Nadella To Microsoft: Prioritize Security Over New Features

Microsoft CEO Satya Nadella says in a memo sent to staff that ‘if you’re faced with the tradeoff between security and another priority, your answer is clear: Do security.’

In a memo sent to employees, Microsoft CEO Satya Nadella responded to a recent scathing federal report on the company’s security practices by urging staff to prioritize security over new feature releases when necessary.

“If you’re faced with the tradeoff between security and another priority, your answer is clear: Do security,” Nadella wrote in the memo posted by The Verge Friday.

“In some cases, this will mean prioritizing security above other things we do, such as releasing new features or providing ongoing support for legacy systems,” he wrote in the memo. “This is key to advancing both our platform quality and capability such that we can protect the digital estates of our customers and build a safer world for all.”

In a statement provided to CRN Friday, Microsoft said that it “can confirm that Satya Nadella sent a company-wide email this morning about the Secure Future Initiative.”

The memo to Microsoft’s staff of more than 200,000 echoes Bill Gates’ famous 2002 memo to Microsoft employees on “Trustworthy Computing,” which set the tone for a new focus on security at the company in the years that followed.

Nadella’s memo comes a month after a U.S. federal review board report on the 2023 Microsoft cloud email breach found that the China-linked attack was successful in large part because of lax security practices at the tech giant.

The U.S. Cyber Safety Review Board (CSRB), which was appointed by the Department of Homeland Security, ultimately found in the 34-page report that Microsoft needs to reprioritize its security in a much bigger way.

The Microsoft Exchange Online breach was first discovered in June 2023 and saw the compromise of email accounts belonging to multiple U.S. government agencies. The attack is known to have impacted the emails of Commerce Secretary Gina Raimondo and other officials in the Commerce Department.

A total of 60,000 emails were stolen from 10 U.S. State Department accounts in the compromise, and the attackers “had access to some of these cloud-based mailboxes for at least six weeks,” according to the report.

The incident was attributed by Microsoft to a China-linked threat actor tracked as “Storm-0558.”

The CSRB’s report examined, in the authors’ words, a “cascade of Microsoft’s avoidable errors that allowed this intrusion to succeed.”

The conclusion, according to the report, is that “Microsoft has drifted away from this ethos and needs to restore it immediately as a top corporate priority.” The report noted that the CSRB is “aware of Microsoft’s recent changes to its security leadership and the ‘Secure Future Initiative’ that it announced in November 2023.”

Microsoft said at the time that it would be rolling out an array of major changes to its software engineering process aimed at improving the security of its widely used platforms.

The cloud email breach last summer was just one in a series of major security incidents for Microsoft. Since the incident came to light, Microsoft has already seen another high-profile breach that has prompted even greater scrutiny—the hack of senior executive accounts disclosed in January.

Other widely felt attacks that have exploited alleged security shortcomings in Microsoft’s technology have included the SolarWinds Orion compromise of 2020 and the massive wave of Exchange Server attacks in 2021 that exploited critical zero-day vulnerabilities.