Congress grills Microsoft President over cyber security failures
Members of Congress pressured Microsoft on Thursday to improve the way it addresses security vulnerabilities in its widely used products, following a wave of cyberattacks that targeted the federal government.
Rep. Bennie Thompson questioned Microsoft President Brad Smith about the company’s process for addressing security concerns. Smith stated that Microsoft is now focusing on empowering employees to identify, report, and fix security issues. He acknowledged that previously, business goals were prioritised over security.
Members of the House Homeland Security Committee voiced their disapproval in response to a recent ProPublica investigation that revealed Microsoft consistently ignored a company engineer’s warnings, starting in 2017, that a product flaw left millions of users—including federal employees—vulnerable to attack. Later, in a well-publicised cyberattack known as SolarWinds, one of the biggest in American history, Russian hackers took advantage of that vulnerability.
The federal Cyber Safety Review Board also criticised Microsoft’s security culture, calling it “inadequate” and in need of an overhaul. Smith admitted these issues and stated that executive bonuses and employee performance reviews will now include security considerations.
During the hearing, the committee pressed Smith about the ProPublica report, with Rep. Delia Ramirez calling it a “bombshell.” Smith was asked if his previous testimony about the flaw’s discovery was incorrect, to which he responded that he hadn’t read the report yet. He noted that while the flaw existed in other companies’ software, Microsoft’s version was widely used, including by the government.