Eric Geller
Jun 13, 163 tweets
The House Homeland Security Committee is beginning its hearing with Microsoft President @BradSmi about the company's "cascade of security failures":

Background reading for those catching up: homeland.house.gov/hearing/a-casc…
dhs.gov/news/2024/04/0…
Chair Mark Green calls the CSRB report's findings "extremely concerning."

"It falls to this committee to do the due diligence and determine just where Microsoft sits and how it's taken this report to heart."
Green: "We want to give the company we put so much faith in as a government the opportunity to discuss the lessons learned, the actions taken, and, of course, to share where they feel the report could have been wrong."
Green: "The U.S. government would never expect a private company to work alone in protecting itself against a nation-state actor. … However, we do expect government vendors to implement basic cybersecurity practices."
Green: "We must restore the trust of the American people who depend on Microsoft products every day. We must also address broader questions regarding the mitigation of economic and national security risks."
Green says there are three bigger themes to keep in mind.

"First, closing the cyber workforce gap — my top priority for the committee this year. The security challenges we face as a nation are compounded by the persistent shortage of cybersecurity professionals."
"Our cyber professionals must be trained to think security first," Green says. "We must equip them with the right skills to protect our networks and to build our systems security."
Second, Green says, "We need to define the roles of public and private sector entities in protecting our networks against nation-state actors. ... These attacks have become increasingly common, rather than anomalies. We need clearly defined responsibilities..."
Third, "We must address a fundamental issue: the economic incentives that drive cybersecurity investments. … It's about creating an environment where the costs of neglecting cybersecurity are outweighed by the potential benefits of comprehensive security measures."
Green: "While I commend Microsoft for announcing steps to reform its security practices, I want to hear today what Microsoft's follow-through has been on those commitments."
Green: "One of my biggest concerns is Microsoft's presence in China, our nation's primary strategic adversary and the regime responsible for the hack we're discussing today."
Green warns committee members not to ask questions that could give adversaries a blueprint for future attacks and to respect Smith saying answering a question would require a closed briefing.

"China and Russia, Beijing and Moscow, are watching us right now," he says.
Ranking member Bennie Thompson: "At the outset, I want to be clear: this is not a ‘got-you’ hearing. It's not the committee's goal to shame, embarrass, or discredit the witness, Microsoft, or any other entity mentioned in the CSRB report."
Thompson: "It is incumbent on this committee to hold Microsoft, one of the federal government's most prominent IT vendors and security partners, accountable for the findings and recommendations in the report."
Thompson: "Microsoft deserves credit for cooperating with the board's investigation, but make no mistake, it's Congress's expectation that Microsoft or any similarly situated company would do just the same."
Thompson: "Any company with such a significant footprint in our federal networks has an obligation to cooperate with a government review of how a Chinese threat actor accessed sensitive information by exploiting vulnerabilities in one of their products."
Re: China targeting cloud identity systems since Operation Aurora in 2009, Thompson says, "For over a decade, every technology provider in the world has been on notice and should have stepped up their approach to securing identity and authentication accordingly."
Re: the stolen signing key, Thompson says, "Microsoft's explanations about why the key was still active in 2023 and why it worked for both consumer and enterprise accounts have not been competent."
"To this day," Thompson notes, "we still do not know how the threat actor accessed the signing key."
Thompson mentions reading this article this morning and compares its reporting to Microsoft's inaccurate comments about its role in the SolarWinds campaign.

"Transparency is a foundation of trust, and Microsoft needs to be more transparent."

Thompson notes that Microsoft rolled out Recall, widely considered a cybersecurity and privacy nightmare, the same month that it touted an expansion of its Secure Future Initiative.
"I’ve been warned that the committee’s oversight of this incident will chill private-sector cooperation with the [CSRB] in the future," Thompson says. "That cannot and should not be the case."
‼️ Thompson: "I want to put future subjects of CSRB investigations on notice: This committee will not tolerate refusals to cooperate with legitimate investigations undertaken by the board, particularly when federal networks are involved."
Thompson: "Any effort to obstruct CSRB investigations into cyber incidents would invite significant scrutiny by this committee and would certainly force expedited consideration of proposals to grant CSRB greater investigatory powers."
.@BradSmi takes the truth-in-testimony oath.
Smith begins his testimony.

