Cybersecurity boost

Cyber Safety Review Board Urges Reforms on Microsoft Organization, Products

The Department of Homeland Security’s Cyber Safety Review Board has recommended that Microsoft develop and publish a plan instituting security-focused reforms across its organization and products to prevent a repeat of the Summer 2023 Microsoft Exchange Online breach traced to Chinese hackers.

The CSRB’s recommendation, along with other preventive measures, are contained in a report released on Tuesday reviewing the incident. Microsoft cooperated fully with the board on its seven-month independent review, which also involved 19 other companies, the DHS said.

The board’s 29-page report pointed out that the summer 2023 hacking incident “was preventable and should never have occurred.” It described as “inadequate” Microsoft’s security culture and that it needs an overhaul, particularly the company’s centralized technology ecosystem wherein customers entrust their data and activities.

“Implementation of the board’s recommendations will enhance our cybersecurity for years to come,” said DHS Secretary Alejandro Mayorkas, a past Wash100 winner.

The other recommendations in the CSRB report include the implementation of modern control mechanisms, informed by a robust threat model, across cloud service providers’ digital identity and credential systems to significantly reduce system-level intrusions.

The Cybersecurity and Infrastructure Security Agency now plans to convene major CSPs to develop cloud security measures aligned with the CSRB’s recommendations, including a process to regularly demonstrate compliance.