Microsoft's president vows substantial changes to company culture, with a focus on strengthening security
Microsoft's President Brad Smith testified before the House Committee on Homeland Security on Thursday, discussing the company's plan to address security culture issues and encourage employees to report concerns.
The testimony was in response to a report from the U.S. Cyber Safety Review Board analyzing Microsoft's security culture following a hack in summer 2023. The hearing revealed long-standing concerns about Microsoft leaving product security in the rear-view mirror in comparison to rivals like Apple, Amazon, or Google.
One of the key elements of Microsoft's plan is enhancing employee reporting mechanisms. The company has historically emphasized the importance of secure communication channels for employees to report security concerns without fear of retaliation. This includes anonymous reporting tools and clearer internal policies that encourage transparency.
Microsoft is also strengthening internal oversight. The company employs multiple layers of supervision, including digital escorts for employees working in sensitive locations.
The company is also implementing comprehensive cybersecurity awareness programs to cultivate a culture of vigilance and responsibility among its employees.
In a bid to create a culture that encourages employees to look for problems, report problems, help fix problems, and learn from them, Microsoft aims to make security part of the biannual review for all employees.
A significant aspect of Microsoft's plan is tying part of senior executives' annual bonuses to cybersecurity performance. One-third of a senior leader's bonus will be based on their cybersecurity-related performance starting from Microsoft's new fiscal year on July 1.
During the hearing, Smith said he had not had a chance to review the ProPublica report as he had been at the White House prior to the hearing. The ProPublica report published a few days earlier detailed a whistleblower who alleged Microsoft ignored years of warnings from one of its own engineers about a vulnerability that led to the Sunburst attacks. The whistleblower, Andrew Harris, left Microsoft in 2020 and later joined rival CrowdStrike.
Microsoft accepted full responsibility for its security failures and is currently engaged in the largest engineering project focused on security in digital technology history. More than 34,000 full-time engineers are working on this security project.
Ryan Kalember, chief strategy officer at Proofpoint, made comparisons during the hearing, stating that by prioritizing product interconnectedness over building products that are secure by design, Microsoft continually compounds the security risks it creates.
Smith was also asked if he was aware of any similar vulnerabilities that could impact product security. Smith said he was not, but "everything we're doing is focused on finding every vulnerability that we can find."
- Microsoft's President Brad Smith acknowledged the concerns raised in the ProPublica report about a vulnerability that led to the Sunburst attacks, which allegedly went unheeded by the company for years.
- Recognizing the need for robust cybersecurity measures, Microsoft is investing heavily in securing its digital technology, with more than 34,000 full-time engineers currently working on the largest engineering project focused on security in digital technology history.