In a scathing indictment of Microsoft corporate security and transparency, a Biden administration-appointed review board issued a report Tuesday saying “a cascade of errors” by the tech giant let state-backed Chinese cyber operators break into email accounts of senior U.S. officials including Commerce Secretary Gina Raimondo.

The Cyber Safety Review Board, created in 2021 by executive order, describes shoddy cybersecurity practices, a lax corporate culture and a lack of sincerity about the company’s knowledge of the targeted breach, which affected multiple U.S. agencies that deal with China.

It concluded that “Microsoft’s security culture was inadequate and requires an overhaul” given the company’s ubiquity and critical role in the global technology ecosystem. Microsoft products “underpin essential services that support national security, the foundations of our economy, and public health and safety.”

  • Optional@lemmy.world
    7 months ago

    If, as I think you’re saying, there was a thought that engaging with China in the free market would create more democratic-like conditions there but the US Gov’t’s involvement in the open-market of email services (Micro$oft) has had the opposite effect and possibly taught them to not hand over everything to the free market for problems exactly like this, then, yeah, that’s ironic.

    However - and this should not be glossed over - any organization be it private, state, federal, nonprofit - whatever - who doesn’t maintain their own email servers and connectivity is essentially abandoning its security posture to other companies.

    That’s standard practice of course, and one of Micro$oft’s big selling points: “we’ll handle everything, just sign here”. But of course they’re average at it, and they can’t be everywhere at once. Most people are average-to-awful at it, because computer security is amazingly complicated once you dig into any given aspect of it. Not letting Micro$oft off the hook - they absolutely made bad trade-offs and opened the government up to Chinese hackers - just that anyone who thinks you can just contract someone else to do your information security and all is well is really not making a good decision.

    We’ve outsourced everything and the stupid electronic agreements that say what the conditions are don’t mean a damned thing. What, is Micro$oft going to pay a fine equal to ten minutes of their profits?

    And here’s the point - it was always the case. We argued against signing everything over to Micro$oft for decades and here we are. It’s never been any different. No one should be surprised at all. We were always going to end up here, sooner or later.