Microsoft’s president told Congress on Thursday that the company accepted responsibility for serious security flaws that allowed China-linked hackers to penetrate federal computer networks but defended its presence in China.
Brad Smith struck a humble tone in testimony before the House Homeland Security Committee, promising that the tech giant would fix security flaws in its products that are widely used by federal agencies.
But Republican lawmakers focused on Microsoft’s activities in China, questioning how the company can strengthen cybersecurity while operating in a country where the government demands access to data from companies and other organizations.
Smith said Microsoft operates data centers and cloud services in China primarily for U.S. and other non-Chinese companies, which helps protect the companies’ trade secrets, and that Microsoft’s China operations account for just 1.4% to 1.5% of the company’s revenue.
Republican Rep. Carlos Gimenez of Florida then asked, “Is it really worth it?”
Smith said his company has not complied with China’s 2017 National Intelligence Law, which requires companies to provide information requested by the Chinese government, and has rejected some of the requests from Beijing, but did not provide details.
Gimenez asked how Microsoft was able to ignore the law: “Does it have a waiver from the Chinese government that means it doesn’t have to comply with this law?”
Smith said some countries enforce all of the laws they enact and others don’t, and China falls into the latter category.
He added: “Some days, questions come to Microsoft and they land on my desk, and I say, ‘No. [the company] “I don’t do anything specific”
Lawmakers held the hearing after a damning government report was released in April that found that a “series of errors” by Microsoft allowed government-sponsored Chinese hackers to gain access to the email accounts of government employees and officials, including the State Department network and Commerce Secretary Gina Raimondo’s email.
A report from a cybersecurity review board established by the Department of Homeland Security in 2022 concluded that the breach was “preventable” and blamed “a series of operational and strategic decisions at Microsoft that collectively point to a corporate culture that disregards corporate security investments and rigorous risk management.”
Smith said Microsoft fully embraces the report’s findings and is implementing its recommendations. The company has deployed about 34,000 engineers to focus on security, which he called “the largest cybersecurity engineering project in the history of digital technology.”
Asked repeatedly whether Microsoft had lost sight of the importance of security, Smith said it hadn’t, but he said many employees had become too reliant on large teams of security experts to deal with potential cyberthreats and had stopped seeing security as a collective responsibility.
“It’s allowed us to think that we can rely solely on these people to do the work that we all need to do together,” Smith said.
Lawmakers recently received a confidential report on security breaches linked to Microsoft’s failures, a source with direct knowledge of the matter told NBC News.
Officials at the federal government’s top cybersecurity agency responded to a letter from Sen. Rick Scott (R-Fla.) saying CISA has “made great progress” in strengthening America’s cyber defenses. Scott questioned the Cybersecurity and Infrastructure Security Agency about the hacks by Russian state actors against Microsoft and other companies that have federal contracts.
“CISA will continue to act with urgency to protect federal networks and critical infrastructure from adversaries,” wrote Charles Abernathy, CISA’s director of legislative affairs. “This work requires investments in technology, people, and partnerships.”
Democratic lawmakers said at a hearing Thursday that the government’s heavy reliance on Microsoft makes federal agencies more vulnerable to cyberattacks and espionage. Sen. Ron Wyden (D-Ore.) is proposing legislation that would make information technology contracts more competitive and require tech companies to ensure their software works with other companies’ products.
“The time has come to end the stranglehold that big tech companies like Microsoft have on government software, set high cybersecurity standards, and reap the many benefits of a competitive marketplace,” Wyden said when introducing the bill.
Sen. John Cornyn (R-Texas) earlier told NBC News that Microsoft has a “strong economic incentive” to fix its security problems. “The company has a reputation to protect,” he said.