Congress Seeks Answers From Microsoft Boss After a 'Cascade' of Security Errors (washingtonpost.com) 59

Speaking of Microsoft, the House Homeland Security committee is grilling Microsoft President Brad Smith Thursday about the software giant's plans to improve its security after a series of devastating hacks reached into federal officials' email accounts, challenging the company's fitness as a dominant government contractor. Washington Post adds: The questioning followed a withering report on one of those breaches, where the federal Cyber Safety Review Board found the event was made possible by a "cascade of avoidable errors" and a security culture "that requires an overhaul." In that hack, suspected agents of China's Ministry of State Security last year created digital keys using a tool that allowed them to pose as any existing Microsoft customer. Using the tool, they impersonated 22 organizations, including the U.S. Departments of State and Commerce, and rifled through Commerce Secretary Gina Raimondo's email among others.

The event triggered the sharpest criticism in decades of the stalwart federal vendor, and has prompted rival companies and some authorities to push for less government reliance on its technology. Two senators wrote to the Pentagon last month, asking why the agency plans to improve nonclassified Defense Department tech security with more expensive Microsoft licenses instead of with alternative vendors. "Cybersecurity should be a core attribute of software, not a premium feature that companies upsell to deep-pocketed government and corporate customers," Sens. Eric Schmitt (R-Mo.) and Ron Wyden (D-Ore.) wrote. "Through its buying power, DOD's strategies and standards have the power to shape corporate strategies that result in more resilient cybersecurity services." Any serious shift in executive branch spending would take years, but Department of Homeland Security leaders say plans are in motion to add security guarantees and requirements to more government purchases -- an idea touted in the Cyber Safety Review Board's Microsoft report.

  • average age of congress is 58, they are not technical, nor have they lived in reality for decades .... what's the point of this? Ole Brad could spout lines from Star Trek and they would be none the wiser

    • by Anonymous Coward

      Damn your blasted Vulcan logic!

    • Exactly. It's going to take a breach that truly embarrasses those Congress critters before real action is taken. Imagine nudes of Nancy Pelosi or Donald Trump getting out. We would ALL be yelling for security reform at that point .. hell, maybe even Microsoft.

    • True, this type of stuff is the true mark of a politician's staff though, as these people cannot be experts on everything, so they're supposed to be prepped on what this stuff means.

      Ron Wyden, though, I would consider one of, if not the most, "tech savvy" politicians we have; he always seems to be on the forefront of this type of legislation. He introduced a bill earlier this year to move the Federal government to a standardized collaboration protocol.

      A new bill would try to make tools like Zoom and Teams wo [theverge.com]

    • by nightflameauto ( 6607976 ) on Thursday June 13, 2024 @03:21PM (#64547407)

      average age of congress is 58, they are not technical, nor have they lived in reality for decades .... what's the point of this? Ole Brad could spout lines from Star Trek and they would be none the wiser

      It's an election year and there are a lot of folks in the world grumbling about Microsoft. Time for a public flogging which will amount to absolutely nothing in the end. Nothing will change. But it'll be a fun spectacle for a day or two while congress pretends they're being real stern with one of their biggest sponsors.

    • plus, the reality is that all they really care about is re-election, everything else is just theater for the prole's.
    • Realistically there's no magic to computers, and despite what you might think because your relatives annoy you with questions, it's really not that hard at all for somebody in their 60s to understand enough about computers to direct this sort of investigation with the help of their staffs.

      The problem is nobody shows up for primary elections so we've got a ton of politicians who are just really fishing for extra donations this cycle. Most of them on the Republican side. Though the Democrats for their part

        You're right that age isn't specifically the problem. The problem is that people can't think in concepts. I'm finding that people across a range of occupations and ages no longer understand what it means to log in to a website.... or how to login. The *always on* nature of cell phones that are logged into email at the point of sale has resulted in people not understanding how to login, and by extension, do anything. Most people outside this techie website have no idea of the difference between a web browser
    • by The Cat ( 19816 )

      News flash: People with an average age of 58 built the Internet.

    • Example question:

      When I click on the thing for mail, it goes all spinny. How can I have a check box installed to turn on the internet first so I don't get any of those sales things?

    • by dhaen ( 892570 )
      73 year old here. I'm not sure the average age is a useful metric. I come across people of all ages who just don't want to understand
    • by whitroth ( 9367 )

      Oh, I see, no one who's 56 or older is technical. Therefore I don't exist, being well past 65... and neither does my almost 40 year career as a programmer and sysadmin.

      And, of course, no one in Congress has staff that can cover this. No, no.

      Shut up and go away, idiot.

      • by Osgeld ( 1900440 )

        It's amazing after all these years you never learned to read; they, as in Congress, are not technical, dipshit.

  • Why the government of the United States insists on using a broken insecure mess of an operating system that is known to be chock full of security vulnerabilities is the real question. Maybe that's why the government spends $640 on a toilet seat; they think their ass is worthy of luxury accommodations.
    • by HiThere ( 15173 )

      I'm not sure it's the same toilet seat, but in the case I remember the company refused to do the associated paperwork until they upped the price that high.

