Microsoft President Brad Smith addressed a congressional committee on Thursday, acknowledging the company’s recent cybersecurity shortcomings while advocating for stricter government measures against nation-state hackers. Smith emphasized the need for clear “red lines” and collective action to hold cyber threat actors accountable, underscoring the importance of collaboration between businesses and government agencies in safeguarding U.S. infrastructure from future threats.
The House Homeland Security Committee’s hearing was prompted by a recent Department of Homeland Security (DHS) report on a 2023 cyber incident linked to Chinese government hackers. The report criticized Microsoft’s operational decisions, prompting Smith to accept responsibility and commit to improving the company’s cybersecurity measures.
The committee also addressed other issues, including deepfake technology and the controversial Recall feature, with Smith pledging to review them and implement additional measures to protect users.
Why it matters: While being questioned, Brad Smith admitted to Microsoft’s recent cybersecurity failures, including the specific issues cited in the DHS report, and committed to prioritizing better security practices. Smith, however, stressed the importance of collective action between the private sector, the public sector, and allied governments to establish clear consequences for cyberattacks, underscoring the growing realization that cybersecurity challenges extend far beyond any single organization.
- Operational Changes: Microsoft is implementing the 16 recommendations from the Cyber Safety Review Board (CSRB) report and plans to provide Congress with updates on progress and timelines for these changes.
- Cybersecurity Initiatives: Smith also highlighted efforts to tie executive compensation to cybersecurity performance as a way to strengthen Microsoft’s security posture. When questioned about the specifics of the compensation program, however, he replied that the plan was still being formulated and that he would provide Congress with the details in the future.
- Comparison to UnitedHealth: The hearing mirrored a recent session in which UnitedHealth CEO Andrew Witty was questioned about a ransomware attack affecting its subsidiary, Change Healthcare, demonstrating ongoing congressional scrutiny of major corporations’ cybersecurity practices.
Microsoft President to Congress: ‘We Accept Responsibility’ for Cybersecurity Failures – CNN