Microsoft President Testifies Before Congress
On June 13, Microsoft Vice Chair and President Brad Smith testified before the House Homeland Security Committee to discuss Microsoft’s cybersecurity measures.
The hearing comes amid increased scrutiny of cybersecurity in general, and of Microsoft in particular, as it is a major contractor for the US government – 3% of the US federal IT budget goes to Microsoft.
Rep. Bennie Thompson, a Democrat, said: “Microsoft is one of the federal government’s most important technology and security partners, but we cannot afford to allow the importance of that relationship to enable complacency or interfere with our oversight.”
In 2023, hackers suspected of being linked to China gained access to 60,000 State Department emails by breaking into Microsoft’s systems. Earlier this year, Russia-linked hackers were also able to access the emails of Microsoft’s senior staff, including correspondence with government officials.
The hearing follows a report published in April by the Cyber Safety Review Board (CSRB), an expert panel created by the Department of Homeland Security. The report harshly criticized Microsoft, describing the China-linked hack as preventable and saying Microsoft failed to provide full transparency on the issue.
Smith acknowledged the report in the hearing, saying: “We accept responsibility for each and every finding.” In his written testimony, posted on the Microsoft blog, Smith says that Microsoft is “taking action to address every one of the CSRB’s recommendations applicable to Microsoft.”
The post explains how Microsoft is focusing more on cybersecurity, launching a program called the Secure Future Initiative. This multi-year program aims to change how Microsoft creates and runs its products and services.
The post also claims Microsoft will address all 16 of the CSRB report’s recommendations and additional threats it has identified through the Secure Future Initiative. The company says it is redirecting resources equivalent to 34,000 full-time engineers to focus on cybersecurity.
Smith says the company’s leadership has worked over recent months “reviewing the security culture we have and re-defining the world-class security culture we want to foster.”
Smith’s comments mark a contrast with his response to the 2021 SolarWinds attack, which saw Russia-linked hackers gain access to federal workers’ data. In hearings after the hack, Smith assured Congress that no vulnerabilities in Microsoft’s products were exploited. ProPublica reports that a Microsoft employee and independent analysts had raised concerns about a vulnerability in the run-up to the hack but were ignored.