In late June, cybersecurity expert Steven Adair received an alert from one of his clients, informing him that an employee working on human rights issues had their email account compromised.
Adair, who previously worked in cyberdefense at NASA before establishing his own firm, Volexity, initiated an investigation but struggled to find any leads.
As it turns out, the hackers responsible for the breach were the same sophisticated cyber spies that Microsoft recently accused of stealing emails from senior US officials, including employees of the State Department and Commerce Secretary Gina Raimondo. Microsoft attributed the successful hacks to an undisclosed security vulnerability in its widely used online email service, rather than computer hijacking or password theft.
Adair's client, however, lacked access to Microsoft's premium security suite, which meant detailed forensic data was unavailable. This lack of information left Adair unable to determine what had transpired. He is now advocating for Microsoft to provide this additional data to its clients free of charge. Adair's campaign has gained momentum in the aftermath of the breach, with concerns over the software giant's security practices circulating within government circles.
US Senator Ron Wyden joined the chorus of criticism, stating that Microsoft should offer all customers comprehensive forensic capabilities. Wyden likened charging for essential security features to selling a car and then demanding extra payment for seatbelts and airbags.
At the time of reporting, Microsoft had not responded to requests for comment on Adair's experience, Wyden's statement, or other criticisms of its security measures.
In a blog post released on Tuesday that outlined the recent hack, Microsoft asserted that "accountability starts with us" and acknowledged the need for ongoing self-evaluation, learning from incidents, and strengthening its defenses.
For years, individuals, organizations, and governments have migrated their emails, spreadsheets, and other data from local servers to Microsoft's platform, benefiting from cost savings and integration with the company's suite of office tools. Simultaneously, Microsoft has championed the use of its own security products, prompting some clients to abandon what they deemed redundant antivirus programs.
This migration of data and services to major tech companies is often referred to as "moving to the cloud." It can enhance security, particularly for small organizations lacking the resources to maintain their own IT or security departments.
However, Microsoft's competitors, feeling squeezed by its security offerings, are sounding the alarm about the risks associated with entrusting large swaths of industry and government data to a single provider.
"Organizations need to invest in security," warned Adam Meyers of cybersecurity company CrowdStrike in an email distributed to journalists. "Relying on one monolithic vendor responsible for all of your technology, products, services, and security can lead to disaster."
Furthermore, frustration is growing with Microsoft's licensing structure, which charges customers extra for access to detailed forensic logs like the ones Adair was unable to obtain. This issue has been a point of contention between the company and the US government since the disclosure of the SolarWinds hack in 2020.
Adair acknowledged that Microsoft's premium security product aims to generate revenue. However, he argued that enabling more parties to identify cyber threats would benefit both the company and its customers. He pointed out that the hackers, referred to by Microsoft as Storm-0558, were only caught because a State Department employee, armed with Microsoft's top-of-the-line logging capabilities, detected an anomaly in their forensic data.
"Empowering customers and security companies to collaborate further is perhaps the best approach for Microsoft," Adair concluded.
Photo by Coolcaesar, Wikimedia Commons.