
Microsoft Under Scrutiny: Security Expert's Revelations and the SolarWinds Fallout

In a move that underscores the high stakes of cybersecurity, Microsoft recently hired Andrew Harris, a distinguished expert known for his adeptness in defending against cyber threats. Harris, who previously served nearly seven years with the Defense Department, was engrossed in a perplexing breach in 2016 involving a major U.S. tech company. The breach involved the company’s cloud infrastructure, leaving minimal traces and raising significant concerns.

Harris retreated to his home office, meticulously analyzing possible scenarios. His focus zeroed in on a Microsoft application responsible for user authentication in cloud-based programs. After extensive research, he identified a critical flaw allowing attackers to impersonate legitimate users, gaining access to sensitive information without detection.

This discovery was particularly alarming given Harris's background. "The decisions are not based on what’s best for Microsoft’s customers but on what’s best for Microsoft," Harris, now working for CrowdStrike, stated.

Despite the severity, Harris faced resistance from within Microsoft. A product leader expressed concerns about the financial implications of acknowledging the flaw, particularly as the federal government was poised to make a significant investment in cloud computing.

Harris's attempts to address the vulnerability were dismissed, with Microsoft promising long-term solutions while leaving cloud services exposed. His temporary fix, which required disabling a popular feature, was not widely implemented. Frustrated, Harris left Microsoft in 2020, but his fears materialized soon after.

In what became known as the SolarWinds hack, Russian state-sponsored hackers exploited the flaw Harris had identified, infiltrating federal agencies, including the National Nuclear Security Administration and the National Institutes of Health. This breach, described as "an espionage campaign designed for long-term intelligence collection," compromised sensitive data, including high-level Treasury Department email accounts.

Microsoft President Brad Smith, testifying before Congress in 2021, insisted there were no vulnerabilities in Microsoft products related to SolarWinds, shifting blame to customers for not doing enough to protect themselves. However, Harris contends that users were never given the chance to safeguard against the identified flaw.

ProPublica's investigation, supported by Harris's account and corroborated by interviews and social media posts, challenges the public narrative. Microsoft’s focus on profits over security, particularly during the cloud market race, emerges as a central issue. "If you’re faced with the tradeoff between security and another priority, your answer is clear: Do security," said Microsoft CEO Satya Nadella, following a critical Cyber Safety Review Board report.

Jeff Williams, co-founder and CTO at Contrast Security, offered insight into the challenges faced by large tech companies like Microsoft in managing vulnerabilities. "Microsoft is getting excoriated for taking a long time to respond to what turned out to be a very serious vulnerability. While it's pretty obvious in hindsight that they made a mistake, I think commentators are judging them without seeing the whole picture," Williams said. He highlighted the complexity of modern software, built from numerous components and often riddled with thousands of reported vulnerabilities. "The overwhelming majority of these reports turn out to be false, unexploitable, or low risk — but the investigation of each one takes many hours, often days, and sometimes weeks or months. Microsoft has to prioritize these vulnerability reports based on the information they have, which may be spotty, incomplete, erroneous, etc."

Williams emphasized that the broader issue lies in how society prioritizes new features over security and the lack of stringent regulatory measures for software transparency. "It may be a surprise to some that most large organizations, including your bank, your healthcare companies, and your government ALL carry huge application vulnerability backlogs... We all bear responsibility. And we are all SolarWinds."

As the Pentagon looks to expand its use of Microsoft products, federal lawmakers are scrutinizing the company's security practices. Smith is scheduled to testify before the House Homeland Security Committee regarding a separate breach linked to Chinese hackers, further highlighting ongoing concerns about Microsoft’s security culture.

Harris’s revelations provide a stark reminder of the delicate balance between innovation, security, and corporate priorities. As tech giants like Microsoft push to dominate emerging markets, the importance of robust cybersecurity measures cannot be overstated.
