Microsoft has outlined several specific improvements to enhance its security following the recent hacks involving federal officials' email accounts. These improvements include:
Transforming the way Microsoft develops software with automation and AI: Microsoft will apply systematic processes to continuously integrate cybersecurity protection against emerging threat patterns as engineers code, test, deploy, and operate systems and services.
Strengthening identity protection against highly sophisticated attacks: Microsoft will protect against these threats by applying advanced identity protection through a unified and consistent process that will manage and verify the identities and access rights of users, devices, and services across all products and platforms.
Migrating to a new and fully automated consumer and enterprise key management system: This new system will have an architecture designed to ensure that keys remain inaccessible even when underlying processes may be compromised.
Pushing the envelope in vulnerability response and security updates for cloud platforms: Microsoft plans to cut the time it takes to mitigate cloud vulnerabilities by 50% and to encourage more transparent and consistent vulnerability reporting across the tech sector.
Instituting "rapid cultural change" within Microsoft: CEO Satya Nadella and the board will institute rapid cultural change, including publicly sharing "a plan with specific timelines to make fundamental, security-focused reforms across the company and its full suite of products."
Focusing on secure by design, secure by default, and secure operations principles: These principles will govern every facet of Microsoft's software development and security practices.
Implementing more secure default settings for multifactor authentication (MFA) out of the box: This will expand Microsoft's current default policies to a wider range of customer services, with a focus on where customers need this protection the most.
These improvements are part of Microsoft's Secure Future Initiative (SFI), which aims to advance cybersecurity protection across both new products and legacy infrastructure.
The suspected agents of China's Ministry of State Security exploited Microsoft's tools by creating digital keys that allowed them to pose as any existing Microsoft customer. They used a tool that granted them access to 22 organizations, including the U.S. Departments of State and Commerce. By impersonating these organizations, they were able to gain access to sensitive emails, including those of Commerce Secretary Gina Raimondo and other federal officials. This exploitation highlighted vulnerabilities in Microsoft's security measures and raised concerns about the company's fitness as a dominant government contractor.
Senators Eric Schmitt and Ron Wyden have expressed "serious concern" about the Department of Defense's (DoD) increasing reliance on Microsoft for cybersecurity services. In a letter to the Pentagon, they questioned the decision to invest in more expensive Microsoft licenses instead of considering alternative vendors. The senators emphasized the importance of a multi-vendor approach to achieve better competition, lower long-term costs, and improved cybersecurity outcomes. They also highlighted the need for the DoD to shape corporate strategies that result in more resilient cybersecurity services through its buying power. The senators' concerns stem from recent cybersecurity lapses involving Microsoft and the potential risks of relying on a single vendor for critical cybersecurity services.