Microsoft May Finally Have To Quit Deflecting On Security: Analysis

While tough decisions lie ahead for the tech giant, the unequivocal criticism by a federal review board suggests the time has come for a true Microsoft security overhaul.

As criticism has mounted in the industry over Microsoft’s security practices, the tech giant has tried out a few different approaches while responding publicly over the years.

At times, Microsoft has tried to ignore the criticism. Other times the company has responded by offering up a generic description of how it does things, security-wise. Then last fall, Microsoft launched a highly publicized security “initiative.” (While the effort initially seemed like a step in the right direction, it has become harder to take seriously after the company seized the opportunity to hype it during a major breach disclosure in January.)

Then there’s this old favorite: Deflect.

There was, for instance, the time when Microsoft communications chief Frank Shaw responded to a critic at rival vendor CrowdStrike by arguing that security is a “team sport” and that, rather than criticizing each other, “fellow defenders must work together to make the world a safer place.”

More recently, Microsoft issued a statement last fall responding to critical comments by CrowdStrike CEO George Kurtz, which echoed Shaw’s prior argument: “We believe collaboration and partnership across the security industry is essential to stay ahead of expansive advanced threats and find the aggressive competitive framing of security issues unfortunate.”

Indeed, CrowdStrike is a competitor to Microsoft. But that doesn’t mean Kurtz and other members of the company’s leadership don’t have a point.

Meanwhile, internally at Microsoft, deflection also appears to remain the go-to response when high-profile security issues arise — an alternative to making the tough decisions actually needed to root out the underlying architectural problems.

I’m basing this last statement on this week’s stunning rebuke of Microsoft’s security culture and practices by the U.S. Department of Homeland Security’s Cyber Safety Review Board. Within its 34-page report on the 2023 Microsoft cloud email breach — which the review board pinned on a “cascade of Microsoft’s avoidable errors” — the CSRB disclosed some interesting details on how the company went about responding to the breach internally.

Following the China-linked attack, according to the CSRB report, “Microsoft developed 46 hypotheses to investigate, including some scenarios as wide-ranging as the adversary possessing a theoretical quantum computing capability to break public-key cryptography or an insider who stole the key during its creation.”

That’s right, 46 hypotheses. One of which was quantum computers capable of breaking public-key cryptography. Which, as far as anyone has demonstrated, don’t exist.

The report continues: “Microsoft then assigned teams for each hypothesis to try to: prove how the theft occurred; prove it could no longer occur in the same way now; and to prove Microsoft would detect it if it happened today.” However, “nine months after the discovery of the intrusion, Microsoft says that its investigation into these hypotheses remains ongoing.”

The fact that the largest security vendor in the world was unable to determine, nine months on, how the key at the center of the breach was stolen is troubling, for sure. But the disclosure also tells us something about Microsoft’s ideas on how to handle breaches, which perhaps should worry us even more.

The reality is that, according to numerous experts I’ve spoken with over the years, the bulk of major security incidents at Microsoft go back in some way to the company’s identity infrastructure — the systems that issue, sign and validate the credentials and tokens used to authenticate to its services — which is a patchwork of legacy and modern technologies.

This is undoubtedly not an easy fix, CrowdStrike’s Adam Meyers told me.

“The problem is that if the issue is the underlying identity infrastructure, and they need to go back and fix that, that is going to break everything,” Meyers said. “Which is why, rather than do that, they come up with 46 theories and then assign a team to each of those theories.”

Put another way, rather than taking a hard look at how to fix its problems in a comprehensive manner, Microsoft appears to be focused on winning the public relations battle by showing that the latest incident-of-the-month won’t happen again. The tech giant seems to believe that if it can just find and fix these narrower issues, it’ll be able to steer attention away from the actual causes lying deep in its identity systems.

I’m not saying Microsoft shouldn’t try to figure out how a major breach happened and how to prevent its recurrence. But as the CSRB points out in its report this week, that isn’t enough. And perhaps some of Microsoft’s hypothesis-probing resources could be reallocated — such as those aimed at proving the company was the victim of non-existent quantum technology. (As Meyers points out, that would be like telling a team of 50 people, “‘Go figure out if aliens did this.’”)

It remains to be seen whether Microsoft will maintain its strategy of deflection in the wake of the CSRB’s brutal and unequivocal criticism of its security. But perhaps the time has finally come for the Microsoft security overhaul that many in the industry have been calling for.

The company itself gave at least a hint of encouragement in its response to the CSRB report — saying in a statement that “recent events have demonstrated a need to adopt a new culture of engineering security in our own networks.”

Regardless, at least they’re not trying to blame it on aliens — sorry, quantum computers — anymore.