"As you can imagine, as I listened to the two of you just now, it wasn't how I hoped I might spend an afternoon in June when the year began."
"We accept responsibility for each and every finding in the CSRB report," Smith says.
Smith: "When I sat down with [CEO] Satya Nadella ... we both resolved immediately that we would react without defensiveness, without equivocation, and without hesitation, and we would instead use this report to make Microsoft and the cybersecurity protection of this country better."
Smith says he often tells Microsoft employees, "No one ever died of humility. Use the mistakes you make so you can learn from them and get better."
"Of course, that only works if you actually use what you learn, and you do get better," Smith says.
Smith is testifying without notes, true to form. Here's how the ProPublica story describes his prior testimony.
Smith says Microsoft's board just approved two important changes: tying senior executives' annual bonuses to cybersecurity and making cyber part of every employee's biannual review.
Smith: "If we improve Microsoft alone, that won't be enough. We're dealing with four formidable foes in China, Russia, North Korea, Iran, and they're getting better. They're getting more aggressive. We should all expect them to work together."
Green: How deep into senior leadership does the compensation change go?

Smith: 16 most senior people at the company, including me and the CEO.
"With the new fiscal year, which starts July 1, one-third of the individual-performance element of our bonus will be about one thing and one thing only: cybersecurity."

So that's one-third of ... an unquantified portion.
Smith on making cyber a part of every performance review: "It gives every employee at Microsoft the opportunity to think, ‘What have I done? What could I do? How am I doing?’ and then be rewarded at the end of the year based on that."
Green asks about Microsoft's involvement in China and what data the company has to share with the Chinese government.

Smith says Beijing has no access to MSFT customers' China-stored data.
"If you're an American automobile company, an aircraft company, a pharmaceutical company, a coffee company, you need to use the cloud when you're in China," Smith says. "We want their American trade secrets to be stored in an American data center in China."
Green: What are you doing to prevent China from using that data center as a way into your systems?

Smith: "It involves having very direct understanding, yourself, of what your guardrails are, what your limits are, what you can do, and what you won't do."
Smith, cont'd: "You have to know your own mind. We do. Second, you've got to be prepared to look people in the eye and say no to them, and that's something I do myself."
Smith says he caught heat on his last visit to Beijing for Microsoft's comments about Chinese attacks on U.S. critical infrastructure.

"I said there are lines that we don't believe government should cross. We're going to be principled and we're going to be public."
Thompson, entering the ProPublica story into the record, asks if Microsoft has an employee ombudsperson to handle complaints about its security culture.

Smith: We’ve newly empowered our CISO. "So I would hope that that would address part of what you're referring to."
Smith: We’re also trying to learn from companies like Toyota in terms of Total Quality Management. "The basic process was to empower every employee to focus on continuous improvement & speak up. And that's what we're trying to do — empower every employee to be able to speak up."
Thompson: Why did the State Department detect the latest Russian intrusion before Microsoft did?

Smith: "First of all, you ought to give those folks a medal. In all seriousness, that is fantastic. That is real innovation and great professionalism at work."
Smith: "We're all going to see different things. And so when somebody else sees it, we should applaud and say, ‘Thank you,' not say, ‘Oh, I wish I had found it instead.’"
Thompson: "Because you are such a big customer of the government, we rely heavily on your product, and it's not our job to find the culprits. That's what we're paying you for. So don't switch that."

Smith: "I'm not switching it at all. I appreciate what you're saying, for sure."
Clay Higgins: "The American people, myself included — we have some issues with what has happened and how it happened and what has transpired since, and yet, there's no 'Plan B.'"

Seems to be saying there's no alternative to Microsoft.
Higgins: Why didn’t Microsoft quickly update its blog post to correct inaccurate info about China’s Exchange hacking campaign?

