Forcing change
The CSRB report on Microsoft’s cloud breach calls for dramatic changes to the company’s security culture. According to many experts, it’s time for the government to find its spine and compel those changes.
“Big, powerful companies in general don’t change their behavior unless they’re incentivized to do so,” Stanford University’s Grotto says.
The CSRB report recommends tough new requirements for cloud providers like Microsoft, including periodic security reviews after they receive federal contracts. Experts say those requirements could shift corporate incentives in favor of better security.
Microsoft seems to realize that its recent breaches have sparked a public relations crisis. “We expect and welcome fair scrutiny,” says Faehl. “As an industry leader we must be accountable for the security of our products and services.”
At the same time, he says, Microsoft “wouldn’t mind seeing some scrutiny” of its competitors who “seek to sow fear, uncertainty, and doubt about our position as a way to seek advantage for their own products.”
Taking on Microsoft would also be a way for the Biden administration to live up to the principles in its National Cybersecurity Strategy, which prioritizes shifting the burden of cybersecurity onto large, well-resourced tech vendors. “They make the point… that this balance needs to shift,” Grotto says. “The question now is, ‘Okay, what does administration do with that diagnosis?’”
There are signs that the administration is heeding this advice. During a briefing with reporters on Thursday about the possibility that Russian operatives stole government secrets through their latest Microsoft hack, Goldstein said that CISA and other agencies “are working closely with Microsoft, in alignment with the recommendations of the Cyber Safety Review Board, to drive further progress in Microsoft’s improvement plans with their broader security culture and enterprise.”
In the meantime, experts say, the status quo allows Microsoft to shirk responsibility for problems that it is uniquely capable of resolving.
“No harm comes from doing nothing, at least not to these companies,” Guerrero-Saade of SentinelOne says. “And that’s what’s going to destroy us.”
This story originally appeared on wired.com.
