Microsoft president Brad Smith stood up for his company over its handling of an attack by a Chinese threat actor in 2023.
Speaking to the U.S. House Committee on Homeland Security, Smith said that the company admittedly failed when it allowed China-based hackers to access security keys resulting in the intrusion of multiple email accounts belonging to U.S. diplomats and government officials.
Smith, speaking on behalf of the software giant, fessed up to a security breakdown in the leadup to the attack in which hackers were able to exploit a race condition and seize encryption secrets that ultimately led to Microsoft 365 accounts for government officials, including Secretary of Commerce Gina Raimondo, being compromised.
Members of Congress were more than eager to take Smith to task over the incident, as representatives from both sides of the isle grilled the Microsoft exec over its failure to protect government officials from outside attackers.
Rep. Mark Green, R-Tenn., called the attack “extremely concerning” due to the relative simplicity with which the keys were extracted.
“By any means, this intrusion was not sophisticated,” said Green.
“Instead [Chinese hackers] Storm 0558 exploited basic well-known vulnerabilities that could have been avoided with basic cyber hygiene.”
Rep. Bennie Thompson, D-Miss., also took Smith to task for Microsoft’s failure to hunt down the attackers in a timely manner, noting the company’s responsibilities as a government contractor to look after its own affairs.
“It is not our fault to find the culprits,” Thompson noted.
“That is what we pay you for.”
Smith, meanwhile, sought to defend Microsoft’s handling of the matter and its operations in China. The Microsoft president noted that while the company does have certain obligations with its operations in the country, it is far from beholden to the PRC when it comes to day-to-day operations.
The Microsoft exec balked at the notion that it capitulates to the demands of the authoritarian regime, instead claiming that it has the ability to defy government orders to hand over data and credentials on demand.
“We do run some datacenters for our services for the benefit of companies that do business in China, we want their American data secrets to be used in an American cloud when they are in China,” Smith said.
“You have to be prepared to look people in the eye and say no to them. We do.”
