Sen. Ron Wyden, D-Ore., demanded that the Department of Justice (DoJ) and two civil regulators open separate probes into Microsoft’s cybersecurity practices after a high-level hack targeting the highest ranks of President Biden’s cabinet.
In a June 27 letter addressed to several Federal officials – Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly, DoJ Attorney General Merrick Garland, and Chair of the Federal Trade Commission Lina Khan – Sen. Wyden asked that an investigation into Microsoft’s “negligent cybersecurity practices” be conducted.
According to Sen. Wyden, Microsoft’s “negligent cybersecurity practices” enabled the successful “Chinese espionage campaign against the U.S. government.”
Earlier this month, Chinese intelligence hacked into Microsoft email accounts belonging to two dozen government agencies – including the Department of State – in the United States and Western Europe. The hackers accessed the Microsoft-powered email accounts of top China envoys, Commerce Secretary Gina Raimondo, and Secretary of State Antony Blinken.
The intrusion occurred between May to June, ahead of a critical Sino-U.S. meeting.
According to Microsoft, hackers stole an encryption key that Microsoft had generated for its identity service, Microsoft Account (MSA), which validates a user’s identity. Because of this, the hackers could create fake authentication tokens to impersonate users and gain access to Microsoft-hosted consumer accounts, regardless of the protections in place.
In addition, a validation error in Microsoft code allowed the hackers to create fake tokens for Microsoft-hosted accounts for government agencies and other organizations and access those accounts.
“This is not the first espionage operation in which a foreign government hacked the emails of United States government agencies by stealing encryption keys and forging Microsoft credentials,” Sen. Wyden wrote, adding that the 2020 SolarWinds hacking campaign used a similar technique.
“Microsoft never took responsibility for its role in the SolarWinds hacking campaign. It blamed Federal agencies for not pushing it to prioritize defending against the encryption key theft technique used by Russia, which Microsoft had known about since 2017,” he added.
According to Sen. Wyden, Microsoft had known since 2017 that such keys could be quietly exfiltrated from customer servers running its software, but it failed to warn its customers – including government agencies – about this risk.
“Even with the limited details that have been made public so far, Microsoft bears significant responsibility for this new incident,” Sen. Wyden said, explaining that Microsoft should not have had a “single skeleton key that, when inevitably stolen, could be used to forge access to different customers’ private communications.”
Federal cybersecurity guidelines, industry best practices, and Microsoft’s recommendations to customers dictate that encryption keys be frequently refreshed. In addition, authentication tokens signed by an expired key should never be accepted as valid.
However, the encryption key used in this latest hack was created by Microsoft in 2016, and it expired in 2021.
Sen. Wyden also pointed out that the executive branch also bears responsibility for the recent hack. He explained that the president’s cybersecurity executive order established the Cyber Safety Review Board, whose first task was to study the SolarWinds incident. That review never took place.
“Had that review taken place, it is quite likely that Microsoft’s poor data security practices around encryption keys would have come to light, and this most recent incident might have been averted. Holding Microsoft responsible for its negligence will require a whole-of-government effort,” Sen. Wyden said.
To that end, Sen. Wyden asks the following from Federal officials:
- That Easterly direct the Cyber Safety Review Board to investigate this incident and examine whether Microsoft stored the stolen encryption key in a Hardware Security Module;
- That Garland examine whether Microsoft’s negligent practices violated Federal law; and
- That Khan investigate Microsoft’s privacy and data security practices related to this incident to determine if Microsoft violated Federal laws enforced by the Federal Trade Commission.