Smith: "I appreciate the question. It's one that I asked our team when I read the CSRB report. It's the part of the report that surprised me the most."
Smith: "We had five versions of that blog ... And when I asked the team, they said the specific thing that had changed — namely, a theory, a hypothesis, about the cause of the intrusion — changed over time, but it didn't change in a way that [customers] could apply.”
Higgins: "That answer does not encourage trust. And regular Americans listening are going to have to [roll] the tape back — on a Microsoft [machine] — and listen to what you said again."
Higgins: "You're Microsoft. You had a major thing happen, and the means by which you communicate with your customers was not updated for six months."
Higgins: Why did you say, on a trip to China, that Microsoft was committed to helping Beijing achieve technological advancements?

Smith: "That was not my statement. I chose my words more carefully. That was the statement ... by an official of the Chinese government."
Eric Swalwell: Are you aware of any as-yet-undisclosed but internally reported vulnerabilities in Microsoft products that would affect government systems?

Smith: "I'm not, sitting here today, aware of anything that fits your description."
Swalwell: What would you do differently today with updating blog posts on an attack?

Smith: "We updated that particular blog four times. It was at least one time too few. We should have updated it again. ... The lesson learned is ... it's hard to over-communicate."
Swalwell asks Smith about ransomware risks. Smith clearly came prepared — he starts talking about a recent ransomware attack in Thompson's district in Mississippi.
Smith: "This is a scourge. And the number one vulnerability right now — and it's just, I think, so disconcerting — is that ransomware operators are focused on hospitals, rural hospitals."
Smith: "We have to find a way, as a country, to create a deterrent reaction. Because right now, it's open season on the most vulnerable people in our country, and we have to find a way to change that."
Carlos Gimenez holds up his phone to show Smith that he's using AI to fetch a summary of China's 2017 National Intelligence Law, opening a line of questioning about the risks of Microsoft operating in China.
Gimenez: Do you comply with China’s 2017 National Intelligence Law?

Smith: No.

Gimenez: How do you get away with that? Do you have a waiver?

Smith: No. But China doesn’t always enforce that law.
Gimenez: I sit on the China committee, and we've been told that every company has to comply. You're saying you don't?

Smith: "I will tell you that there are days when questions are put to Microsoft, and they come across my desk, and I say no. We will not do certain things."
Gimenez: But your Chinese employees are at risk for Microsoft’s violations of that law.

Smith: “I always make sure that it's clear to the Chinese government that, if the Chinese government wants to sue somebody, they need to sue me.”
Gimenez: “It's not about suing. In China, they don't sue you, man. They arrest you.”

Smith: “We make clear that there's no point in arresting people who have no authority to do these things.”
Gimenez: “Your employees in China are subject to Chinese law.”

Smith: “But they don't have the ability to make these decisions. We've taken that out of their hands.”

Gimenez: “I'm sorry. I just — for some reason, I just don't trust what you're saying to me.”
Gimenez: “For 1% of your income, is it really worth it to be in Communist China, especially when you have such a law that says you have to comply with their intelligence agencies and the PLA?”
Lou Correa: What do I tell my constituents about how easy Microsoft made it for China to hack in?

Smith doesn't directly answer, except to say that Microsoft sees its customers attacked all day every day.
Correa: How can the government help you do your job better?

Smith: More federal investment in cybersecurity jobs training and more federal aid to help critical infrastructure organizations upgrade their technology.
Smith: “The last comment made with our board of directors yesterday was by the senior engineer leading what we call the Secure Future Initiative, and her last words to our board were, ‘We want you to know, our engineers are energized by this.’”
Correa: “Are you going to strengthen up? Are you going to do a better job over there?”

Smith: “Absolutely. … I would hope that you would share with your constituents: We never take their trust for granted.”
August Pfluger: How can the government help you?

