
Microsoft exec vows to fix security gaps that let China-linked hackers get federal emails, but defends presence in China

By 37ci3, Jun 14, 2024



Microsoft’s president told Congress on Thursday that the company was responsible for major security failures that allowed China-linked hackers to penetrate federal government computer networks, but defended his company’s presence in China.

Brad Smith appeared humble in his testimony before the House Homeland Security Committee, promising that the tech giant would patch security holes in its products widely used by federal agencies.

Republican lawmakers, however, have focused on Microsoft’s operations in China, questioning how the company can strengthen its cybersecurity while operating in a country where the government demands access to data from businesses and other organizations.

Microsoft operates data centers and cloud services in China, mostly for American and other non-Chinese corporations, and helps protect its trade secrets, Smith said. Smith also said that Microsoft’s China business accounts for only 1.4% to 1.5% of the company’s revenue.

Rep. Carlos Gimenez, R-Fla., then asked, “Is it really worth it?”

Smith said his company was not in compliance with China’s 2017 national intelligence law, which requires firms to hand over information requested by the government, and that his company had rejected some requests from Beijing, but did not provide details.

Gimenez asked how Microsoft could challenge the law: “Do you have a waiver from the Chinese government that you have to comply with this law?”

Smith said there are countries that do and don’t enforce every law they pass, and China is in the latter category.

He added: “I’ll tell you, Microsoft gets asked questions and they come across my desk and I say, ‘No, [the company] won’t do some things.’”

Lawmakers opened the hearing in April after a scathing government report found “a number of errors” by Microsoft that allowed state-backed Chinese hackers to break into email accounts used by government employees and senior officials. Hackers were able to penetrate the State Department’s network and hack the email of Commerce Secretary Gina Raimondo.

The report of the Cyber Security Review Board, established by the Department of Homeland Security in 2022, concluded the breach was “preventable” and blamed “a number of Microsoft operational and strategic decisions that point to a corporate culture that prioritizes enterprise security investments and rigorous risk management.”

Smith said Microsoft has fully accepted the report’s findings and is implementing its recommendations. The company has deployed nearly 34,000 engineers to focus on security in what it calls “the single largest cybersecurity engineering project in the history of digital technology.”

Asked several times whether Microsoft had forgotten the importance of security, Smith said that was not the case. But he said a large part of the workforce relies heavily on a broad group of security professionals to deal with potential cyber threats, which he sees as a collective responsibility.

“It became possible to think that they could only rely on these people to do something that we all have to do together,” Smith said.

Lawmakers recently received a classified briefing on security breaches linked to Microsoft’s failures, sources with direct knowledge of the matter told NBC News.

On Wednesday, an official at the federal government’s top cybersecurity agency responded to a letter from Sen. Rick Scott, R-Fla., telling him that CISA has “made great progress” in strengthening U.S. cyber defenses. Scott asked the Cybersecurity and Infrastructure Security Agency about ongoing hacking by Russian state actors against Microsoft and other companies contracted by the federal government.

“CISA will continue to act with urgency to protect federal networks and critical infrastructure from our adversaries,” wrote Charles Abernathy, CISA’s director of legislative affairs. “This work will require investments in technology, people and partnerships.”

In Thursday’s hearing, Democrats said the government’s heavy reliance on Microsoft has made federal agencies more vulnerable to cyberattacks and espionage. Sen. Ron Wyden, D-Ore., has proposed legislation designed to make information technology contracts more competitive and make software from tech firms work with other companies’ products.

“It’s time to break the stranglehold of big tech companies like Microsoft on government software, set high cybersecurity standards, and reap the many benefits of a competitive marketplace,” Wyden said as he introduced the bill.

Sen. John Cornyn, R-Texas, previously told NBC News that Microsoft had “a strong economic incentive” to address its security concerns. “It has a reputation to protect,” he said.


