Microsoft rolls out expanded logging six months after Chinese breach
When hackers working on behalf of the Chinese government stole a Microsoft signing key and used it to breach the email accounts of senior U.S. government officials last year, that operation was only discovered due to an expensive logging option in use at the U.S. State Department.
The fact that a security feature necessary to detect a Chinese hacking operation was marketed as an upgrade placed intense scrutiny on Microsoft’s decision to charge a premium for security features, and the company quickly said it would make logs more widely available.
On Wednesday, federal officials said they had made progress in making these expanded logs available to federal agencies. Since the breach was revealed more than six months ago, Microsoft has been working to make expanded logs available to a pilot set of agencies, the Cybersecurity and Infrastructure Security Agency, the Office of Management and Budget, the Office of the National Cyber Director and Microsoft said in a statement Wednesday.
This month, expanded logging will be made available to all federal agencies, the statement added. Along with making more detailed logs available, Microsoft is also increasing the default period for which logs are retained from 90 to 180 days.
CISA’s executive assistant director for cybersecurity, Eric Goldstein, said in a statement that he was pleased to have “made real progress” toward making “the necessary logging available to federal agencies and the broader cybersecurity community.”
“We look forward to continued progress with our partners to ensure that every organization has access to necessary security logs,” he added.
Still, more than six months on from the discovery that Chinese hackers had managed to use a stolen signing key to read emails belonging to the secretary of commerce ahead of a key trip to Beijing, the expanded logs are not still not available to all federal agencies. Wednesday’s announcement did not specify when expanded logs would be rolled out across the federal government.
The Biden administration has pushed major technology vendors to implement security features by default — and Wednesday’s announcement that security logs will be made more widely available is an example of such a move.
But critics of Microsoft continue to argue that the company isn’t doing enough to prioritize security and that a string of security breaches has made it a liability to the U.S. government, which relies heavily on the tech giant for its IT services.
“Microsoft doesn’t deserve any praise for caving to pressure and announcing that it will no longer gouge its customers for additional fees for basic features like security logs,” Sen. Ron Wyden, D-Ore., said in a statement to CyberScoop. “Like an arsonist selling firefighting services, Microsoft has profited from the vulnerabilities in its own products and built a security business generating tens of billions of dollars a year. There is no clearer example of the need to hold software companies liable for their negligent cybersecurity.”