    • by LazarusQLong ( 5486838 ) on Thursday June 13, 2024 @03:43PM (#64547459)
      I used to be a contractor selling crap to the feds. A $640 toilet seat, not sure that exists outside of mythology, but if it does exist in reality, here is how we used to have to sell the gov something. First off, the government had specifications we must not only meet, but PROVE we meet. So, the wood the toilet seat was made of had to be maple... that might be a specification. It may also specify a certain amount of resistance to shape change due to moisture absorption; you don't want your toilet seat developing splinters, do you? So that would point toward the rock maple tree... and maybe there would be a similar specification concerning growth ring sizes... so we would have to find an old growth habitat where we could buy these types of trees. It would need to be inspected by a gov inspector to ensure we weren't trying to screw over the government with fake/cheap product. Then we would have to guarantee a certain level of surface smoothness and a certain shape and size; these would need inspectors too. Oh, did I forget shipping? There would have to be a way to prove that the inspected wood had been reliably shipped to the facility for making it into a toilet seat, and that would need inspecting as well, and at every step of the way there would be a shipping inspection and a receiving inspection. Now it is time to coat the toilet seat with a particular paint, that there are specifications for as well, and the appropriate inspections to go along with it.

      Got it? That is only a small percentage of the needed inspections, and each of those inspectors, and the contractor QA with them, is getting paid as a degreed professional.

  • by DaMattster ( 977781 ) on Thursday June 13, 2024 @03:19PM (#64547405)
    Systems and networks handling classified or sensitive material should not be outsourced. They should be built using open source software and run in-house.
    • by nightflameauto ( 6607976 ) on Thursday June 13, 2024 @03:25PM (#64547421)

      Systems and networks handling classified or sensitive material should not be outsourced. They should be built using open source software and run in-house.

      Until open source can find a way to shovel truckloads of cash into congress critter pockets? Ain't happening. Not to mention that if they did in-house for government systems, when they had a breach they'd have to blame themselves. And if there's one thing our government will not do, it's blame themselves for anything. They need someone they can blame. Preferably someone with deep pockets to make that lobbying / campaign cycle purr.

    • by taustin ( 171655 ) on Thursday June 13, 2024 @04:44PM (#64547593) Homepage Journal

      Systems and networks handling classified or sensitive material are not supposed to be connected to "insecure networks" at all. That includes the internet.

      • That's not true. I work doing INFOSEC for a DoD contractor, handling CUI. You can, and are actually expected to, eventually connect SIPR and NIPR networks together, there are tons of documents around the proper way to perform these interconnections, However, there are TONS of various security controls that must be met before connecting, maintained, monitored, evaluated etc per NIST RMF. DISA's EVVM (enterprise voice video and messaging) STIGs have many controls around interconnections. There is no "classifi
  • Microsoft has such a strangle hold on computer software that it's a national security issue when they get extra lazy with security
  • Brad Smith is fucking useless. It says more about you if you are asking him questions than it does about him.

    • by taustin ( 171655 )

      Brad Smith is President of Microsoft. Satya Nadella is CEO, who actually runs things. Best I can tell, the primary duty of the President there is to be Blame Boy, while the real executive gets on with things.

      It's like Iceland, which has a Prime Minister (who is the chief executive of the government) and a President, whose main job is to shake hands with the tourists and smile for the cameras.

      • by boulat ( 216724 )

        I've met Brad Smith. I heard him talk. I know what he does. He is fucking useless.

        • by taustin ( 171655 )

          He is also irrelevant. The fact that he, and not Nadella, is in front of Congress is a public admission that nobody, not Microsoft, and not Congress, is taking this seriously. It's all theater to get votes.

          Why help them with it by nattering on about something, and someone, who doesn't matter?

  • Considering that the powers that be in government procurement have already hitched their wagon to Microsoft, wondering if the security guarantees they got from Microsoft are worth anything now seems pointless.
    What is the government going to do? Admit they were too stupid to see the truth and got sold a lie?
    • by gweihir ( 88907 )

      Eventually they will have no choice but to move away from Microsoft. But not yet. See also Boeing.

  • Business as usual for Microsoft.
  • The solution is to encrypt the confidential data. Use S/MIME but do not use Intune for key deployment as that just defeats the purpose. Use Microsoft Information Protection (MIP) but with Double Key Encryption (DKE) so that you manage the second keys yourself.
  • This is more congressional theater meant to appear like Congress is concerned about computer security, but that will once again amount to nothing. If anything happens at all, it will be to give Microsoft a truckload of money as a reward for its incompetence.

  • Without exception, you always start to examine the email system, and working out from that point. Email is by far the biggest security hole in any company. You want to hold Microsoft, or any other major company accountable, demand they start encrypting and signing all email communication, and forcing it on by default. Once the email systems are secure, start demanding Microsoft build signature support into all their products, so that when I get an email from X@example.com, I can absolutely be confident, X
    • You don't start with any specific systems. You start by mapping the data flow of the information requiring protection. True, it normally comes in via email, but it might be coming in via FTP, actual paper being scanned into a file system, or a variety of ways. The email system will most likely be scoped as a classified asset, for processing/transmitting/storing sensitive data; but it's not the starting point usually. And one can't just "secure email"; one also first must identify the people who need acces
      • All your points are good, and I've done DoD work in the past. My point was to focus on email, get that cleaned up, and then start investigating. In my personal experience, email is 99.999% (or just vastly) the first problem point. I always start with email, get that fixed up and secured, then sit back and do the bird's eye view. That way as I investigate, at least the emails are safe enough, and I've done DoD work, where you'd do a spit take at the lack of security on email, and how carelessly things
  • A bunch of wrong-wing idiots who don't believe in government.

    Real old-time readers of slashdot might respond with SP800-53 https://csrc.nist.gov/pubs/sp/... [nist.gov]
