In the most-damning set of accusations against a major technology company this analyst has seen in 40 years, a federal cybersecurity watchdog group has reported that Microsoft’s cloud cybersecurity has massive and wide-ranging shortcomings ranging from failed technology to a “security culture” that is “inadequate and requires an overhaul.”
The report and the widespread publicity it is appropriately receiving will no doubt raise huge questions in the minds of Microsoft Cloud customers and prospects about how vulnerable they might be to the increasing volume and sophistication of cyberattacks by cybercriminals who are aggressively enhancing their malicious work with AI capabilities.
And how worried should customers and prospects be about the state of Microsoft’s cybersecurity? Based on this excerpt from the report about an intrusion that occurred last year in China, they should be very worried: “In fact, when combined with another flaw in Microsoft’s authentication system, the key permitted Storm-0558 to gain full access to essentially any Exchange Online account anywhere in the world [boldface emphasis added]. As of the date of this report, Microsoft does not know how or when Storm-0558 obtained the signing key.”
While the entire report from the federal government’s Cyber Safety Review Board (CSRB) serves as a devastating critique of Microsoft’s cybersecurity capabilities, mindset, technologies, and approaches, the following excerpt clearly illuminates the challenges Microsoft faces in regaining the trust of business leaders evaluating if they still can and should trust the safety of their business to the Microsoft Cloud:
“Throughout this review, the Board identified a series of Microsoft operational and strategic decisions that collectively point to a corporate culture that deprioritized both enterprise security investments and rigorous risk management.”
Look once more at that part about “a corporate culture that deprioritized…enterprise security investments,” and bear in mind that for its most recently reported quarter, Microsoft generated $62 billion in total revenue and net income of $21.9 billion, with Microsoft Cloud contributing more than half — $33.7 billion — of that revenue. Despite those extraordinary financial resources at Microsoft’s disposal, the federal watchdog group said, the company’s “corporate culture…deprioritized both enterprise security investments and rigorous risk management.”
Ask AI Ecosystem Copilot about this analysis
So let me highlight once again three statements from the CSRB report that will certainly cause many Microsoft Cloud customers and prospects to demand some explanations and perhaps even begin evaluating alternative products and services from competitors:
“…when combined with another flaw in Microsoft’s authentication system, the key permitted Storm-0558 to gain full access to essentially any Exchange Online account anywhere in the world”;
Microsoft does not know how or when Storm-0558 obtained the signing key”; and
“corporate culture…deprioritized both enterprise security investments and rigorous risk management.”
Any one of those three conclusions would represent a devastating portrayal of an enterprise cybersecurity provider. But the CSRB report unequivocally states that all three of those findings apply simultaneously to Microsoft.
Plus, those are just three very short examples of extremely concerning revelations contained throughout the 30-plus-page report.
Microsoft’s cloud competitors — primarily Amazon Web Services and Google Cloud, but also and to a lesser extent Oracle — will no doubt share the entire report with key customers and prospects to make the case that those businesses ought to consider alternative cloud vendors. Indeed, on pages 24-25 of the report, it breaks out specific steps that those three cloud providers have taken to avoid some of the cybersecurity challenges that Microsoft has failed to adequately address.
For Microsoft, the potential damage to its reputation is enormous. In a moment, I’ll provide many more-detailed excerpts from the report — including its bold conclusion that this crisis can only be overcome via the direct and very much hands-on involvement of Microsoft CEO and chairman Satya Nadella — but first some quick background on who the CSRB is and what led the group to issue this report.
Billing itself as “America’s Cyber Defense Agency,” the CSRB was formed in 2022 as part of the Department of Homeland Security. Its website says it provides “a unique and valuable collaboration of government and private sector members,” and the report on Microsoft’s cybersecurity failings speaks glowingly of the cooperation the board received from Microsoft and other cloud companies in compiling its conclusions.
The flashpoint for the creation of the report was a Microsoft cybersecurity disaster that took place last year in China. From the report: “When a hacking group associated with the government of the People’s Republic of China, known as Storm-0558, compromised Microsoft’s cloud environment last year, it struck the espionage equivalent of gold. The threat actors accessed the official email accounts of many of the most senior U.S. government officials managing our country’s relationship with the People’s Republic of China.
“As is its mandate, the Cyber Safety Review Board (CSRB, or the Board) conducted deep fact-finding around this incident. The Board concludes that this intrusion should never have happened” [emphasis added].Against that backdrop, let’s consider a few key points:
Microsoft has frequently touted the size and scope of its security business, and has occasionally released revenue figures indicating that Microsoft’s annual cybersecurity revenue is now probably more than $15 billion and could be approaching $20 billion.
Every cloud and technology vendor faces relentless cybersecurity attacks and it is inevitable that sometimes the bad guys will get in. In that context, the upshot of the CSRB report is not so much that Microsoft Cloud cybersecurity was not perfect — no one’s is — but that the company failed on so many fronts to provide fundamental measures that would have prevented the China disaster.
