This story was originally published by ProPublica.
Investigating how the world’s largest software provider handles the security of its own ubiquitous products.
After Russian intelligence launched one of the most devastating cyber espionage attacks durante history against US government agencies, the Biden administration set up a new board and tasked it to figure out what happened—and tell the public.
State hackers had infiltrated SolarWinds, an American software company that serves the US government and thousands of American companies. The intruders used malicious code and a flaw durante a Microsoft product to steal intelligence from the National Nuclear Security Administration, National Institutes of Health, and the Treasury Department durante what Microsoft President Brad Smith called “the largest and most sophisticated attack the world has ever seen.”
The president issued an dirigente aziendale order establishing the Cyber Safety Review Board durante May 2021 and ordered it to start work by reviewing the SolarWinds attack.
But for reasons that experts say remain unclear, that never happened.
Nor did the board probe SolarWinds for its second report.
For its third, the board investigated a separate 2023 attack, durante which Chinese state hackers exploited an array of Microsoft security shortcomings to access the email inboxes of apice federal officials.
A full, public accounting of what happened durante the Solar Winds case would have been devastating to Microsoft. ProPublica recently revealed that Microsoft had long known about—but refused to address—a flaw used durante the hack. The tech company’s failure to act reflected a corporate culture that prioritized profit over security and left the US government vulnerable, a whistleblower said.
The board was created to help address the serious threat posed to the US economy and national security by sophisticated hackers who consistently penetrate government and corporate systems, making d’avanguardia with reams of sensitive intelligence, corporate secrets, personal .
For decades, the cybersecurity community has called for a cyber equivalent of the National Transportation Safety Board, the independent agency required by law to investigate and issue public reports acceso the causes and lessons learned from every major aviation accident, among other incidents. The NTSB is funded by Congress and staffed by experts who work outside of the industry and other government agencies. Its public hearings and reports spur industry change and action by regulators like the Federal Aviation Administration.
So far, the Cyber Safety Review Board has charted a different path.
The board is not independent—it’s housed durante the Department of Homeland Security. Rob Silvers, the board chair, is a Homeland Security undersecretary. Its vice chair is a apice security dirigente aziendale at Google. The board does not have tempo pieno team, subpoena power dedicated funding.
Silvers told ProPublica that DHS decided the board didn’t need to do its own review of SolarWinds as directed by the White House because the attack had already been “closely studied” by the public and private sectors.
“We want to centro the board acceso reviews where there is a lot of insight left to be gleaned, a lot of lessons learned that can be drawn out through investigation,” he said.
As a result, there has been anzi che no public examination by the government of the unaddressed security issue at Microsoft that was exploited by the Russian hackers. None of the SolarWinds reports identified interviewed the whistleblower who exposed problems inside Microsoft.
By declining to review SolarWinds, the board failed to discover the central role that Microsoft’s weak security culture played durante the attack and to spur changes that could have mitigated prevented the 2023 Chinese hack, cybersecurity experts and elected officials told ProPublica.
“It’s possible the most recent hack could have been prevented by real oversight,” Sen. Ron Wyden, a Democratic member of the Senate Select Committee acceso Intelligence, said durante a statement. Wyden has called for the board to review SolarWinds and for the government to improve its cybersecurity defenses.
Per a statement, a spokesperson for DHS rejected the ideologia that a SolarWinds review could have exposed Microsoft’s failings durante time to stop mitigate the Chinese state-based attack last summer. “The two incidents were quite different durante that regard, and we do not believe a review of SolarWinds would have necessarily uncovered the gaps identified durante the Board’s latest report,” they said.
The board’s other members declined to comment, referred inquiries to DHS did not respond to ProPublica.
Per past statements, Microsoft did not dispute the whistleblower’s account but emphasized its commitment to security. “Protecting customers is always our highest priority,” a spokesperson previously told ProPublica. “Our security response team takes all security issues seriously and gives every case diligence with a thorough manual assessment, as well as cross-confirming with engineering and security partners.”
The board’s failure to probe SolarWinds also underscores a question critics including Wyden have raised about the board since its inception: whether a board with federal officials making up its majority can hold government agencies responsible for their role durante failing to prevent cyberattacks.
“I remain deeply concerned that a key reason why the Board never looked at SolarWinds—as the President directed it to do so—was because it would have required the board to examine and document serious negligence by the US government,” Wyden said. Among his concerns is a government cyberdefense system that failed to detect the SolarWinds attack.
Silvers said while the board did not investigate SolarWinds, it has been given a pass by the independent Government Accountability Office, which said durante an April study examining the implementation of the dirigente aziendale order that the board had fulfilled its mandate to conduct the review.
The GAO’s determination puzzled cybersecurity experts. “Rob Silvers has been declaring by fiat for a long time that the CSRB did its job regarding SolarWinds, but simply declaring something to be so doesn’t make it true,” said Tarah Wheeler, the CEO of Red Queen Dynamics, a cybersecurity firm, who co-authored a Harvard Kennedy School report outlining how a “cyber NTSB” should operate.
Silvers said the board’s first and second reports, while not probing SolarWinds, resulted durante important government changes, such as new Federal Communications Commission rules related to cell phones.
“The tangible impacts of the board’s work to date speak for itself and durante bearing out the wisdom of the choices of what the board has reviewed,” he said.
