US Cyber Safety Review Board on the 2023 Microsoft Exchange Hack

The US Cyber Safety Review Board released a report on the summer 2023 hack of Microsoft Exchange by China. It was a serious attack by the Chinese government that accessed the emails of senior US government officials.

From the executive summary:

The Board finds that this intrusion was preventable and should never have occurred. The Board also concludes that Microsoft’s security culture was inadequate and requires an overhaul, particularly in light of the company’s centrality in the technology ecosystem and the level of trust customers place in the company to protect their data and operations. The Board reaches this conclusion based on:

  1. the cascade of Microsoft’s avoidable errors that allowed this intrusion to succeed;
  2. Microsoft’s failure to detect the compromise of its cryptographic crown jewels on its own, relying instead on a customer to reach out to identify anomalies the customer had observed;
  3. the Board’s assessment of security practices at other cloud service providers, which maintained security controls that Microsoft did not;
  4. Microsoft’s failure to detect a compromise of an employee’s laptop from a recently acquired company prior to allowing it to connect to Microsoft’s corporate network in 2021;
  5. Microsoft’s decision not to correct, in a timely manner, its inaccurate public statements about this incident, including a corporate statement that Microsoft believed it had determined the likely root cause of the intrusion when in fact, it still has not; even though Microsoft acknowledged to the Board in November 2023 that its September 6, 2023 blog post about the root cause was inaccurate, it did not update that post until March 12, 2024, as the Board was concluding its review and only after the Board’s repeated questioning about Microsoft’s plans to issue a correction;
  6. the Board’s observation of a separate incident, disclosed by Microsoft in January 2024, the investigation of which was not in the purview of the Board’s review, which revealed a compromise that allowed a different nation-state actor to access highly-sensitive Microsoft corporate email accounts, source code repositories, and internal systems; and
  7. how Microsoft’s ubiquitous and critical products, which underpin essential services that support national security, the foundations of our economy, and public health and safety, require the company to demonstrate the highest standards of security, accountability, and transparency.

The report includes a bunch of recommendations. It’s worth reading in its entirety.

The board was established in early 2022, modeled in spirit after the National Transportation Safety Board. This is their third report.

Here are a few news articles.

EDITED TO ADD (4/15): Adam Shostack has some good commentary.

Posted on April 9, 2024 at 9:56 AM

Comments

Clive Robinson April 9, 2024 11:45 AM

@ Bruce, ALL,

Re : In spirit is not the same.

“The board was established in early 2022, modeled in spirit after the National Transportation Safety Board.”

The US “National Transportation Safety Board” (NTSB), although it does not have regulatory powers, does have powers to actually protect people and uses them from time to time. It appears the “Cyber Safety Review Board” (CSRB) either does not, or has not chosen to use them.

Surprising to many NTSB investigations can be lengthy (the last time I looked they were still investigating 9/11). In a fast moving industry such as ICT lengthy investigations will be of little practical use if the investigation time is in multiples of the product life time.

Thus we need to decide on more effective ways to protect people effectively and in a timely way.

How to go about this is a bit of an open question. But based on the debacle that is Boeing currently I would say there are some lessons to be learnt from it. Not least of which is separation from the industry… Because “revolving door employment” rarely benefits those outside the industry in the short term and history shows does not benefit most people in the long term. Then of course is the legislator / lobbyist issues which can be seen to have been at work through the NTSB history.

But significantly even though told by the Rand Corp a quarter of a century ago –with evidence implicating Boeing– of the dangers of the “party system” the NTSB still uses it.

Rand had in fact found quite visible conflicts of interest inherent in the “party system”, and concluded in “administrative speak” that it,

“may, in some instances, threaten the integrity of the NTSB investigative process”

Both the NTSB and CSRB actually need some “longer teeth” to effectively deal with the respective industries in a timely manner.

Morley April 9, 2024 12:12 PM

Reminds me of web tech in the 90s-00s. Corporate culture is a disease we don’t learn to treat. Sigh.

Jim April 9, 2024 2:34 PM

The board’s recommendations to cloud providers are sorely lacking. They basically recommend what they should have already been doing since computers were interconnected. Capturing activity in audit logs, really? How about advanced analytics, even AI applied to the logged data to filter anomalies? And where was the government’s responsibility to actually review the Exchange logs that existed?

“We need a report to make them look bad and us look smart.”

B April 9, 2024 5:50 PM

Anybody actually surprised by all this?

Companies have long since figured out that it’s cheaper to be hacked than to keep the hackers out, especially when the costs are borne externally & the company lawyers have click-through licenses shielding the company from any liability.

Try suing Microsoft. See what happens.

You can’t log into your computer without agreeing to countless pages of legalese, in the primary and secondary and tertiary and so forth linked web of documents. Documents which can be changed at any time, and it’s your responsibility to discover the changes you’ve automatically agreed to by using your computer.

Sheesh.

echo April 9, 2024 6:05 PM

how Microsoft’s ubiquitous and critical products, which underpin essential services that support national security, the foundations of our economy, and public health and safety, require the company to demonstrate the highest standards of security, accountability, and transparency.