Smith: CISA is “a critical agency.” The CSRB “plays an important part in this.” “We would benefit from finding more ways to keep working together” across industry, USG, and allies. “Nobody can do it by themselves."
Smith nods at Microsoft's eager competitors.

“Somebody said there's no Plan B. I think about two-thirds of the folks who are sitting behind me in this room are trying to sell Plan B to you in one way or another. And that's okay. But there's a higher calling here as well.”
Smith: "When shots are being fired, people ... take their turn being the patient in the back of the ambulance. Everybody else — you're either going to be an ambulance driver or you're going to be an ambulance chaser. Let's be together."
Pfluger: What are the biggest gaps in how our national security agencies defend themselves?

Smith: Agencies keep info in silos and it doesn't get shared fast enough. "There's a lot of work being done to address this, but ... that needs to be advanced more quickly."
Troy Carter: Talk about your new cyber aid program for rural hospitals.

Smith: We’re “giving them security tools at the lowest possible price” — sometimes 75% off, sometimes free for a year. Also helping them implement security tools & use tech to address staffing shortages.
Carter: Why did it take so long to make log data free?

Smith: "I wish we had moved faster and had gone farther. I think there was a focus on the real costs associated with keeping and retaining logs..."
Smith: "...but we should have recognized sooner — especially as the threat landscape changed — that we would be best served — I think as we are now — by not just retaining but providing these logs for free."
Carter: Would you agree that it’s as important for Microsoft's customers to have these logs as it is for Microsoft to have them?

Smith: "Yes."
Marjorie Taylor Greene: Is it true that Microsoft is not represented on the CSRB?

Smith: Yes.

MTG: Are any of your competitors on the board?

Smith: “Yes, they are.”
Whoa: Smith says "I think it's probably a mistake to put on the board people who work for competitors of, say, a company that is the subject of a review."
Smith: "The spirit of [the CSRB] ... was to create a community of people who could learn together. … I just worry [about] where people want to take it in the future and just make hay out of others’ mistakes, and I'm just not sure that's going to do us that much good."
MTG: Did the CSRB tell Microsoft what their competitors said about their own security practices?

Smith: "I don't believe so. I don't know. I don't believe so. I could be wrong, but I don't believe so."
Smith: “The words that I would offer — and I'll offer it to the folks in the back who work for our competitors, because there's a bunch of them here — it's fine. Go tell people that you have something better. But we have to have a higher cause here."
Smith: "We are not the adversaries with each other. The adversaries are our foreign foes."
👀 Smith: "Let's try to exercise a little self-restraint about how we work in these processes, because I don't think that the next company that gets an invitation from the CSRB is likely to be necessarily as willing to share everything [as we were]."
MTG's questioning has been the most useful so far, in that it's gotten Smith to say something interesting and unexpected.

But as she ends, she tells Smith that she was interested in the CSRB's functioning because of its connection to CISA, which she says censored conservatives.
Shri Thanedar asks Smith to elaborate on the Secure Future Initiative.

"It's a multifaceted effort," Smith says. "The more time I spend with my colleagues, the more encouraged I am."
Smith: "Fundamentally, it's about taking security and making it part of the engineering process and every process. Treat it like quality. And the cultural change — and several of you have commented about this — I just think it's so important."
Smith: "We want a culture that encourages every employee to look for problems, find problems, report problems, help fix problems, and then learn from the problems. That's what we need to do. And we need to do this in a way that doesn't put security in its own silo."
Tony Gonzales: How do you regain the trust of people at DoD and other agencies that don't trust Teams?

Smith: "I feel comfortable talking with the DoD or others on Teams. I want them to feel comfortable, and I want them to know that we are not stopping where we are."
Gonzales: How will you ensure that your security efforts keep your tools user-friendly and accessible?

Smith: We want software to be "not only effective, but easy for people to use and easy for people to know what is happening. So we're focused on all of those things."
Seth Magaziner, having been handed a note, follows up on Smith's conversation with MTG: “Microsoft's competitors were recused from the findings, the final report, and the recommendations of the CSRB’s Microsoft investigation.”
Magaziner brings up Smith telling Senate Intel that Microsoft first learned about the SAML token issue in 2017. A new ProPublica story revealed that a MSFT employee had discovered it a year earlier. So was Smith's testimony incorrect?

