
Microsoft CEO admits “security flaws”

  • June 14, 2024


Microsoft’s Brad Smith admits that the company has not always been decisive in securing its products in the past and promises change.

Smith, CEO of Microsoft, was subpoenaed by the US Department of Homeland Security. Last year, Chinese hackers managed to break into the mail servers of American government employees via Microsoft Exchange Online. The government took the incident seriously and issued a scathing report to Microsoft. Smith had to come on behalf of Microsoft to explain how this could have happened.

In his written testimony, Smith had already issued a mea culpa before the hearing began. “Microsoft accepts responsibility without question and without hesitation for each of the issues raised in connection with the Exchange hack,” Smith wrote. During the hearing, Smith also admitted that his company had fallen short in this incident.

Business comes before safety

The recent hack on Exchange is far from the only thing Microsoft is struggling with. Security industry experts have been criticizing the software giant’s sometimes lax security policies for years. It’s no coincidence that ProPublica published a detailed statement from a former employee on Thursday about Microsoft’s questionable role in the infamous SolarWinds hack in 2020.

Andrew Harris worked on Microsoft’s security team until a few months before the hack. At the time, it was a low-paying job, according to Harris’ testimony. In 2016, he reportedly discovered a potentially serious vulnerability in Azure AD FS, a Microsoft product for logging into the Azure cloud. Harris warned company executives that the vulnerability would give intruders the key to breaking into customers’ cloud environments via an on-premises server.

The warning, however, had no effect. At the time, Microsoft was transforming itself into a “cloud-first” company under the impetus of CEO Satya Nadella and wanted to compete for a lucrative contract with the US government. Out of fear that admitting the vulnerability would jeopardize the reputation of the then-young cloud division, the vulnerability was covered up.

After four years of trying in vain, Harris quit in August 2020 and joined CrowdStrike, frustrated that Microsoft was putting its business interests above security. Not much later, the SolarWinds bomb would explode. Smith already had to appear before the US Congress in 2021, but managed to turn it into a positive story about how quickly Microsoft responded to the hack.

Safety first

This time, Smith was more modest and admitted that Microsoft had made mistakes. Microsoft, too, is said to have learned from these mistakes and made the transition to a “security first” company. “We are fully committed to implementing every recommendation and using this report as an opportunity and foundation to strengthen our cybersecurity across the board,” Smith said.

These do not seem to be empty words. CEO Satya Nadella has already sent a memo to employees with the following message: “When faced with a trade-off between security and another priority, the answer is clear: keep it secure.” The recent furore surrounding Windows Recall raises doubts as to whether Microsoft has learned its lesson.

Source: IT Daily