Oh where to begin… I’ve seen it all before with other domains. Like a lot of these things it boils down to privilege, status, and ego. Not my problem. I don’t use Microsoft stuff and, yes, this is one of the reasons why not. If you have the same old lags commissioning or designing new solutions to old problems as a way out of the mess you just replicate the failure. I’ve seen that before too. There’s something to be said for getting motivated people in who know what they are doing and starting again assuming Microsoft doesn’t sabotage them. And, yes, I’ve seen that before too.

Of course the UK hasn’t had strategic government for 50 years plus so blew up its own IT industry and pretty much everything else too and has turned into a depressing hellhole so no solutions from there.

If I lived my life again I’d never go anywhere near computing. In fact I’d put computing in the top three of the worst mistakes I ever made in life. I’d rather do pottery.

Loft April 9, 2024 10:58 PM

so the government ‘Cyber Safety Review Board’ asks MICROSOFT “What the hell Happened?”, since MICROSOFT is the only one with the basic forensic data and already conducted its own intense internal investigation

these federal bureaucrats then publish an ‘OFFICIAL REPORT’ rehashing the MICROSOFT response … pretending they did the critical investigative work

so no value-added from these indispensable government bureaucrats

Note also that the Federal Government itself has a terrible record of cybersecurity with many major breaches — so this Board should focus first upon their own Federal mess

MJ April 9, 2024 11:24 PM

I think what some are forgetting is the US Government has a lot of power here. They spend millions (Billions?) of dollars annually with Microsoft. That gives them power if they want to use it. You want us to buy, you fix this sh**t.

echo April 10, 2024 4:58 AM

@MJ

Standards bodies and Europe need to step up. Microsoft has long been a drain on Europe. The European economy is the same size as the US. Money spent at home is worth more than money spent abroad. More leverage too.

I’m not being nationalistic. If the US wants to market itself as the big boss it needs to make an effort and indulge in some give and take or have a middle-aged divorce experience. Fair’s fair.

Wannabe Techguy April 10, 2024 8:11 AM

@Loft
I had similar thoughts while reading this.
I don’t have much use for M.S. or the Feds.
and always laugh when the Feds make statements from on high.

lurker April 10, 2024 2:47 PM

@MJ, ALL

With over forty years of festering, do you really think MS is now capable of fixing it?

While abandoning MS to its own version of Hades might be a consummation devoutly to be desired, the US Govt has too much skin in the game. You or I might be able to switch tomorrow from MSWindows™ to OpenBSD+xfce and spend a week or ten sorting out apps to handle all those legacy file formats. But a stroke of the pen in the Oval Office would turn to wailing and gnashing of teeth out on the prairies. MS is so ingrained in the machinery of government it must be kept going. The cure will strike fear into the hearts of blueblooded Americans: the govt will have to take over MS to fix it. Breaking it up and selling off the parts won’t fix it because the rest of the industry is also so dependent it is contaminated.

thirteenth colonial breadth April 10, 2024 9:08 PM

I remember when German leadership went public with a statement that MS winDOwS is basically “malware” to them. That really got my attention too.

Thanks for the article.
Linux, heiwa; look alive!

Clive Robinson April 11, 2024 7:54 AM

@ lurker, MJ, ALL,

Re : Can we fix it?

“With over forty years of festering, do you really think MS is now capable of fixing it?”

The two questions to ask first are,

1, Is anyone capable of fixing it?
2, Does anyone of position want to fix it?

Whilst the answer to the first is a very guarded “maybe”… The answer to the second is almost certainly “no”.

That is, Microsoft are shielded by those of position from the consequences of their incorrect and harmful choices and actions.

This is not something isolated to the ICT industry, it’s also rampant in the construction industry especially in the US.

It is the visible effects to “quick and dirty solutions”. Solutions that are incorrectly seen as “innovative and profitable”.

Whilst in the very short term there is some innovation, thus short term profit, in general it is not of solid foundation, thus it fails quickly and it fails harmfully.

So in the long term it’s a disaster. So why does Microsoft et al not go out of business due to the costs to reputation and “making good”?

Well the answer is “for innovation” previous legislators did not ensure that Microsoft et al picked up the cost of “making good”, as is usually insisted upon and backed up by legislation to protect “consumers and customers”.

It’s time we made Microsoft et al pick up the costs their deficient and knowingly negligent workmanship has produced.

The question is of course the very problematic “How?”

As has been oft noted in many ways,

“Actions have consequences”

That is for every cause there is a whole list of effects. And even the most carefully thought out actions fall prey to,

“The law of unintended consequences”

In the effects.

So either we do nothing or accept the effects of the unintended consequences… At the moment we are effectively “scared into inaction” by people dreaming up scare stories via whataboutism.

The problem with this is the real problems build until a veritable tsunami of harm is built up. Then at some point we cross over a tipping point and the industry players become,

“Too big to fail”

Now I do not know if we have crossed that tipping point or not, but I do know it can only be crossed if we complacently let it happen…

Clive Robinson April 11, 2024 11:51 AM

@ lurker, MJ, ALL,

Re : Can we fix it?

One of those cases of “synchronicity” has happened on the blog again…

I answer a poster’s comments and just a little while later our host @Bruce posts a thread very related to it…

In this case,

https://www.schneier.com/blog/archives/2024/04/backdoor-in-xz-utils-that-almost-happened.html

The same thread also has a lot of commonality to a reply to @Winter.

It’s almost as if this is becoming a habit 😉

The reality I suspect is what is “bubbling up” at the time in the ICTsec news and community.
