Microsoft’s role in government email hack under cyber-inquiry scrutiny

Priya Walia


In a recent development that rattled the cyber world, Microsoft found itself in the crosshairs of a U.S. cyber inquiry after a breach of government officials’ email accounts. The planned investigation by a cybersecurity advisory panel will include an examination of the software giant’s role in the hack, which is suspected to have been carried out by Chinese hackers.

The Cyber Safety Review Board, under the Biden administration, is set to focus broadly on risks to cloud computing infrastructure, Bloomberg reported.

According to a Department of Homeland Security official, as quoted by Bloomberg, the board will delve into identity and authentication management, looking into all relevant cloud service providers.

The cyber breach gave rise to vocal criticism from lawmakers like Senator Ron Wyden, who wrote to Attorney General Merrick Garland, Federal Trade Commission Chair Lina Khan, and Director of the Cybersecurity and Infrastructure Security Agency Jen Easterly.

In his letter, Senator Wyden firmly suggested that Microsoft’s cybersecurity procedures were sloppy and required a thorough investigation.

The public scrutiny surrounding Microsoft’s cybersecurity practices isn’t new. Recently, the company has faced increasing criticism from computer security experts and government agencies who questioned the adequacy of its customer protection measures against breaches.

The email hack resonated powerfully because it occurred shortly before Secretary of State Antony Blinken’s planned trip to meet President Xi Jinping of China. The hack also used a Microsoft consumer signing key, which enabled the hackers to penetrate the networks and gain access to the officials’ emails.

In response, Microsoft committed to making 31 critical security logs accessible to licensees of the company’s lower-cost cloud services from September onwards, to help them tighten their cybersecurity measures. The company also plans to extend the retention period for security logs from 90 to 180 days.

This tale underscores the need for relentless vigilance and rigorous security protocols in our increasingly connected world. It serves as a stern reminder of how even the giants of the tech world can stumble when it comes to cybersecurity.