Microsoft President Bows Down in Congress, Takes Responsibility for 'Chain' of Cybersecurity Errors


Congress is now subjecting Microsoft to a thorough grilling over what a government report calls a "cascade" of "avoidable mistakes." The net result of those mistakes was that last year Chinese hackers broke into the company's systems and gained access to the e-mail accounts of U.S. officials, including the Secretary of Commerce.

Appearing before the U.S. House Homeland Security Committee (via CNN), Microsoft President Brad Smith formally bowed before lawmakers and acknowledged every failure highlighted in the Cyber Safety Review Board (CSRB) report.

"Microsoft takes responsibility for each and every one of the issues identified in the CSRB report," Smith said.

According to reports, the hack was carried out by agents of China's Ministry of State Security, who forged authentication tokens that let them pose as legitimate Microsoft customers. Using those tokens they impersonated several organizations, including the U.S. State Department and the Commerce Department, and gained access to Commerce Secretary Gina Raimondo's e-mails.

Not surprisingly, there are growing calls for the government to stop contracting with Microsoft and move to alternative vendors. Smith, however, argued that running multiple vendors brings its own risks, since attackers could target the "seams" where rival systems connect.

It is unclear exactly what "taking responsibility" means in this context. It may be too much to hope that Microsoft will refund fees or decline future contracts, which would be the only things that amount to truly taking responsibility.

Somewhat surprisingly, Smith reportedly cited the hasty rollback of Recall, a headline feature planned as part of the "Copilot+" AI initiative for Windows, as an example of Microsoft's renewed focus on security.

Recall will, appropriately enough, be recalled: rather than shipping on every Copilot+ PC (currently only laptops with Qualcomm's new Snapdragon X chips, with Intel- and AMD-based laptops due later this year), it will be restricted to the narrower user base of Windows Insider program members.

"Leveraging the expertise of the Windows Insider community, we are adjusting Recall's release model to ensure that this experience meets our high standards for quality and security. This decision is rooted in our commitment to provide a trusted, secure and robust experience for all our customers and to seek further feedback before offering this feature to all Copilot+ PC users," Microsoft explained.

The decision followed an outcry from security experts who warned that Recall, which essentially takes a screenshot of everything the user does every few seconds, would hand a treasure trove of information to anyone who gained malicious access to the PC.

Microsoft has already had to change the way it stores Recall data in response to the criticism. One of the major changes is that all Recall screenshots are now encrypted. Encryption at rest, it should be said, mainly protects against someone who lifts the files off the disk; it does nothing about what the logged-in user, or code running as that user, can already see. And the fact that Microsoft thought it was a good idea to screenshot everything in the background and store the raw images without a protection as obvious as encryption says a lot about the company's attitude toward both security and privacy.

Microsoft says it still intends to roll out Recall to all Copilot+ PC users "soon," but gives no date for that rather ominous eventuality.