Microsoft data breach in 2023 by Chinese hackers

Microsoft’s Security Scrutinized Following Chinese Cyber-Attack.

Microsoft's Cloud Security Under Scrutiny Following Chinese Cyber Espionage Attack

The recent Chinese cyber intrusion has ignited a significant debate about the responsibility of cloud service providers in ensuring the security of their customers. Microsoft’s top-tier cloud service, which seemingly offers better security, has become a focal point, with Biden administration officials and Senator Ron Wyden criticizing the company for not making crucial logging information available to all users.

Logging software plays a pivotal role in detecting and investigating cyber-attacks by keeping track of all server activity. However, this incident revealed that the critical logging data required to identify the attack was available only to customers of Microsoft’s premium cloud service, according to officials at the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA).

The Hack and Its Effects

The disclosed hack affected nearly two dozen organizations across the globe, with the State and Commerce departments among the victims. The attack was not an average breach: it involved an unusual degree of technical sophistication and targeted specific victims, which underscores the stakes for cybersecurity in our digital age.

The State Department first identified the intrusion, reporting it to Microsoft the previous month. However, the tool used to discover the breach is not included in all Microsoft 365 packages. It is part of Microsoft’s highest-tier Microsoft 365 licensing package, known as E5, which provides a broader range of features and costs approximately 60% more than the E3 package. For government entities, these packages are identified as G5 and G3, respectively.

In the wake of the hacking episode, Biden administration officials said on Wednesday that Microsoft needs to make such vital information broadly accessible. During a press call discussing the incident, a senior Cybersecurity and Infrastructure Security Agency (CISA) official emphasized that “Every organization using a technology service like Microsoft 365 should have access to logging and other security data out of the box to reasonably detect malicious cyber activity.”

In parallel, an investigation is underway to determine whether Microsoft adhered to federal cybersecurity stipulations for cloud providers. Senator Ron Wyden, an active voice on cybersecurity and technology policy matters on the Senate Intelligence Committee, criticized the practice of charging extra for essential security features. He likened it to selling a car and then charging additional fees for seatbelts and airbags.

Microsoft’s Response and Concerns

In response to the mounting pressure, Microsoft announced it was exploring potential solutions. A Microsoft spokesman stated on Thursday, “We are evaluating feedback and are open to other models. We are actively engaged with CISA and other agencies on this.”

This widespread hacking campaign was discovered thanks to the State Department’s security specialists, who, armed with the logging tools, noticed unusual activity on their network in June. After being informed of the situation, Microsoft managed to identify victims, even those who hadn’t subscribed to the premium service.

The crux of the matter lies in the log files, which are digital records tracking activity on Microsoft’s cloud. These logs contain invaluable information, such as the browser and operating system used to access the system, crucial for tracing criminal activity post-hack.

The complexity arises with the advent of cloud computing, where responsibilities are divided between cloud operators like Microsoft and their customers. Providers argue that retaining vast volumes of such data can be pricey, while customers are often unaware of the necessity of these logs until a hack occurs, at which point it may be too late to retrieve them.

Keep Your Data Close and Secure

Volexity, a cybersecurity firm, shed light on a specific instance where the limited logs from a customer’s less-expensive Microsoft 365 E3 license could not reveal evidence of the attack. This issue underscores the importance of comprehensive logging capabilities and raises questions about whether premium security features should be accessible to all users.

As cloud computing becomes more prevalent, the onus is on both cloud service providers and customers to ensure that adequate measures are in place to detect and mitigate cyber-attacks. This incident serves as a stark reminder of the gaps that can exist in cybersecurity infrastructure and the importance of taking a comprehensive approach to digital safety.
