Ron Wyden, a US senator, thinks it’s Microsoft’s fault that Chinese hackers broke into Exchange Online. He wants three different government agencies to start investigations and “hold Microsoft responsible for its negligent cyber security practices.”
In a letter sent Thursday to the Department of Justice, the Cybersecurity and Infrastructure Security Agency, and the Federal Trade Commission, Wyden said that Microsoft let the attack happen by making four different security mistakes.
Chinese hackers were able to get into Microsoft’s managed email service because they stole an encryption key used for Microsoft account services.
Wyden says that Microsoft let down its customers by using only one encryption key that could be used to fake entry to customer accounts, including those of US government agencies.
He also says that Microsoft was careless when it didn’t keep high-value encryption keys in a hardware security module. He is also worried that both internal and external security checks didn’t find the security flaws that let the hack happen.
Wyden said in his letter that the fact that the stolen security key had an expiration date of 2021 but could still be used was the worst part. “Authentication tokens signed by an expired key should never have been accepted as valid,” the senator yelled.
Wyden also said that the Biden administration was partly to blame for the attack on Microsoft that was linked to China. He said that the SolarWinds hack wasn’t looked into enough by the Biden administration. He said that this new mess could have been avoided if more had been done.
Wyden wants the CISA to set up a review board to look into the hack. He also thinks that the DoJ should use civil enforcement tools to find out if Microsoft may have broken federal contract law by being negligent.
