Lawmakers question Microsoft president over China ties, repeated breaches
Microsoft President Brad Smith faced sharp questions from lawmakers Thursday over the tech giant’s presence in China at a time when his company and U.S. infrastructure is coming under increasing attack by hackers linked to Beijing.
At a hearing to examine a series of breaches at Microsoft that have raised concerns about its security posture, House Homeland Security Committee members repeatedly asked Smith about compliance with a 2017 national security law that requires companies operating in China to cooperate with Chinese intelligence agencies.
Smith said the cloud business Microsoft does in China is meant to ensure that an American company operating there keeps their trade secrets in an American data center and told Chairman Mark Green, R-Tenn., that China has no access to those centers.
“Every time there’s anything remotely close to a request, I always ensure we say ‘no,’” Smith testified.
Rep. Carlos Gimenez, R-Fla., criticized Smith’s answer in the afternoon’s most contentious exchange: “You operate in China, and you’re sitting there telling me you don’t have to comply with the laws in China?”
Smith said there are two kinds of countries in the world: “Those that apply every law they enact, and those that enact certain laws but don’t always apply them. And in this context, China, for that law, is in the second category.”
Smith said that he has made clear to the Chinese government that if they want to sue someone, they should sue him, but Gimenez answered, “In China they don’t sue you, man. They arrest you.” Smith said Microsoft employees in China don’t have the authority to make the decisions that could lead to their arrest.
“For some reason I just don’t trust a word you’re saying to me,” Gimenez said. “You have a cozy relationship in China. … I can’t believe they’re going to say ‘yeah, OK, no problem, you don’t have to comply with our law, but everybody else does.’”
Thursday’s hearing comes on the heels of a report by the Cyber Safety Review Board examining how Chinese hackers were able to steal a signing key and use it to steal emails belonging to senior U.S. officials. That report concluded that the breach was the result of “a cascade of security failures at Microsoft” and that the company has fostered a culture that deprioritizes security.
One of the more puzzling elements of the Chinese operation is that Beijing’s hackers were able to steal a consumer signing key and use it to validate tokens in an enterprise environment, and Democrat Bennie Thompson of Mississippi said he remains unsatisfied with Microsoft’s explanations for why the stolen key was able to give the attackers such wide-ranging access.
“Microsoft’s explanations about why the key was still active in 2023 and why it worked for both consumer and enterprise accounts have not been competent,” Thompson, the committee’s ranking member, said in an opening statement that faulted the company for its lack of transparency over a number of security problems. “To this day we still do not know how the threat actor accessed the signing key.”
Numerous lawmakers questioned Smith over a ProPublica story published Thursday that featured allegations from a whistleblower that Microsoft failed to address a known security issue — known as the Golden SAML vulnerability — which Russian hackers later exploited in the SolarWinds breach.
Smith said he hadn’t read the article yet and largely avoided answering questions regarding the article. “A week from now, I’ll bet we can pull together information and have a much more informed conversation about this, and I would welcome that opportunity,” Smith told Rep. Delia Ramirez, D-Ill.
Smith said Microsoft was just one victim of the SolarWinds breach, which was carried out by sophisticated hackers backed by the Russian government, and that the SAML issue was an industry-wide one.
Green told CyberScoop his big takeaway from the hearing was “educating me on the nation-states having capabilities far beyond these companies” and the need for the government to act to help them. He said he was working on legislation to strengthen the industry-government partnership on cyber but that he was months away from filing a bill on the issue.
Smith said the federal government needs to specify “red lines” in cyberspace that foreign nation-backed hackers cannot cross and how the government would respond when they do. The government also needs to share information about threats more efficiently, Smith said.
Despite intrusions affecting government agencies, Smith said his company should still be a go-to for government clients.
“We are going to work harder than anybody else to earn the trust of our government and other allied governments every day, and we are making the changes that we need to make,” Smith told Rep. Anthony D’Esposito, R-N.Y.
Microsoft has in recent weeks announced several changes to how it approaches security, including prioritizing it in the development of products and tying employee compensation to security metrics.
Rep. Seth Magaziner, D-R.I., questioned whether those changes would deliver significant security gains, noting that sometimes cyber mistakes aren’t discovered until later. He said Microsoft should consider a way to retroactively “claw back” some pay.
Smith said he couldn’t say with certainty, either, how much of the total compensation package for senior executives would be tied to the individual performance element. “More than enough to get people’s attention, for sure,” he said.
Magaziner said he welcomed the idea, but argued the effectiveness of such a policy is in the details. “A third of the individual performance element sounds good, but it depends on how big the individual element is as a part of the whole,” Magaziner said. “If it’s 10% of the total compensation package, cyber would only be 3% of the total package and would potentially count less toward the total than revenue targets or profitability targets.”