The US Department of State has been working with a range of security vendors beyond Microsoft since China-linked hackers stole tens of thousands of the department’s emails by breaching the tech giant’s network last year, a senior official said.
That hack, which compromised some 60,000 State Department emails, including those of commerce secretary Gina Raimondo, was one of the worst in recent years against a federal agency and triggered much criticism of Microsoft.
The Cyber Safety Review Board slammed the company last month for its lack of transparency.
“It’s not even that the software they gave me wasn’t secure. It’s that the keys to the kingdom were in the corporate network and their corporate network wasn’t secure,” Kelly Fletcher, the department’s chief information officer said on the sidelines of the RSA Conference in San Francisco.
“We’re seeing this sort of across the ecosystem … that these corporate networks are really important,” she said in an interview.
“I’m counting on all my vendors, not just Microsoft, not only to sell me software that’s secure, but to have a secure corporate network.”
A hacking group Microsoft calls Storm-558 had gained access to a digital key that allowed it to break into several government inboxes, the tech firm earlier said.
The incident strained an already tense US-China relationship as the Chinese embassy in Washington dismissed allegations that Chinese government-linked hackers were behind it.
“Microsoft is an important part of (the State Department’s) ecosystem, absolutely. But they’re not my only cloud vendor,” Fletcher said, adding that the department would continue using multiple vendors. Some of them are Palo Alto, Zscaler, and Cisco, she added.
Microsoft eventually revoked the hackers’ access by invalidating the stolen digital key, but Fletcher said the breach could have had a much wider impact.
“At the time I did not imagine that it was actually that they could access anything they wanted in the Microsoft Office 365 environment for almost any organisation in the world, but that was in fact the case,” she said, referring to the company’s proprietary software.
The department has since implemented various security measures including multifactor authentication and widening data encryption, Fletcher said.
“Four years ago, five percent of our systems had these sort of cyber security fundamentals. Today, it’s 95 percent,” she added.
Microsoft has faced sharp criticism from several of its security industry peers too, especially since it disclosed this year that hackers linked to Russia’s foreign intelligence breached into its senior staff’s corporate emails.
The State Department analysed all its email communications with the tech firm following that, and found none of them were sensitive, said Fletcher, adding: “We think we’re in good shape.”