The Microsoft president is questioned by lawmakers over China ties and repeated breaches.


Brad Smith defended the company at a time of growing concern about whether the tech giant is sufficiently prioritizing security.

Microsoft President Brad Smith faced sharp questions from lawmakers Thursday over the tech giant’s presence in China at a time when his company and U.S. infrastructure are coming under increasing attack from hackers linked to Beijing.

At a hearing examining a series of breaches at Microsoft that have raised concerns about its security posture, House Homeland Security Committee members repeatedly asked about compliance with a 2017 national security law that requires companies operating in China to cooperate with Chinese intelligence agencies.

Smith said the cloud business Microsoft does in China is meant to ensure that an American company operating there keeps its trade secrets in an American data center, and he told Chairman Mark Green, R-Tenn., that China has no access to those centers.

“Every time there’s anything remotely close to a request, I always ensure we say ‘no,’” Smith testified.

Smith’s answer was criticized by Rep. Carlos Gimenez, R-Fla., in the afternoon’s most contentious exchange: “You operate in China, and you’re sitting there telling me you don’t have to comply with the laws in China?”

Smith said there are two kinds of countries in the world: “Those that apply every law they enact, and those that enact certain laws but don’t always apply them. And in this context, China, for that law, is in the second category.”

Smith said he has made clear to the Chinese government that if it wants to sue somebody, it should sue him, but Gimenez replied, “In China they don’t sue you, man. They arrest you.” Smith said Microsoft employees in China don’t have the authority to make the decisions that could lead to their arrest.

“For some reason I just don’t trust a word you’re saying to me,” Gimenez said. “You have a cozy relationship in China. … I can’t believe they’re going to say ‘yeah, OK, no problem, you don’t have to comply with our law, but everybody else does.’” 

Thursday’s hearing comes on the heels of a report by the Cyber Safety Review Board examining how Chinese hackers were able to steal a signing key and use it to steal emails belonging to senior U.S. officials. That report concluded that the breach was the result of “a cascade of security failures at Microsoft” and that the company has fostered a culture that deprioritizes security.

One of the more confounding aspects of the Chinese operation is that Beijing’s hackers were able to steal a consumer signing key and use it to validate tokens in an enterprise environment, and Democrat Bennie Thompson of Mississippi said he remains unsatisfied with Microsoft’s explanations for why the stolen key was able to give the hackers such broad access.

In an opening statement, Thompson, the committee’s ranking member, said Microsoft’s explanations of why the key was still active in 2023 and why it worked for both consumer and enterprise accounts have not been adequate. He faulted the company for its lack of transparency over a number of security problems. To this day it is still not known how the threat actor accessed the signing key.

Smith was questioned by numerous lawmakers over a ProPublica story published Thursday that featured allegations from a whistleblower that Microsoft failed to address a known security issue — known as the Golden SAML vulnerability — which was later exploited by Russian hackers in the SolarWinds breach.

Smith said he hadn’t read the article yet and largely avoided answering questions regarding the article. “A week from now, I’ll bet we can pull together information and have a much more informed conversation about this, and I would welcome that opportunity,” Smith told Rep. Delia Ramirez, D-Ill.

Smith said Microsoft was only one victim of the SolarWinds breach, which was carried out by sophisticated hackers backed by the Russian government, and that the SAML issue was an industry-wide one.

Smith said the federal government needs to specify “red lines” in cyberspace that foreign nation-backed hackers cannot cross and how the government would respond when they do. The government also needs to share information about threats more efficiently, Smith said.

Despite intrusions affecting government agencies, Smith said his company should still be a go-to for government clients.

“We are going to work harder than anybody else to earn the trust of our government and other allied governments every day, and we are making the changes that we need to make,” Smith told Rep. Anthony D’Esposito, R-N.Y.

Microsoft has recently announced a number of changes to how it approaches security, including prioritizing it in product development and tying employee pay to security metrics.

Rep. Seth Magaziner, D-R.I., questioned whether those changes would deliver significant security gains, noting that cyber mistakes sometimes aren’t discovered until later. He said Microsoft should consider a way to retroactively “claw back” some pay.

Smith said he couldn’t say with certainty, either, how much of the total compensation package for senior executives would be tied to the individual performance element. “More than enough to get people’s attention, for sure,” he said.

Magaziner welcomed the idea but argued that the effectiveness of such a policy lies in the details. “The individual performance element sounds good, but it depends on how big the individual element is as a part of the whole,” Magaziner said. “If it’s 10% of the total compensation package, cyber would only be 3% of the total package and would potentially count less toward the total than revenue targets or profitability targets.”
