Microsoft President Brad Smith is set to address Congress on Thursday, openly accepting responsibility for the company's cybersecurity failings as outlined in a recent U.S. government-backed report. In his prepared testimony to the House Homeland Security Committee, Smith will concede that Microsoft "accepts responsibility for each and every one" of the issues identified, emphasizing the need for improved practices.

"We acknowledge that we can and must do better, and we apologize and express our deepest regrets to those who have been impacted," reads Smith's testimony. The committee's hearing aims to evaluate the impact of Microsoft's cybersecurity shortfalls on homeland security.

Microsoft has been implicated in two major hacking campaigns within the last year, allegedly orchestrated by Chinese and Russian state actors. An April report from the U.S. Cyber Safety Review Board criticized Microsoft for a series of "avoidable errors" that facilitated Chinese hackers' access to the tech giant's network and subsequently the email accounts of senior U.S. officials, including the Secretary of Commerce.

Smith will outline how Microsoft has been revamping its cybersecurity protocols in response to the report, incorporating several recommendations from the Cyber Safety Review Board, which is composed of government and private cybersecurity experts led by the Department of Homeland Security.

The gravity of the situation is underscored by the broader context of declining trust among lawmakers, administration officials, and regulators in Microsoft's ability to secure its products. The company disclosed last July that a China-backed hacking group had breached the email accounts of multiple organizations, including federal offices. Notably, Commerce Secretary Gina Raimondo and several State Department officials were affected. Additionally, Russian intelligence hackers accessed emails from several federal agencies following a breach of Microsoft's systems, as confirmed by the Cybersecurity and Infrastructure Security Agency earlier this year.

In light of these incidents, Microsoft has faced intense scrutiny in Washington from both lawmakers and competitors. The Cyber Safety Review Board's report deemed the Chinese espionage campaign "preventable and should never have occurred." This scrutiny has extended to the Pentagon's reported plans to upgrade its suite of Microsoft products as part of its zero-trust transition, with senators expressing significant reservations.

In response to these challenges, Microsoft has been briefing federal security leaders on its new set of security principles, known as the Secure Future Initiative. This plan includes linking executives' pay to cybersecurity improvements and prioritizing security investments over rapid product development. Smith will highlight these measures in his testimony, presenting the Secure Future Initiative as a comprehensive strategy to address the issues identified in the advisory board's report.

Smith's prepared remarks indicate that Microsoft has invited the Cybersecurity and Infrastructure Security Agency (CISA) to its headquarters for a "detailed technical briefing" on the new initiative. He asserts that the advisory board's recommendations provide valuable guidance not only for Microsoft but for all corporations facing increasingly sophisticated cyberattacks.

The congressional hearing is particularly significant given the federal government's heavy reliance on Microsoft's products. Many agencies depend on Microsoft for their operating systems, email services, cybersecurity solutions, and office software. In a letter sent Wednesday, the Software & Information Industry Association, a trade group representing software vendors, urged agency leaders to explore ways to diversify beyond Microsoft to mitigate risk.