Microsoft ties executive pay to security after multiple failures and breaches

[Image: A PC with Windows 11.]

It’s been a bad few years for Microsoft’s security and privacy efforts. Misconfigured endpoints, fraudulent security certificates, and weak passwords have all caused or risked the exposure of sensitive data, and Microsoft has been criticized by security researchers, U.S. lawmakers, and regulators for the way it responded to and disclosed these threats.

The most notable of these breaches involved a China-based hacking group called Storm-0558, which breached Microsoft’s Azure service in mid-2023 and collected data for more than a month before being discovered and expelled. After months of uncertainty, Microsoft announced that a series of security flaws had allowed Storm-0558 to access an engineer’s account and, from there, to collect data from 25 of Microsoft’s Azure customers, including US federal agencies.

In January, Microsoft announced another breach, this time by Russian state-sponsored hacking group Midnight Blizzard. The group was able to “compromise an outdated, non-production test tenant account” to gain access to Microsoft’s systems for “as long as two months.”

This all culminated in a report (PDF) from the US Cyber Safety Review Board, which excoriated Microsoft for its “inadequate” security culture, its “inaccurate public statements” and its response to “preventable” security breaches.

To try to turn things around, Microsoft announced something it called the “Secure Future Initiative” in November 2023. As part of that initiative, Microsoft today announced a series of plans and changes to its security practices, including some changes that have already been made.

“We make security our top priority at Microsoft, above all other functions,” wrote Charlie Bell, Executive Vice President of Microsoft Security. “We are expanding the scope of SFI, integrating the CSRB’s recent recommendations and our learnings from Midnight Blizzard to ensure our cybersecurity approach remains robust and can adapt to the evolving threat landscape.”

As part of these changes, Microsoft will also make Senior Leadership Team compensation partially dependent on the company “achieving our security plans and milestones,” although Bell did not specify how much executive compensation would be contingent on achieving those security goals.

Microsoft’s message describes three security principles (“secure by design”, “secure by default” and “secure operations”) and six “security pillars” intended to address various weaknesses in Microsoft’s systems and development practices. The company says it plans to secure 100 percent of its user accounts with “securely managed, phishing-resistant multi-factor authentication,” enforce least-privilege access for all applications and user accounts, improve network monitoring and isolation, and keep all system security logs for at least two years, among other promises. Microsoft also plans to place new deputy chief information security officers on various technical teams to track their progress and report to the executive team and board of directors.

As for the concrete measures Microsoft has already implemented, Bell writes that Microsoft has “deployed automatic enforcement of multifactor authentication by default across more than 1 million Microsoft Entra ID tenants across Microsoft,” and “removed 730,000 old and/or insecure apps to date in production and enterprise tenants,” expanded security logging and adopted the Common Weakness Enumeration (CWE) standard for security disclosure.
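The three commitments the article quotes (phishing-resistant MFA on every account, removal of stale or insecure apps, and security-log retention of at least two years) are the kind of thing a defender would want to verify continuously rather than take on trust. The following is an added example, not Microsoft’s tooling or any code from the Secure Future Initiative: it audits a constructed tenant inventory against those three commitments using plain Python, without calling Entra ID or Microsoft Graph. The set of methods treated as phishing-resistant and the 90-day idle threshold for apps are assumptions; the article names neither.

```python
"""Audit a constructed tenant inventory against the three commitments quoted in
the article: phishing-resistant MFA everywhere, no stale apps, and at least two
years of security-log retention.  Added example with constructed data; it does
not talk to Entra ID or Microsoft Graph."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumption: which registered methods count as phishing-resistant.  SMS, voice
# and one-time-code pushes are deliberately absent from this set.
PHISHING_RESISTANT = {"fido2", "passkey", "windows_hello", "certificate"}
MIN_LOG_RETENTION_DAYS = 730   # "at least two years" from the article
STALE_APP_DAYS = 90            # assumption: the article gives no threshold


@dataclass
class Account:
    upn: str
    mfa_methods: set[str]      # methods registered on the account


@dataclass
class App:
    name: str
    last_sign_in: Optional[date]   # None means the app has never signed in
    credentials_expired: bool


@dataclass
class Tenant:
    name: str
    log_retention_days: int
    accounts: list[Account]
    apps: list[App]


def accounts_without_strong_mfa(tenant: Tenant) -> list[str]:
    """Accounts whose registered methods include nothing phishing-resistant."""
    return [a.upn for a in tenant.accounts
            if not (a.mfa_methods & PHISHING_RESISTANT)]


def stale_apps(tenant: Tenant, today: date) -> list[str]:
    """Apps that never signed in, sat idle past the threshold, or hold expired credentials."""
    flagged = []
    for app in tenant.apps:
        never_used = app.last_sign_in is None
        idle = (not never_used) and (today - app.last_sign_in).days > STALE_APP_DAYS
        if never_used or idle or app.credentials_expired:
            flagged.append(app.name)
    return flagged


def log_retention_shortfall(tenant: Tenant) -> int:
    """Days of retention missing against the two-year floor; 0 when compliant."""
    return max(0, MIN_LOG_RETENTION_DAYS - tenant.log_retention_days)


def audit(tenant: Tenant, today: date) -> dict:
    """Run all three checks and report whether the tenant meets every commitment."""
    findings = {
        "weak_mfa_accounts": accounts_without_strong_mfa(tenant),
        "stale_apps": stale_apps(tenant, today),
        "log_retention_shortfall_days": log_retention_shortfall(tenant),
    }
    findings["compliant"] = (
        not findings["weak_mfa_accounts"]
        and not findings["stale_apps"]
        and findings["log_retention_shortfall_days"] == 0
    )
    return findings


# Constructed sample tenant (not real data): one year of log retention, one
# account on SMS only, one service account with no MFA, and two stale apps.
SAMPLE_TENANT = Tenant(
    name="example-prod",
    log_retention_days=365,
    accounts=[
        Account("alice@example.test", {"fido2", "sms"}),
        Account("bob@example.test", {"sms"}),
        Account("svc-build@example.test", set()),
    ],
    apps=[
        App("legacy-sync", date(2023, 1, 10), credentials_expired=False),
        App("old-test-app", None, credentials_expired=True),
        App("ci-runner", date(2024, 4, 20), credentials_expired=False),
    ],
)


def audit_sample() -> dict:
    """Audit the constructed tenant as of a fixed date so results are reproducible."""
    return audit(SAMPLE_TENANT, date(2024, 5, 3))


if __name__ == "__main__":
    for key, value in audit_sample().items():
        print(f"{key}: {value}")
```

The point of splitting the checks into separate functions is that each maps to one of the quoted commitments, so a shortfall can be attributed to a specific pillar (identity, application inventory, or logging) rather than reported as a single pass/fail. Against the constructed tenant the audit flags `bob` and `svc-build` for MFA, `legacy-sync` and `old-test-app` as stale, and a 365-day retention gap, so the tenant is not compliant.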

In addition to Bell’s public security pledges, The Verge has obtained and published an internal memo from Microsoft CEO Satya Nadella that reemphasizes the company’s publicly stated commitment to security. Nadella also says that improving security should be prioritized over adding new features, something that could impact the constant stream of tweaks and changes Microsoft releases for Windows 11 and other software.

“The recent findings from the Department of Homeland Security’s Cyber Safety Review Board (CSRB) regarding the Storm-0558 cyber attack from summer 2023 underscore the severity of the threats facing our company and our customers, as well as our responsibility to defend against increasingly sophisticated threat actors,” Nadella wrote. “When faced with the trade-off between security and another priority, the answer is clear: practice security. In some cases, this means prioritizing security over other things we do, such as releasing new features or providing ongoing support for legacy systems.”
