DHS Cyber Safety Review Board blames corporate culture for 2023 Microsoft Exchange Online incident

Following an independent review of the Microsoft Exchange Online intrusion in summer 2023, the U.S. Department of Homeland Security (DHS) Cyber Safety Review Board (CSRB) announced that the attack had been preventable, and steps should be taken to do so in the future.

Last summer, Microsoft Exchange Online was hit by several intrusions from Storm-0558, a hacking group CSRB judged to be affiliated with China. That group secured access to numerous organizations’ mailboxes through this breach, in turn compromising hundreds of governmental as well as private accounts. While hackers will always be an issue, their crimes are often built on opportunity, and such was the case here, as the CSRB chided Microsoft for decisions that failed to emphasize security investments and risk management, despite its central role in the modern technology sector.

“Individuals and organizations across the country rely on cloud services every day, and the security of this technology has never been more important,” Secretary of Homeland Security Alejandro Mayorkas said. “Nation-state actors continue to grow more sophisticated in their ability to compromise cloud service systems. Public-private partnerships like the CSRB are critical in our efforts to mitigate the serious cyber threat these nation-state actors pose. The Department of Homeland Security appreciates the Board’s comprehensive review and report of the Storm-0558 incident. Implementation of the Board’s recommendations will enhance our cybersecurity for years to come.”

CSRB’s findings stemmed from data, as well as interviews with 20 organizations, industry experts and affected organizations. This marked the third completed review by the Board since its founding in 2022, and in addition to its findings, it also pushed recommendations for the industry to follow going forward.

“Cloud computing is some of the most critical infrastructure we have, as it hosts sensitive data and powers business operations across our economy,” Robert Silvers, DHS Under Secretary of Policy and CSRB chair, said. “It is imperative that cloud service providers prioritize security and build it in by design. The Board has become the authoritative organization for conducting fact-finding and issuing recommendations in the wake of major cyber incidents, receiving extensive industry and expert input in each of its three reviews to date. We appreciate Microsoft’s full cooperation in the course of the Board’s seven-month, independent review.”

This prioritization included calling on Microsoft to develop and make public a plan for security-focused reforms among it and its products. CSRB also recommended that cloud service providers undertake modern control mechanisms and baseline practices to reduce risks of system-level compromises, adopt minimum standards for default audit logging in cloud services and provide notices to victims, among others.