Microsoft president Brad Smith has testified before a US House panel on homeland security, fielding questions about its security practices and ties to China a year after Chinese hackers spied on federal emails by hacking into the tech giant.
China-linked hackers stole 60,000 US State Department emails by breaking into the tech giant’s systems last summer, while a Russian group separately spied on Microsoft’s senior staff emails this year, according to the company’s disclosures.
Lawmakers grilled Smith over Microsoft’s inability to prevent both of those hacks, which they said did not use sophisticated means and repeatedly put federal networks at risk.
The Microsoft emails Russian hackers accessed also “included correspondence with government officials,” Democrat Bennie Thompson said.
“Microsoft is one of the federal government’s most important technology and security partners, but we cannot afford to allow the importance of that relationship to enable complacency or interfere with our oversight,” he added.
The hearing drew on the findings of a scathing report in April by the Cyber Safety Review Board (CSRB) – formed by US Secretary of Homeland Security Alejandro Mayorkas – which slammed Microsoft for its lack of transparency over the Chinese hack that it said was preventable.
“We accept responsibility for each and every finding in the CSRB report,” Smith said in his opening statement, adding that the company had already begun working on a majority of the report’s recommendations.
He said cyberattacks had increased and become more sophisticated over time, and public-private partnerships were critical in defending against them.
“We’re dealing with formidable foes in China, Russia, North Korea, Iran, and they’re getting better,” said Smith. “They’re getting more aggressive … They’re waging attacks at an extraordinary rate.”
When questioned about why it was the State Department, and not Microsoft, that discovered the Chinese intrusion, Smith said: “That’s the way it should work. No one entity in the ecosystem can see everything.”
But Congressman Thompson wasn’t convinced.
“It’s not our job to find the culprits. That’s what we’re paying you for,” Thompson told Smith.
Lawmakers also probed Smith for details on Microsoft’s business and presence in China.
“Over the years, Microsoft has invested heavily in China setting up research incentives, including the Microsoft Research Asia centre in Beijing,” said Congressman Mark Green from Mississippi, chairman of the homeland security panel.
“Microsoft’s presence in China creates a mix of complex challenges and risks. We have to talk about that today.”
Smith said around 1.5 percent of the company’s revenue came from China, and that it was working on reducing its engineering presence there.
The world’s biggest software-maker and a key vendor to the US government and national security establishment, Microsoft has faced heightened criticism from its security industry peers in the past year over the breaches and lack of transparency.
Following the board’s criticisms, Microsoft had said it was working on improving its processes and enforcing security benchmarks.
In November it launched a new cyber security initiative and said it was making security the company’s top priority “above all else – over all other features.”