Smith: I haven’t read the article yet.
Magaziner: How much of the total compensation package for senior executives does the individual performance element account for?

Smith: It depends on the person and the year.

Magaziner: Ballpark?

Smith: I don’t know.
Magaziner: Is this portion of compensation provided as stock or something that can be clawed back?

Smith: TBD.
Magaziner: Have you considered tying product managers’ compensation to cybersecurity goals?

Smith: Yes, through the change we made to performance reviews.
Magaziner: But what about a direct connection to the compensation structure?

Smith: "It won't be as formulaic," but "everybody knows" that compensation is based on those reviews.
Magaziner: “I do believe it is a positive and good example that we are integrating cyber into compensation packages. I want to make sure that we're doing it in a way that is really going to be impactful.”
Andrew Garbarino: What do you expect from future corporate cooperation with CSRB requests for information?

Smith: I hope people will remember that we gave CSRB everything it asked for and that "I came here today — and we acted as a company — with a real spirit … of humility."
Garbarino asks Smith about secure-by-design, saying his House Homeland cyber subcommittee will probably hold a hearing on the topic soon.
Smith: We’re trying to make security a part of everyone’s job. That requires “constant role-modeling and practice.”
Smith: “Some of you have asked about this Recall feature. I think it's a great lesson. I mean, we're trying to apply it as a lesson learned. So if somebody's creating the Recall feature, they need to think about the security aspects of the Recall feature.”
Glenn Ivey asks about combating AI deepfakes.

Smith says tech companies should create guardrails, use AI to detect AI, and have processes to quickly delete content.
Ivey: What about for young and vulnerable people? What’s available to help them fight these things?

Smith: “Probably not as much as we need.”
Smith: "Let me take it back and let me ask our folks, what could we create for more people that would empower them to do what every candidate can now do — namely, report a deepfake about themselves?"
Ivey: Is there a good process in place to coordinate responses to election mis/disinformation?

Smith: We’re working with @NASSorg and @NASEDorg so they can protect their infrastructure and be prepared to educate voters about deepfakes.
Mike Ezell asks about AI's impact on cyberattacks.

Smith says we will see adversaries try to use AI for more sophisticated attacks, but AI is also already helping with defense.
Ezell urges Microsoft to build connections with local law enforcement who need help investigating AI deepfakes that can ruin children's lives.

Smith: "Yes, we will, and you're right."
Delia Ramirez asks Smith about Microsoft's delay in addressing the SAML token issue. She notes that Smith told Correa that Microsoft addresses vulnerabilities immediately. She asks what his definition of "immediately" is.

Smith: "It’s ‘right away.’"
Smith goes after ProPublica:

"This is the classic, 'Let's have an article published the morning of a hearing so we can talk about it, then by a week from now, I'll actually have a chance to go back and learn about everything in it.'"
Smith again deflects (and, some would say, obfuscates) re: SolarWinds: “That SolarWinds intrusion was by the Russian government into a SolarWinds Orion product, not a Microsoft product.”
Ramirez: How would that Microsoft employee’s concerns have been addressed today?

Smith: It would be “woven into our engineering processes … and … people will be evaluated based on how they did.”
Smith on SAML and the ProPublica story: "A week from now, I'll bet we can pull together information and have a much more informed conversation about this, and I would welcome that opportunity."
Ramirez: How do you ensure that your software bundling practices don’t limit your customers’ security practices?

Smith: "I'm not aware of any so-called ‘bundling practices’ that limit what our customers can do in terms of cybersecurity protection."
Smith says there is a "robust" market for managed security services and that Microsoft only accounts for "about 3% of the federal IT budget."

"What that tells you is that there's 97% that's being spent elsewhere."
For my money, I think Ramirez is in the top five for most useful round of questions so far, especially on how Microsoft will handle employee security warnings now and how Microsoft's bundling policies affect customer security.
Anthony D'Esposito asks about discovery of the Storm-0558 intrusion.

