Date: 2023-07-27

The Biden administration is facing increasing pressure from Capitol Hill to scrutinize Microsoft after the company’s latest cybersecurity failure allowed suspected Chinese hackers to penetrate the email accounts of several government agencies.

On Thursday, Sen. Ron Wyden (D-Ore.) asked several federal officials to “take action to hold Microsoft responsible for its negligent cybersecurity practices,” arguing that the tech giant “bears significant responsibility” for the authentication flaws that allowed hackers to access roughly two dozen of its customers’ email systems.

The “obvious flaws” that enabled the attack “should have been caught by Microsoft’s internal and external security audits,” Wyden wrote to Attorney General Merrick Garland, FTC Chair Lina Khan and Jen Easterly, director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency. “That these flaws were not detected raises questions about what other serious cybersecurity defects these auditors also missed.”

Wyden urged Khan to investigate whether Microsoft’s cybersecurity defenses violated any federal laws that the FTC enforces, including those governing “unfair and deceptive business practices.” He asked Garland to consider whether to charge Microsoft with defrauding the government by misrepresenting the security of its products — a strategy that the government has said it will pursue when applicable through a new initiative.

Wyden asked Easterly to task DHS’s Cyber Safety Review Board — which was modeled on the National Transportation Safety Board — with investigating the email hacking incident, including whether Microsoft stored its authentication keys using the most secure practices available.



The Oregon senator made it clear that his anger at Microsoft was not solely the result of the latest hacking campaign. The tech giant “never took responsibility,” he wrote, for the way that its products enabled a much larger 2020 Russian cyber espionage campaign that began with attacks on IT management software made by SolarWinds.