The CSRB report does a commendable job of putting the China attack and intrusion in the proper context relative to the extraordinarily vital and strategic position that Microsoft and other major cloud providers have earned: “It is not an exaggeration to say that cloud computing has become an indispensable resource to this nation, and indeed, much of the world. Numerous companies, government agencies, and even some entire countries rely on this infrastructure to run their critical operations, such as providing essential services to customers and citizens. Driven by productivity, efficiency, and cost benefits, adoption of these services has skyrocketed over the past decade, and, in some cases, they have become as indispensable as electricity. As a result, cloud service providers (CSPs) have become custodians of nearly unimaginable amounts of data. Everything from Americans’ personal information to communications of U.S. diplomats and other senior government officials, as well as commercial trade secrets and intellectual property, now resides in the geographically-distributed data centers that comprise what the world now calls the “cloud.”
And the biggest and most-influential of all those cloud providers on which the world has become so dependent is Microsoft, which has been #1 on my Cloud Wars Top 10 rankings for the past several years. In every quarterly earnings call, both CEO Nadella and CFO Amy Hood state that in cloud category after cloud category, Microsoft is “taking share” from competitors. In its fiscal Q2 ended Dec. 31, Microsoft Cloud revenue grew a whopping 24% to $33.7 billion. So there’s no question that Microsoft’s presence and reach in the cloud marketplace are growing, and the company appears to be getting even stronger as the AI Revolution unfolds.
Nadella on the Microsoft Security Business
In that fiscal-Q2 earnings call in late January, Nadella — as he does each quarter — offered updates on the company’s various cloud-product segments. And in his discussion of Microsoft’s security business, he appeared to refer indirectly to the China intrusion before going on to describe a new companywide effort to bolster Microsoft’s cybersecurity capabilities (pages 11-12 of transcript). “Recent security attacks—including the nation-state attack on our corporate systems we reported a week and a half ago—have highlighted the urgent need for organizations to move even faster to protect themselves from cyber threats. It’s why last fall, we announced a set of engineering priorities under our Secure Future Initiative, bringing together every part of the company to advance cybersecurity protection across both new products and legacy infrastructure. And it’s why we continue to innovate across our security portfolio, as well as our operational security posture, to help customers adopt a Zero Trust security architecture.”
While this could be perceived as the beginning of the massive overhaul of Microsoft’s corporate culture for which the CSRB’s report advocates so strenuously, we have to bear in mind that Nadella made these remarks in late January and that the CSRB report was not released until late March. So I would expect that when Microsoft’s fiscal-Q3 earnings call takes place near the end of this month, Nadella’s overview of his company’s security business will be significantly different.
After all, while the CSRB certainly isn’t the boss of Microsoft, I don’t think Nadella can possibly afford to overlook the extremely critical nature of its report and its potential for causing significant harm to Microsoft in a marketplace filled with competitors that are aggressive, hungry, wealthy, and all too eager to pounce on any perceived weakness in mighty Microsoft.
Nadella’s Choice
Citing the “cascade of Microsoft’s avoidable errors that allowed this intrusion to succeed,” the board offered this assessment of what it believes Nadella needs to do:
“To drive the rapid cultural change that is needed within Microsoft, the Board believes that Microsoft’s customers would benefit from its CEO and Board of Directors directly focusing on the company’s security culture and developing and sharing publicly a plan with specific timelines to make fundamental, security-focused reforms across the company and its full suite of products. The Board recommends that Microsoft’s CEO hold senior officers accountable for delivery against this plan. In the meantime, Microsoft leadership should consider directing internal Microsoft teams to deprioritize feature developments across the company’s cloud infrastructure and product suite until substantial security improvements have been made in order to preclude competition for resources. In all instances, security risks should be fully and appropriately assessed and addressed before new features are deployed.”
So my take on that counsel is that Satya Nadella has to decide whether he wants to pursue some, most, or all of the items on the To-Do list from the CSRB:
Create and share with the public a sweeping plan to address and fix its widespread cybersecurity weaknesses — both technological and cultural.
Hold senior executives accountable for fixing this mess, particularly in the corporate culture. And while CSRB did not mention Nadella, I think he should be at the very top of that accountability roster. For all of his extraordinary successes at Microsoft over the past decade, Nadella must take full and complete responsibility for acknowledging and fixing this multi-layered disaster.
Cut investments in other areas to fund the badly needed “substantial security improvements.”
Make security the top criterion for all new features of all Microsoft Cloud products and services.
Final Thought
Some people believe that adversity builds character. That’s certainly possible, and in some cases that can lead to a big victory.
But I believe that adversity, more than building character, reveals character. And nothing in Nadella’s stellar decade at the top of one of the world’s most powerful and successful and wealthy corporations has come anywhere close to the adversity he and his company face today in the wake of the devastating revelations from the CSRB report.
So I believe that beginning with Nadella’s commentary on the fiscal-Q3 earnings call later this month and extending forward for at least the following 12 months, we will all be afforded the opportunity to gain unprecedented insights into the character of Nadella and of Microsoft.
Join us at the AI Ecosystem Summit on December 11-12, 2024, in Scottsdale, AZ. This exclusive 2-day event brings together industry leaders, vendors, partners, and customers to co-create and accelerate industry-specific innovation through AI.
