Republican lawmakers on Thursday questioned a top Microsoft executive about the company’s presence in China, about a year after Chinese hackers used the tech giant’s systems to launch a devastating attack on federal government networks.
Several members of the House Homeland Security Committee asked Microsoft Chairman Brad Smith during an hour-long hearing how a critical U.S. government contractor like Microsoft could maintain a commercial business in China, which he said Smith accounted for about 1.4 or 1.5 percent. of the company’s sales.
“Really worth it?” asked Rep. Carlos Gimenez, a Florida Republican.
Smith argued that Microsoft’s business in China served American interests by protecting the trade secrets of Microsoft’s American customers who operate there and learn from what is happening in the rest of the world.
He added that Microsoft had rejected requests from the Chinese government to hand over confidential information. “I’ll tell you there are days when they ask Microsoft questions, they come to my desk and I say, ‘No,’” he said.
The hearing was a response to a scathing March report from the Department of Homeland Security’s Cybersecurity Review Board. The report details how “a cascade of security flaws at Microsoft” allowed a hacking team called Storm-0558, which the report said was a spy group affiliated with the Chinese government, to infiltrate Microsoft email systems in May and June of last year.
The report criticized Microsoft for having “a corporate culture that deprioritized both enterprise security investments and rigorous risk management” and said the company’s cybersecurity practices were critical to national security because “products and Microsoft services are ubiquitous.
The hackers somehow obtained a digital key (what the report called “crypto crown jewels”) to Microsoft’s security mechanisms that allowed them to spoof other users’ credentials. They compromised the accounts of 22 organizations and more than 500 people around the world, including Commerce Secretary Gina M. Raimondo and US Ambassador to China Nicholas Burns. More than 60,000 emails were downloaded from the State Department computer network alone, which discovered the breach.
The intrusion “should never have happened,” according to the report. He said Microsoft did not yet know how the hackers had obtained the digital key. He also chastised Microsoft for making inaccurate public statements about the hack in the fall.
Microsoft has walked a delicate line in China. It has closed some businesses, such as the professional social network LinkedIn, but offers cloud computing services in China and also houses engineering teams and a prized research laboratory there.
Smith told the hearing that Microsoft had been reducing its engineering presence in China and last month offered to relocate 700 to 800 employees who “would have to move out of China to keep their jobs.”
The company’s top executives, including Smith and CEO Satya Nadella, have debated the future of the research lab and instituted barriers that restrict researchers from doing politically sensitive work, The New York Times reported in January.
Smith promised an urgent security effort within Microsoft through what he called “the largest cybersecurity engineering project in the history of digital technology.”
Despite the harsh report on Microsoft’s security failures, lawmakers at the hearing did not aggressively question Mr. Smith and instead focused on ways the government and private sector could work together.
“This is not a get-us-us hearing,” Rep. Bennie Thompson of Mississippi, the ranking Democrat on the committee, said in his opening remarks.
Smith surprised lawmakers when he described the magnitude of the challenge. He said Microsoft detected more than 300 million daily attacks on its customers.
In January, Microsoft revealed a separate attack, carried out by a group sponsored by Russian intelligence, that the report did not cover.
In November, Microsoft announced a top-to-bottom review of its security practices, its largest security initiative in two decades, and in May said it would tie the compensation of its top executives to the progress of the review.
Smith said the company’s board had approved a plan to tie a third of individual performance bonuses for top executives to cybersecurity. He also said that all Microsoft employees would be evaluated on cybersecurity in their twice-yearly performance reviews.
Microsoft’s competitors have taken advantage of its vulnerability. NetChoice, a trade group whose sponsors include Google, Amazon and Meta, released a voter survey criticizing the government’s reliance on Microsoft. NetChoice and several other competitor-backed trade groups sent letters to Biden administration officials calling for the government to use a wider variety of technology providers.
A public relations firm that lists Google as a client regularly emails journalists when negative stories about the Microsoft attacks break, and sometimes offers experts to talk to. This week, enterprise software company Salesforce sent a comment to reporters touting its security culture.
Amazon CEO Andy Jassy told investors in late April that security would be critical for customers choosing which AI services to use.
“If you just pay attention to what’s been happening over the last two years,” he said, “not all providers have the same track record.”