Smith says State Dept found it first. “I remember, 7:30 in the morning, I was notified about this on a Saturday morning, and I was on the phone with Satya Nadella, our CEO, probably within 30 to 60 minutes.”
D'Esposito: Do you wish you'd found it first?

Smith: You always want to be first to find something like that, but I just want to celebrate that we're all collaborating.
D'Esposito: Are you confident that Microsoft can quickly detect and respond to the next intrusion?

Smith: “I feel very confident that we have the strongest threat detection system that you're going to find in quite possibly any organization, private or public."
Smith: "I feel very good about what we have, and I feel very comfortable about what we're building."
D'Esposito: Do you know how big your government contracts are?

Smith: “The U.S. government has many choices when it comes to cybersecurity services, and I think it takes advantage of them, and we're one of them. I don't, frankly, know how we compare to some of the others.”
Why should the government buy from Microsoft?

Smith: “Because we are going to work harder than anybody else to earn the trust of our government and other allied governments every day, and we are making the changes that we need to make."
Smith: "We are learning the lessons that need to be learned. We're holding ourselves accountable. We will be transparent, and I hope that people will then look at what we've done [and] say this is something that they want to do with us. But I know we have to earn their trust."
Rob Menendez: Does your CEO’s recent memo telling employees to prioritize security indicate that Microsoft had drifted away from that mantra since Bill Gates first ordered it in 2002?

Smith: No.
Smith says that, as Microsoft hired more and more cybersecurity employees, "it became possible for people who were not in the cybersecurity teams to think that they could rely on those people alone to do a job that we all needed to do together."
^ This is the official Microsoft diagnosis of its problem: Its product designers trusted The Cyber People to fix problems they might be unintentionally leaving in products, rather than trying to avoid leaving those problems there in the first place.
Menendez: Who decides when and how to escalate concerns that are voiced?

Smith: “I would have to go get the precise answer to that … We need to create an environment where bad news travels fast. That’s what we aspire to do.”
Menendez: “Does Microsoft plan to make significant changes to the architecture of its core digital identity systems?”

Smith: Yes.
Laurel Lee: You say you're prioritizing security over product development. What will that look like in practice?

Smith: "We have reallocated resources, we’ve moved people, we've told them to reprioritize."
Smith: "By definition, that means that other things may have slowed down or stopped so this can speed up, and that's the right thing to do."
Lee: Has this affected your revenue projections?

Smith: “So far, I’m not aware of it changing any of our revenue projections.”
Smith says he was recently in Stockholm meeting with government and corporate customers.

"They asked a lot of tough questions, as you all are. Bad news for the folks who want to sell Plan B — they don't want to switch. They want us to get it right."
Lee: What’s the status of Recall? How are you warning users of potential risks from using it?

Smith: “This product hasn't yet been launched. The feature hasn't yet been finished. And we've had a process to share information and take lots of feedback.”
Smith says Recall data stays on a user's computer and is encrypted.

"We're trying to take a very comprehensive approach to addressing all of the security and privacy issues."
Lee: How are you improving victim notifications?

Smith: We can easily warn large enterprises, but ordinary consumers don’t always believe that it’s really Microsoft emailing them. The CSRB recommended a cyber version of an AMBER Alert.
Tom Suozzi: What % of Microsoft’s business comes from govts?

Smith: “If I had to guess, it's less than 10% globally.”
Suozzi: What % of that is USG?

Smith: “Not that much. We love the federal government. It is a big customer, it's one of our biggest, and it's the one that we're most devoted to. But it’s not a big source of our revenue.”
Morgan Luttrell: Is there a way to flat-out prevent major breaches like this?

