Congress warns Microsoft about foreign hackers again — will it matter this time?

To get things done using the power of the US government, President Theodore Roosevelt used to advise, “Speak softly and carry a big stick.” No need to rage and roar to accomplish what you want — instead, rely on the considerable power of the federal government to get things done.

How things have changed. These days when it comes to reining in Big Tech, the motto of Congress has essentially become “Speak loudly and carry a small stick.” Call a public hearing, rant and rave about the untrammeled power of major tech players — then do nothing.

Take, for example, the recent mid-June hearing in which the House Committee on Homeland Security grilled Microsoft President Brad Smith about how the company allowed Chinese government-supported hackers to carry out what The New York Times calls “a devastating hack of federal government networks” while maintaining its business presence on Chinese soil.

At the hearing, Congress members demanded that Microsoft harden its security, and questioned its commercial presence in China. Then the hearing ended. Congress had spoken loudly — perhaps not nearly as loudly as it should have, but at least it was more than a whisper.

After that? No big stick. In fact, no stick at all. Microsoft continues to have the largest share of the federal government’s IT budget. And it still hasn’t faced any consequences for allowing Chinese hackers to run wild through government networks.

However, there’s some evidence that Microsoft might finally face real pushback from the feds, including possible revenue losses. To see why that may happen, let’s first take a deeper look at the Chinese hack and Microsoft’s presence in China.

Storm-0558 runs amok

A year ago, the Chinese government-sponsored espionage group Storm-0558 conducted an audacious feat of hacking — it broke into the email accounts of high-level government officials, including Commerce Secretary Gina Raimondo, Ambassador to China Nicholas Burns, and Rep. Don Bacon (R-NE), all of whom help oversee the US relationship with China.

That was just the tip of the iceberg. Some 25 US government agencies were hit; 60,000 emails from the State Department alone were stolen by the hackers.

As I detailed earlier this year, the attack was made possible by stunning acts of incompetence. The Chinese hackers used a cryptographic key to carry out the exploit — a key created in 2016 that was supposed to have been retired in 2021 but wasn’t. Why didn’t Microsoft retire it? Because the company couldn’t make its consumer keys more secure, and so rather than solve the problem, it left the key lying around in an insecure place. Storm-0558 stole it, used it to forge user credentials, and then used those credentials to hack into government email accounts.

In April, the US Department of Homeland Security (DHS) delivered a blistering report, blaming the hack on a “cascade of Microsoft’s avoidable errors.” The report said the company “failed to detect the compromise of its cryptographic crown jewels on its own, relying instead on a customer to reach out to identify anomalies the customer had observed.”

The report, according to The Washington Post, exposed Microsoft’s “shoddy cybersecurity practices, lax corporate culture and a lack of transparency.”

Microsoft’s presence in China

Meanwhile, while China hacks Microsoft, Microsoft keeps a presence in China. Smith told Congress that the company’s commercial presence there accounts for an estimated 1.4% to 1.5% of its overall sales. That might not sound like much, but the company’s revenue for the fiscal year ending in March 2024 was $236.6 billion, meaning Microsoft took in approximately $1.5 billion from its Chinese office.

Given Chinese hacking of Microsoft and its customers, including the federal government, Congress members at the hearing asked why the company kept its presence in China, especially since the revenue represents such a small part of the company’s overall sales.

“Is it worth it?” Rep. Carlos Gimenez (R-FL) asked bluntly.

Smith gave an answer only a lawyer could love — or understand, for that matter. The Times paraphrased the answer this way: “Mr. Smith argued that Microsoft’s business in China served American interests by protecting the trade secrets of Microsoft’s American customers operating there and learning from what’s going on in the rest of the world.”

Got it? Me, neither. The real reason is simpler: Microsoft didn’t become the world’s most valuable company (or second-most valuable company, depending on the day) by leaving money on the table, even if it’s only 1.4% of its total sales.

The ‘not-a-gotcha’ hearing

Smith’s grilling was pretty tame. Rep. Bennie Thompson (D-MS) telegraphed that before the questioning began. “This is not a gotcha hearing,” he assured Smith.

After it was over, not much seemed to have changed. Microsoft continues to be a target for Chinese hackers, and the company still has a Chinese office. And Microsoft continues to reap billions from the federal government including, ironically, for cybersecurity services.

But there are some small signs that perhaps Microsoft could eventually face consequences for lax security practices. Multiple tech industry groups that include Microsoft competitors have launched a lobbying campaign, arguing that having the federal government rely so heavily on a single vendor for tech products and services is inherently a cyber risk.

In a letter to top government officials and Congress, they argued that best security practices require that the government “switch to a multi-vendor environment” — in other words, stop relying so heavily on Microsoft and let other companies in on the action.

There’s evidence that at least some in Congress are listening. In late May, Sens. Eric Schmitt (R-MO) and Ron Wyden (D-OR) sent a sharp letter asking the Pentagon to back off from a plan to expand its use of Microsoft products: “We write with serious concern that the Department of Defense (DoD) is doubling down on a failed strategy of increasing its dependence on Microsoft at a time when Congress and the administration are reviewing concerning cybersecurity lapses that led to a massive hack of senior U.S. officials’ communications….

“We are deeply concerned that DoD is choosing not to pursue a multi-vendor approach that would result in greater competition, lower long-term costs, and better outcomes related to cybersecurity.”

The DoD, of course, doesn’t need to heed the letter. But Microsoft is clearly starting to feel some heat. Smith told Congress that in response to the Chinese hack, Microsoft launched what he calls “the single largest cybersecurity engineering project in the history of digital technology.”

If that’s true, and if it stops future attacks like the Chinese one, Microsoft will likely be sitting pretty. I wouldn’t expect the feds to cut back on Microsoft contracts. But if he’s wrong and there’s another major hack, I’d bet that for once Congress will speak loudly, carry a big stick — and cut back on government contracts with the company.