybersecurity and Infrastructure Security Agency (CISA) that was established pursuant to President Biden’s Executive Order (EO) 14028 on ‘Improving the Nation’s Cybersecurity’, published a report titled “Review of the Summer 2023 Microsoft Exchange Online Intrusion.”

As the title suggests, the report was a thorough assessment of the 2023 security breach that compromised the MS Exchange mailboxes of 22 organizations and over 500 individuals, including government agencies and high-ranking US government officials.

After reviewing all the details, the CSRB came to these (among other) pointed conclusions:

  1. Microsoft failed to detect the compromise of its cryptographic crown jewels on its own, relying instead on a customer reaching out to report some technology (and potentially security) anomalies.
  2. Microsoft was not observing the same level of security standards and best practices employed by other cloud service providers (CSPs).
  3. Microsoft admitted to the board that its initial public statements about the breach were inaccurate, but it didn’t correct them until just before the report was published.
  4. Microsoft’s corporate culture deprioritized both enterprise security investments and rigorous risk management.

Context is important in understanding the report on the Microsoft breach

The report also concludes that Microsoft did not employ secure software development best practices and did not patch software vulnerabilities in a timely manner. Strong words.

Now, before I discuss the ramifications of these serious issues, it’s important to put them in context. Unfortunately, security lapses like those described in this report are not unusual. Leading companies with world-class CISOs and ample resources, anchored by best practices, often find that one division, business unit, or geography is minimizing or even ignoring strong cybersecurity. Perhaps this one group is lazy, feels like security disrupts the business, or remains blissfully ignorant of security threats. Who knows? It just happens.

I know for a fact that Microsoft really does take security seriously, and most of the company is moving in the right direction. That said, the security problems revealed in the CSRB report are shocking and completely unacceptable for a technology company with the size, control, and power of Microsoft.

Remember, too, that after intense criticism from the cybersecurity community since the 1990s, Microsoft revved up its marketing machine several times, trumpeting security initiatives like Trustworthy Computing in 2002 (based on a publicly disclosed memo from Bill Gates himself), and the 2023 Secure Future Initiative, with the distinct purpose of bolstering Microsoft cloud security.

What’s next for Microsoft in the wake of the report?

Okay, so what happens next for Microsoft, its customers, and the security industry? Here are a few of my suggestions:

  1. Microsoft should abandon its marketing hype around security. Along those lines, it should tear up its planned presentations for the RSA Conference next month and take the opportunity to communicate clearly and simply what happened, what it intends to do, and when it will do it.
  2. Microsoft should routinely update the security community on its progress and metrics. In short, Microsoft should operate in a continuous state of damage control as it may take a generation before cybersecurity professionals really trust the company.
  3. CISOs should write their own summary reports in language that non-technical executives will quickly understand. This is what they call a ‘teachable moment’ for the C-Suite and board.
  4. Every cybersecurity professional should read the report from cover to cover. It’s educational and will help them understand what a mature security posture should look like.

Despite its significant cybersecurity contributions over the past few years in areas like threat intelligence, takedowns, and technology innovation — heck, even its security products have become competitive with market leaders in many categories — Microsoft shouldn’t get a pass on the CSRB report. The company has a long journey and a lot of work ahead of it. I hope it does the right thing with humility, transparency, and candor.