Smith: “This is probably, for the time being and until the geopolitical environment in the world changes, a bit of a forever war in cyberspace, with constant combat.”
Smith: “At Microsoft, I...believe that, say, five years from now, we're going to have production systems, engineering systems, networking, identity systems that make it extraordinarily difficult and just beyond the economic reach..."
Smith: "...of our most sophisticated and well-resourced adversaries to attack and breach."
Luttrell: Does that involve moving to the cloud?

Smith: I think it does.
Smith: “Let's say we do every single thing that the CSRB has recommended — because that's what we are going to do. It won't be enough, because two years from now, our adversaries will have done more.”
Smith: “What we need to create is a process where we collectively always learn from what is happening [and] we do a better job of anticipating and predicting."
Smith: "I do think that AI will be one of the great game-changers, and we need to ensure that AI benefits the United States and our allies and the defense of people at a faster rate than it can be used by our foes to attack them.”
Robert Garcia: Does Microsoft support the CSRB’s recommendation of some kind of AMBER Alert system to warn people of widespread breaches?

Smith: Yes.
Smith: “I think it could be extraordinarily helpful for our entire industry, for everybody who uses technology, for consumers in particular. I hope that we will find a way to work together to make it a reality.”
Dale Strong: What are the risks to the DoD of reliance on a single vendor?

Smith: “I don't see the DoD moving to rely on anybody as a single source in the technology space. There's a lot of competition that's alive and well at the DoD.”
Smith: “Just as there is risk in relying on one vendor, there's risks in relying on multiple vendors. I would still rely on multiple, so I don't want anybody to be thinking I'm saying something I'm not. But..."
Smith: "...when you have what we call a heterogeneous environment — meaning technology from lots of different suppliers — you create a lot of different seams, so then you need to have technology and people who can knit it all together.”
Smith says foreign intelligence agencies "look for the seams" in target networks, "because those are the places that are easiest for them to get in.”
Strong: What are the security implications of China having access to your network for such a long period of time?

Smith: “In some of the questions that were floating around this week, people suggested that because the Chinese had acquired this key in 2021..."
Smith: "...that they must have had access for two years. I think that, in fact, they kept it in storage until they were ready to use it, knowing that, once they did, it would likely be discovered quickly.”
Eli Crane: Is it true that some of your competitors are here?

Smith: “So I’ve been told.”
Crane: Is it fair to say that you understand the importance of “being strong and formidable today with some of your opponents or competitors in the room”?

Smith: "I don't know if I would use the words 'strong' or 'formidable.'"
Smith: "I think the reason we need to be responsible and resolute is because of our adversaries abroad, not so much the competition."
Crane says nobody wants to say it, but "one of the things that we can do to help you is actually get stronger leadership that's respected around the world. That's actually one of the big problems here."

Smith is visibly befuddled by Crane's line of questioning.
As the hearing moves toward conclusion, Smith reiterates that Microsoft understands the importance of Congress's oversight function, CISA's work, and the CSRB's report.

Regarding the report, he says "we are committed to addressing every part of it."
Thompson: Will Microsoft commit to being transparent with customers, especially the government, about vulnerabilities in its products?

Smith: Yes, but we need to do it in a way that protects that sensitive information from our adversaries.
Thompson: Will Microsoft commit to being transparent with customers about its investigations into cyber incidents?

Smith: Yes, with the same qualification as before, “and we are working to do that.”
Thompson: Will Microsoft commit to establishing timeframes for its implementation of the CSRB’s recommendations and "commit to proactively keeping this committee informed of its progress"?

Smith: Yes.
Thompson: "Will Microsoft commit to performing a transparent evaluation of risks associated with business ventures in adversarial nations?"

Smith: "Yes, I think we need to."
Thompson: “Cyber is, in everybody's opinion, a major threat. But you have to talk to us.”

Smith: “Believe me, I will.”
Green: “Sometimes government can kind of get in the way, too." He cites the SEC cyber incident disclosure rule. "We need help on understanding where the government also creates problems."
Green: “In this partnership, we need communication not just on the issues that are brought up here with this breach that was identified, but how we can make things better and work better on how we regulate and create compliance requirements and things like that.”
And with that, the hearing has ended.
