The US Congress grilled Microsoft President Brad Smith on the company’s ties to China amid growing attacks on American infrastructure and multiple breaches by hackers linked to China.
According to a study from the Homeland Security Cyber Safety Review Board (CSRB), Microsoft made mistakes that allowed China’s Storm-0558 group to launch a cyberattack.
During a hearing into several Microsoft breaches that have raised questions about the company’s security posture, members of the House Homeland Security Committee repeatedly questioned Smith about compliance with a 2017 national security law that requires businesses operating in China to cooperate with Chinese intelligence agencies.
At the hearing, Smith stated, “We accept responsibility for every finding in the CSRB report,” adding that Microsoft has started implementing most of the study’s recommendations.
Smith assured Chairman Mark Green, R-Tenn., that China has no access to the cloud centres that Microsoft operates in China.
He claimed that the purpose of Microsoft’s cloud business in China is to guarantee that an American company operating there maintains its trade secrets in an American data centre.
One of the more perplexing aspects of the Chinese operation is that Beijing’s hackers were able to obtain a consumer signing key and use it to sign tokens that were accepted in an enterprise setting.
Mississippi Democrat Bennie Thompson expressed dissatisfaction with Microsoft’s justifications for how the stolen key could have provided the attackers with such extensive access.
According to Thompson, the ranking member of the committee, Microsoft has not provided adequate explanations for why the key remained active in 2023 and why it was compatible with both consumer and enterprise accounts.
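The two questions Thompson raises, why a key was still usable years on and why one key was accepted for both consumer and enterprise accounts, are both validation-policy checks. The following is an added illustrative example, not Microsoft’s code and not from the CSRB report: a small token verifier that binds each signing key to the issuers it may sign for and to an expiry, so a key scoped to consumer accounts is rejected for an enterprise token even when the signature itself is valid. Key names, secrets and dates are constructed, and HS256 stands in for an asymmetric signing key only to keep the block self-contained.

```python
import base64
import hashlib
import hmac
import json

# Constructed key registry (hypothetical stand-in for a signing-key store).
# Each key is bound to the issuers it may sign for and to a hard expiry.
KEYS = {
    "consumer-key-2016":   {"secret": b"consumer-secret",   "issuers": {"consumer"},   "not_after": 1500000000},
    "enterprise-key-2023": {"secret": b"enterprise-secret", "issuers": {"enterprise"}, "not_after": 2000000000},
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_token(kid: str, claims: dict) -> str:
    """Produce a compact JWT (header.payload.signature) with the named key."""
    header = {"alg": "HS256", "kid": kid}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(KEYS[kid]["secret"], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_token(token: str, expected_iss: str, now: int) -> dict:
    """Return the claims, or raise ValueError. A valid signature alone is not enough:
    the key must be unexpired and explicitly authorised for the issuer being served."""
    h, p, s = token.split(".")
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    key = KEYS.get(header.get("kid"))
    if key is None:
        raise ValueError("unknown kid")
    if now > key["not_after"]:
        raise ValueError("signing key expired and should have been rotated")
    expected_sig = hmac.new(key["secret"], f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != expected_iss:
        raise ValueError("issuer mismatch")
    if expected_iss not in key["issuers"]:
        # The scoping check: a consumer key must never validate an enterprise token.
        raise ValueError("key not authorised for this issuer")
    return claims

def check(token: str, expected_iss: str, now: int) -> str:
    """Convenience wrapper returning 'accepted' or the rejection reason."""
    try:
        verify_token(token, expected_iss, now)
        return "accepted"
    except ValueError as exc:
        return str(exc)
```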
Thompson criticised the company for its lack of transparency regarding several security issues in his opening statement, saying: “We are still unsure of how the threat actor obtained access to the signing key.”
Smith claimed that the SAML problem affected the whole industry and that Microsoft was only one victim of the SolarWinds intrusion, which was executed by experienced hackers supported by the Russian government.
We earlier reported that the Justice Department and Federal Trade Commission (FTC) have reached an agreement that permits them to move forward with investigations into the dominant positions that tech companies including OpenAI, Microsoft, and NVIDIA hold in the artificial intelligence (AI) industry.