The Department of Homeland Security (DHS) on Thursday said the newly created Cyber Safety Review Board (CSRB) will investigate Microsoft’s July email breach and focus on general risks to cloud computing infrastructure.
The July breach was reported to the Cybersecurity and Infrastructure Security Agency (CISA), which said hackers operating on China’s behalf took advantage of a coding flaw to access high-level government accounts, including those of US Commerce Secretary Gina Raimondo and senior State Department diplomats.
After the breach, Oregon Senator Ron Wyden asked the Federal Trade Commission (FTC), CISA, and the Justice Department to “take action” against Microsoft. The CSRB is an advisory panel established by the Biden Administration to work under the DHS to investigate major cybersecurity threats and events.
“The CSRB will assess the recent Microsoft Exchange Online intrusion … and conduct a broader review of issues relating to cloud-based identity and authentication infrastructure affecting applicable CSPs [cloud service providers] and their customers,” the DHS statement read, noting that its decision to have CSRB review the breach was made “immediately upon learning of the incident in July.”
The CSRB has completed two reviews: one of the Log4j vulnerabilities exploited in 2021 and one of activities associated with the hacking group Lapsus$. Companies like Microsoft now face increased scrutiny over the security of their widely adopted cloud offerings after high-profile attacks.
“Organizations of all kinds are increasingly reliant on cloud computing to deliver services to the American people, which makes it imperative that we understand the vulnerabilities of that technology,” Secretary of Homeland Security Alejandro N. Mayorkas said in a prepared statement. “Actionable recommendations from the CSRB will help all organizations better secure their data and further cyber resilience.”
The CSRB does not have regulatory powers. But the DHS statement says the group’s purpose is to “identify relevant lessons learned to inform future improvements and better protect our communities.”
In an interview with InformationWeek, former Microsoft CIO Jim Dubois said he believes the company will learn more from the attack itself than from the CSRB’s probe. “All companies are doing everything they can do to be secure,” he said. “I don’t think there’s any negligence. With the growing capabilities of nation-states, it’s not something you’re going to be able to protect against completely. It’s a question of how long you can keep them out.”
He added, “Every time something happens, they’re going to learn and find better ways to secure things.”
Important Lessons for IT Leaders
According to Statista, the US had more than 1.3 million companies using Office 365 as of February 2023. The widespread use of the cloud is a growing concern for enterprise IT leaders.
Brian Fricke, CISO for City National Bank of Florida, tells InformationWeek that this new heightened level of attention should become standard practice. “Like the National Transportation Safety Board (NTSB), the CSRB subject matter experts should be executing a methodical review of the technical details and anatomy of security control failures related to this and other breaches,” he said in an email.
However, he notes, established advisory boards like the NTSB have an advantage over a new group like CSRB. “NTSB can reference years of regulatory and engineering standards, tests, and reports for repeatable, scientifically proven processes against predictable forces.”
The threat landscape is different as well. “While Cyber is a domain of the sciences, the forces against it are an art, and despite all ‘best’ efforts, and major investments (Microsoft) can make, the forces and threats are reasonably anticipated but impossible to prevent.”
CSRB Chair and DHS Under Secretary for Policy Rob Silvers thinks the board’s efforts will give organizations more support to defend against attacks — especially in cloud environments. “We must as a country acknowledge the increasing criticality of cloud infrastructure in our daily lives and identify the best ways to secure that infrastructure and the many businesses and consumers that rely on it,” he said in a statement.
Fricke tells InformationWeek that while the burden of resilience is a shared responsibility, businesses are relying on software companies, which, he says, “must build inherently secure, and resilient services. Technology companies (and the cyber industry workforce) must be supported and provided security standards balanced with the latitude to innovate.”