DHS to Review Microsoft’s Security in Chinese Email Hack

The US Department of Homeland Security (DHS) has announced it will investigate Microsoft’s security practices in relation to the recent Chinese cyber-espionage campaign that enabled attackers to access the email accounts of US government officials.

Secretary of Homeland Security Alejandro N. Mayorkas said the Cyber Safety Review Board (CSRB) will analyze Microsoft’s data security during the time of the Chinese espionage campaign reported in July 2023. In this incident, threat actors forged authentication tokens using an acquired Microsoft encryption key to access customer email accounts, including those of employees from the Departments of Commerce and State, via Outlook Web Access (OWA) in Exchange Online and Outlook.com.

In addition, the CSRB will conduct a broader review of issues relating to cloud-based identity and authentication infrastructure affecting applicable cloud service providers (CSPs) and their customers.

Mayorkas said: “Organizations of all kinds are increasingly reliant on cloud computing to deliver services to the American people, which makes it imperative that we understand the vulnerabilities of that technology.”

The announcement comes around two weeks after a US Senator published an open letter demanding that the White House hold Microsoft “responsible for its negligent cybersecurity practices” in relation to the espionage campaign.

CSRB Chair and DHS Under Secretary for Policy, Rob Silvers, commented: “The Cyber Safety Review Board is designed to assess significant incidents and ecosystem vulnerabilities and make recommendations based on the lessons learned. To do this work, we bring together the best expertise from industry and government. The Board will undertake a thorough review.”

CISA Director Jen Easterly highlighted the need for a “persistent focus” on potential systemic risks in cloud environments for an effective shared responsibility model. “Organizations around the world place trust in secure identity management and authentication infrastructure to provide essential functions and protect sensitive data,” she outlined.

This approach is advocated in the White House’s National Cybersecurity Strategy, published in March 2023, which aims to place a greater responsibility for cybersecurity onto technology firms.

Once concluded, the report will be transmitted to President Joe Biden through Mayorkas and Easterly.

On August 2, the House Committee on Oversight and Accountability announced a separate investigation into the espionage incident, which will focus on China’s suspected role in the breach and the extent of the damage caused.

On August 10, the CSRB published its report on the operations of the notorious extortion-focused hacker collective, Lapsus$.