Republican lawmakers on Thursday questioned Microsoft executives about the company’s presence in China, nearly a year after Chinese hackers used the company’s systems to launch a devastating hack of federal government networks.
During the hours-long hearing, members of the House Homeland Security Committee questioned Microsoft President Brad Smith about how the company, a major contractor to the U.S. government, can maintain commercial business in China, which Smith said accounts for about 1.4 to 1.5 percent of the company’s sales.
“Is it really worth it?” asked Republican Rep. Carlos Gimenez of Florida.
Smith argued that Microsoft’s operations in China serve U.S. interests by protecting the trade secrets of its U.S. customers doing business there and by learning from what is happening in other parts of the world.
He added that Microsoft has refused requests from the Chinese government for classified information. “Some days, questions are asked of Microsoft, they land on my desk, and I say, ‘No,’” he said.
The hearing was in response to a scathing report issued in March by the Department of Homeland Security’s Cyber Safety Review Board that detailed how a “series of security failures at Microsoft” allowed a hacking team known as Storm-0558, an espionage group with ties to the Chinese government, to break into the company’s email systems in May and June of last year.
The report criticized Microsoft for having a “corporate culture that disregards both corporate security investments and rigorous risk management,” and said the company’s cybersecurity practices are critical to national security because “Microsoft’s products and services are ubiquitous.”
The hackers somehow obtained the digital keys for Microsoft’s security mechanisms (what the report calls the “jewel in the cryptographic crown”) and used them to forge credentials for other users. The hackers compromised the accounts of 22 organizations and more than 500 individuals around the world, including those of Commerce Secretary Gina M. Raimondo and U.S. Ambassador to China Nicholas Burns. More than 60,000 emails were downloaded from the State Department’s computer network alone, where the intrusion was discovered.
The report said the intrusion “should never have happened” and that Microsoft still doesn’t know how the hackers even got hold of the digital keys. It also criticized the company for making inaccurate public statements about the hack in the fall.
Microsoft has walked a delicate balance in China: It has shut down some of its operations, including the professional social network LinkedIn, but it offers cloud-computing services there and also maintains engineering teams and valuable research labs there.
Smith told the hearing that Microsoft was downsizing its engineering base in China and last month offered to redeploy 700 to 800 employees who “needed to leave China to keep their jobs.”
The New York Times reported in January that the company’s top executives, including Smith and CEO Satya Nadella, had discussed the lab’s future and laid out guardrails to limit researchers from conducting politically sensitive research.
Smith pledged to implement immediate security measures within Microsoft through what he called “the largest cybersecurity engineering project in the history of digital technology.”
Despite the damning reports about Microsoft’s security failings, lawmakers at the hearing did not actively question Smith, instead focusing on ways the government and the private sector can work together.
“This is not a hogwash hearing,” Rep. Bennie Thompson of Mississippi, the committee’s ranking Democrat, said in his opening remarks.
Smith stunned lawmakers by describing the scale of the challenge: He said Microsoft detects more than 300 million attacks a day against its customers.
Microsoft disclosed a separate hack by a group backed by Russian intelligence in January, but that was not covered in this report.
In November, Microsoft announced a comprehensive overhaul of its security measures, its biggest in two decades, and in May said it would base pay for its top executives on the review’s progress.
Smith said the company’s board has approved a plan to allocate a third of senior executives’ individual performance bonuses to cybersecurity, and that all Microsoft employees will be evaluated on cybersecurity in their twice-yearly performance reviews.
Microsoft’s competitors have jumped on the company’s vulnerabilities. NetChoice, a trade group backed by Google, Amazon and Meta, released a poll of voters criticizing the government’s reliance on Microsoft. NetChoice and other trade groups backed by competitors have written to Biden administration officials urging the government to use a broader range of technology vendors.
One public relations firm that lists Google as a client regularly emails reporters after negative stories about the Microsoft hack, sometimes offering them the opportunity to speak with experts. This week, business software company Salesforce sent a commentary to reporters touting its security culture.
Amazon CEO Andy Jassy told investors in late April that security will be crucial for customers as they choose which AI services to use.
“You only have to look at what’s happened over the last year or two to see that not all providers have the same track record,” he said.