
Revising the Cyber Monoculture Risk – Takeaways and Considerations from the CSRB Report

Earlier this month, the Cyber Safety Review Board (CSRB) released its “scathing” report on the Summer 2023 Microsoft Exchange Online Intrusion. In July 2023, a People’s Republic of China threat actor (“Storm-0558”) compromised Microsoft’s cloud systems to gain access to the email accounts of 22 federal agencies and senior U.S. officials including Commerce Secretary Gina Raimondo and the U.S. Ambassador to China. The Board, an independent body composed of public and private experts, is tasked with investigating incidents that affect U.S. government systems. 

The CSRB has previously issued reports with technical details and recommendations regarding the Log4j vulnerability and the cyberattacks by the threat group known as “Lapsus$”. While this report also included similar details, the Board highlighted that this incident was noticeably different. Specifically, the Board concluded that the “intrusion should never have happened. Storm-0558 was able to succeed because of a cascade of security failures at Microsoft.”

The Report and the Board’s conclusions provide the United States government with an important opportunity to address the growing but well-known concerns about the monoculture vulnerability within government systems and its serious risk to U.S. national security.

To be clear, the federal government should continue to support and encourage the efforts taken by the private sector to strengthen U.S. cybersecurity. Cybersecurity is already a Sisyphean task—organizations face an uphill battle to protect against and mitigate dynamic and evolving threats in this asymmetrical cyber environment (often referred to as the “Defender’s Dilemma”). This is why responsible companies continue to rely upon a mix of technical (e.g. use of encryption and MFA) and non-technical (e.g. personnel training) measures to maintain a strong cybersecurity posture. For example, companies have begun exploring the use of AI to reverse the power imbalance facing cyber defenders and help protect public institutions.

Despite these efforts, organizations will inevitably suffer a breach, as the Board also notes. However, the criticism and concerns specific to Microsoft are not a result of the intrusion itself but an assessment of the organization’s overall security record, which, as the Board describes, reflects a “corporate culture that does not prioritize security.” The Board reached this conclusion after identifying “a series of Microsoft operational and strategic decisions that collectively point to a corporate culture that deprioritized both enterprise security investments and rigorous risk management.” Normally, a single vendor’s security failures would not be too concerning, but Microsoft’s larger role in the security of both the public and private sector compounds these concerns, as its inaction can spread to the larger digital ecosystem.

For example, the Storm-0558 intrusion was only discovered after a customer (the State Department) had detected and reported the compromise to Microsoft. The State Department was only able to detect this compromise because it had paid for the premium subscription plan that included basic security features and invaluable tools for security incident detection, investigation, and response. Notably, many other affected organizations did not pay for the premium plan, meaning they were unable to detect this compromise.

Lawmakers have previously criticized Microsoft for failing to raise the floor for their customers’ security. During a 2021 hearing about the SolarWinds intrusion, former House Homeland Security Chair Bennie Thompson (D-MS) raised concerns about “making basic security features an add-on,” and Rep. Jim Langevin (D-RI) questioned why Microsoft charges extra for service tiers that include basic security.

More recently, the intrusion by a Russian-based threat actor known as “Midnight Blizzard” (or “Cozy Bear”) revealed the same failures “to implement basic security defenses.” The threat actors were able to take advantage of a string of security failures to access corporate email accounts and then hack into federal government email accounts:

  1. A test account was given extensive permissions that were not removed after testing was complete;
  2. The account was not protected from basic password-spraying attacks; and
  3. The account was not deactivated after testing had been completed.
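The three failures listed above are all detectable from an ordinary account inventory. The following is an added audit example, not code from the original post or from Microsoft; the account fields, role names and sample records are constructed assumptions standing in for whatever an identity provider actually exports.

```python
from datetime import date

# Assumed labels for privileged roles; a real tenant would map its own role names here.
PRIVILEGED_ROLES = {"Global Admin", "Exchange Admin", "Application Admin"}

# Constructed sample inventory (not real accounts). "test_end" is the date testing was
# supposed to finish; None means the account is not a test account.
ACCOUNTS = [
    {"name": "svc-legacy-test", "purpose": "test", "roles": ["Global Admin"],
     "mfa": False, "lockout_policy": False, "enabled": True,
     "test_end": date(2023, 9, 15)},
    {"name": "qa-mailbox-test", "purpose": "test", "roles": ["Mail Reader"],
     "mfa": True, "lockout_policy": True, "enabled": False,
     "test_end": date(2023, 9, 15)},
    {"name": "alice", "purpose": "user", "roles": ["Mail Reader"],
     "mfa": True, "lockout_policy": True, "enabled": True, "test_end": None},
]

def audit_account(acct: dict, today: date) -> list[str]:
    """Return finding codes matching the three failures in the list above."""
    findings = []
    is_test = acct["purpose"] == "test"
    test_over = acct["test_end"] is not None and acct["test_end"] < today
    # 1. Test account still holds privileged roles after testing ended.
    if is_test and test_over and set(acct["roles"]) & PRIVILEGED_ROLES:
        findings.append("STALE_PRIVILEGE")
    # 2. Enabled account without both MFA and a lockout policy is exposed to
    #    password spraying: a single guessed password is enough to sign in.
    if acct["enabled"] and not (acct["mfa"] and acct["lockout_policy"]):
        findings.append("SPRAY_EXPOSED")
    # 3. Test account left enabled after its test window closed.
    if is_test and test_over and acct["enabled"]:
        findings.append("NOT_DEACTIVATED")
    return findings

def audit(accounts: list[dict], today: date) -> dict[str, list[str]]:
    """Map each account name with at least one finding to its finding codes."""
    report = {}
    for acct in accounts:
        findings = audit_account(acct, today)
        if findings:
            report[acct["name"]] = findings
    return report

if __name__ == "__main__":
    for name, codes in audit(ACCOUNTS, date(2024, 4, 15)).items():
        print(f"{name}: {', '.join(codes)}")
```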

Microsoft’s decision not to implement basic industry practices has had a significant and negative impact on the cybersecurity of the federal government and the U.S. digital economy. Lawmakers have begun exploring options to address these concerns: Sen. Ron Wyden (D-OR) recently announced legislation that would restrict the federal government from purchasing collaborative technologies that do not meet certain interoperability and cybersecurity requirements.

Although organizations do have a responsibility to protect the legacy products they sell and support, the Administration can already take actions without additional legislation that would improve its security and address these concerns. Namely, the government can use its existing procurement power to hold a vendor accountable and impose systemic change. Security can no longer be an afterthought and needs to be a priority for any vendor to the federal government.
