Microsoft’s Contract With Government Agencies Under Fire Following Chinese Cyber Attacks

By Bryan Jung
Bryan Jung
Bryan Jung
Bryan S. Jung is a native and resident of New York City with a background in politics and the legal industry. He graduated from Binghamton University.
July 14, 2023Updated: July 14, 2023

After Chinese hackers were able to hack into U.S. government email accounts last week, Microsoft’s security systems are now under fire from Congress.

A cyber gang based in China was accused of stealing emails from senior U.S. officials in a major security breach through a weakness in Microsoft MSFT.O software.

The attacks were allegedly able to access the email accounts of top State Department employees and U.S. Commerce Secretary Gina Raimondo, the Cybersecurity and Infrastructure Security Agency announced on July 12.

Federal agencies detected a breach in the two agencies’ accounts “fairly rapidly” and managed to prevent further breaches, White House National Security Adviser, Jake Sullivan, told ABC’s “Good Morning America.”

Chinese Hackers Breach US Government Databases

Microsoft said that the breach took advantage of a still-undisclosed security issue with the company’s online email service and not through hacking computers or stealing passwords.

The tech firm accused “Storm-0558,” a  Chinese hacking outfit, of forging digital authentication tokens to access email accounts running on the firm’s Outlook service starting in May.

The group has also focused on espionage against governments in Europe and has accessed the cloud-based Outlook email systems of 25 organizations, including multiple government agencies in the EU.

Beijing’s embassy in the U.K. told Reuters that the latest accusations are “disinformation” and called the United States “the world’s biggest hacking empire and global cyber thief.”

The CCP normally denies involvement in hacking operations in China, even if actual evidence or context is presented.

Microsoft acknowledged the hack in a July 11 blog post, admitting that “accountability starts with us” and that it was “continually self-evaluating, learning from incidents,” and improving its cyber defenses.

Congress Concerned About Microsoft’s Contract With Federal Agencies

Members of Congress have been raising concerns for months over government departments’ increasing reliance on Microsoft for cybersecurity tools and services.

“The Senate Intelligence Committee is closely monitoring what appears to be a significant cybersecurity breach by Chinese intelligence,” he said in a statement, said  Sen. Mark Warner (D-Va.), chairman of the Senate Select Committee on Intelligence, who called for heightened efforts to counter the cyber threat posed by China following the hack.

“It’s clear that the PRC is steadily improving its cyber collection capabilities directed against the U.S. and our allies. Close coordination between the U.S. government and the private sector will be critical to countering this threat,” said

Senator Ron Wyden (D-OR) said that Microsoft should offer all its customers full forensic capabilities, saying that “charging people for premium features necessary to not get hacked is like selling a car and then charging extra for seatbelts and airbags.”

Congressional legislators have also complained that the move shuts out other vendors and use of off-the-shelf security software could pose a risk.

Last month, Newsweek reported that several key leaders in the Department of Defense had opposed a decision last year to scrap an existing cybersecurity program that was open to competition.

The Pentagon replaced the program with Microsoft’s in-house security tools, which are typically offered with its business software packages and cost taxpayers $543 million.

According to a February 13 letter obtained by Newsweek, Rep. C.A. Ruppersberger (D-Md.) of the House Appropriations Committee wrote to Secretary of Defense Lloyd Austin, questioning whether the decision to give Microsoft the sole contract was the best use of taxpayers’ dollars.

The Maryland congressman also asked whether the deal made the U.S. military dependent on a single IT provider, whose software may be inferior to rivals, while the operational costs rise over time.

“It is critical that DOD pursue a fair and open competition that ensures procurements for cybersecurity solutions are based on technical merits and are not limited to a single one-size-fits-all enterprise solution,” Ruppersberger wrote in the February 23 letter, a copy of which was obtained by Newsweek.

The Pentagon’s Chief Information Officer, John Sherman, responded, telling Mr. Ruppersberger that the department shared similar concerns about the possible anticompetitive effects of major agency-wide bundled contracts.

“We share this concern, and we’re working towards a long-term balanced strategy,” wrote Mr. Sherman.

The Epoch Times reached out to Microsoft for comment.

More Companies and Governments Look to Microsoft for Security Needs

Private individuals, companies, and governments for years have been using Microsoft to manage their emails, spreadsheets, and other data off their own servers.

The Redmond, Washington-based tech company’s suite of office software has been touted as cost-effective and easy to integrate at the same time.

Microsoft has been promoting the use of its own in-house security products and encouraging its customers to abandon what they see as expensive and redundant antivirus programs.

The process of transferring an organization’s data and services to a big tech firm has been termed by the industry as “moving to the cloud.”

Cloud systems have been welcomed by small organizations that lack the resources to run their own IT or security departments.

However, smaller competitors have accused Microsoft of squeezing them out of the market through lucrative contracts and creating a monopoly over the cybersecurity sector.

Rival firms warn that the company’s growing lock on the market and the favoritism that it receives from the private and public sectors are putting too many eggs into one basket and endangering security.

“Organizations need to invest in security,” CrowdStrike’s Adam Meyers wrote to CNBC.

“Having one monolithic vendor that is responsible for all of your technology, products, services and security can end in disaster.”

Amit Zavery, a Google VP and head of Google’s Cloud division and who happens to work for one of Microsoft’s chief rivals, called on the U.S. government to rethink its deal with the  tech giant.

“Security is a team sport, but it’s hard to defend when only one team is giving up goals. “Monoculture” in govt productivity software creates an easy attack surface. I hope this latest in a series of incidents pushes the U.S. govt to look at alternatives, said Zavery, in a post on Twitter. 

Reuters contributed to this report.