Microsoft Vice Chair and President Brad Smith sought to ease government scrutiny during a House hearing Thursday by acknowledging the company’s shortcomings in allowing a recent China-backed hack to take place.
As the sole witness at a House Homeland Security Committee hearing, Smith faced pointed questions from both sides of the aisle about a hack that compromised emails of organizations and individuals, including U.S. government representatives working on national security matters.
Smith, in his opening statement and in response to the House panel, doubled down on Microsoft’s acceptance of its flaws and its commitment to improve.
The hearing followed a Cyber Safety Review Board (CSRB) report released in April that found a “cascade of failures at Microsoft” allowed the breach to occur.
Smith said Microsoft has included “everything” that the review board has asked for.
“[I] came here today and we acted as a company with a real spirit, I hope you will see, of humility, of accepting responsibility, of avoiding being defensive or defiance,” Smith said.
He also encouraged Congress to help Microsoft to encourage that “spirits of responsibility” in order to improve.
“We know our adversaries will get better, so we have to get better, to,” Smith said.
Lawmakers underscored the need to hold Microsoft accountable especially given how much of the government is using Microsoft’s services, and reliant on the company to address risks.
Committee Chair Mark Green (R-Tenn.) said the U.S. “depends upon Microsoft” every day to “carry out an array of critical missions.”
“Microsoft is deeply integrated into our nation’s digital infrastructure. A presence that carried heightened respond and heightened responsibility,” he said.
Ranking Member Bennie Thompson (D-Miss.) acknowledged Microsoft’s cooperation, but said it is critical for Congress to work towards ensuring accountability.
“It is incumbent on this committee to hold Microsoft, one of the federal government most prominent IT vendors and security partners, accountable for the findings and recommendations in the report. Microsoft deserves credit for cooperating with the boards investigation but make no mistake, it’s congress’s expectation that Microsoft, or any similarly situated company would, do just the same,” Thompson said.
The heat facing Microsoft during the hearing was amplified by a ProPublica report published Thursday morning about the Russian-backed SolarWinds hack of 2020. Former Microsoft employee Andrew Harris said his warnings about a flaw that worried could especially leave the federal government at risk were dismissed, ProPublica reported.
Harris left Microsoft in August 2020, and just months later U.S. officials confirmed reports that a state-sponsored team of Russian hackers carried out SolarWinds, one of the largest U.S. cyberattacks to date, ProPublica reported.
Smith pushed back on questions about the report and said he had not had time to read it.
“This is classic, article published morning of hearing and week from now I’ll have a chance to learn about everything in it,” Smith said.
In a statement to ProPublica, Microsoft did not dispute the report’s findings and said “protecting customers is always our highest priority.”
“Our security response team takes all security issues seriously and gives every case due diligence with a thorough manual assessment, as well as cross-confirming with engineering and security partners. Our assessment of this issue received multiple reviews and was aligned with industry consensus,” the spokesperson added, according to ProPublica
During the hearing, Smith said Microsoft is going to “work harder than everyone else to earn the trust of our government and other allied governments every day.
“[We are] making the changes we need to make, learning the lessons we need to learn, holding ourselves accountable. We will be transparent. I hope people will look at what we’ve done and say this is something they want to do with us. We know we have to earn their trust every day,” Smith said.
