U.S. government data security is again under scrutiny after a recent data breach by suspected Chinese hackers. Microsoft's role in protecting sensitive information will be examined following the cyber attack that compromised the email accounts of U.S. officials.
A U.S. cybersecurity advisory panel announced it will investigate potential risks in cloud computing, including Microsoft's role in the recent breach of government email systems. The Cyber Safety Review Board (CSRB) will examine risks related to cloud infrastructure.
The probe comes after suspected Chinese hackers exploited a vulnerability in Microsoft Azure's cloud email platform to access sensitive communications from the Departments of Commerce and State. The tech giant is among the major cloud providers that will be examined in the CSRB's investigation.
The hacks, believed to be part of a wider espionage campaign by actors affiliated with the Chinese government, compromised email accounts belonging to senior officials.
Microsoft has faced increased scrutiny over the incident, with Senator Ron Wyden calling on federal agencies last month to take action against the company. In a letter, Senator Wyden said:
Government emails were stolen because Microsoft committed another error. Although the stolen encryption key was for consumer accounts, a validation error in Microsoft code' allowed the hackers to also create fake tokens for Microsoft-hosted accounts for government agencies and other organizations and thereby access those accounts.
The senator criticized Microsoft's handling of the hack, saying it failed to take responsibility for previous incidents like the 2020 SolarWinds campaign attributed to Russia.
The probe underscores growing concerns around security risks posed by third-party cloud services, which have become ubiquitous in government and corporate networks. Findings from the review could inform efforts to safeguard better sensitive data and critical systems hosted in the cloud.
The House Oversight Committee announced it is opening a separate investigation into China's suspected role in the Microsoft email system breaches last week. The CSRB plans to focus on identifying and mitigating cloud security risks.