John Tuyen

Adventures of Functional Mediocrity

16 Jun 24

Microsoft Chooses Profit over Security

Microsoft Chose Profit Over Security and Left U.S. Government Vulnerable to Russian Hack, Whistleblower Says

The product, which was used by millions of people to log on to their work computers, contained a flaw that could allow attackers to masquerade as legitimate employees and rummage through victims’ “crown jewels” — national security secrets, corporate intellectual property, embarrassing personal emails — all without tripping alarms.

But Harris was most concerned about the federal government and the implications of his discovery for national security. He flagged the issue to his colleagues.

They saw it differently, Harris said. The federal government was preparing to make a massive investment in cloud computing, and Microsoft wanted the business. Acknowledging this security flaw could jeopardize the company’s chances, Harris recalled one product leader telling him. The financial consequences were enormous. Not only could Microsoft lose a multibillion-dollar deal, but it could also lose the race to dominate the market for cloud computing.

Frustrated by Microsoft’s inaction, he left the company in August 2020.

Within months, his fears became reality. U.S. officials confirmed reports that a state-sponsored team of Russian hackers had carried out SolarWinds, one of the largest cyberattacks in U.S. history.

The perspective changed once the SolarWinds incident happened, followed by another incident involving a stolen MSA key that allowed access to any enterprise mailbox. This cascade of incidents led to an internal culture shift toward putting security first, but we all know how that will go; culture is not cultivated overnight. As an example, the initial impressions of the new Recall feature came under heavy scrutiny due to its lack of security controls: it stored sensitive data in an unencrypted SQLite database. Granted, this was a pre-release ARM version of Recall, but such design choices are not forgivable if security is to be prioritized. I get it: doing actual security work takes time and money, but it is more important than ever in this digital age.