Whistleblower: Microsoft put profit ahead of security
Microsoft chose profit over security and left US government vulnerable to Russian hacking, whistleblower says
Former employee says the software giant dismissed his warnings about a critical flaw for fear of losing government business. Russian hackers later used the vulnerability to penetrate the National Nuclear Security Administration, among others.
Microsoft hired Andrew Harris for his exceptional ability to keep hackers out of the country's most sensitive computer networks. In 2016, Harris was working on a mysterious incident in which intruders had somehow infiltrated a major US technology company.
The breach troubled Harris for two reasons. First, it involved the company's cloud - a virtual warehouse that typically contains an organization's most sensitive data. Second, the attackers had done it in a way that left hardly any trace.
He retreated to his home office to simulate possible scenarios and stress test the various software products that could have been compromised.
Early on, he focused on a Microsoft application that ensured users had permission to log in to cloud-based programs, the cyber equivalent of an official checking passports at a border. There, after months of research, he found something seriously wrong.
The product, used by millions of people to log in to their work computers, contained a flaw that could allow attackers to impersonate legitimate employees and rifle through victims' "crown jewels" - national security secrets, corporate intellectual property, embarrassing personal emails - all without raising the alarm.
For Harris, who had previously worked for the Department of Defense for nearly seven years, it was a security nightmare. Anyone using the software was exposed, regardless of whether they used Microsoft or another cloud provider like Amazon. But Harris was most concerned about the federal government and the national security implications of his discovery. He pointed out the problem to his colleagues.
They saw it differently, Harris said. The federal government was preparing to invest heavily in cloud computing, and Microsoft wanted the business. Acknowledging the security flaw could jeopardize the company's chances, Harris recalled a product manager telling him. The financial implications were huge. Microsoft could not only lose a multibillion-dollar deal, but also the race to dominate the cloud computing market.
Harris said he pleaded with the company for several years to fix the flaw in the product, according to an investigation by ProPublica. But Microsoft dismissed his warnings at every turn, telling him they were working on a long-term alternative - making cloud services around the world vulnerable to attack in the meantime.
Harris was sure someone would figure out how to exploit the weakness. He came up with a temporary fix, but it required customers to disable one of Microsoft's most convenient and popular features: the ability to use a single sign-on to access almost any program used at work.
He rushed to warn some of the company's most sensitive customers about the threat and personally oversaw the fix for the New York Police Department. Frustrated by Microsoft's inaction, he left the company in August 2020.
Within a few months, his fears became reality. US officials confirmed reports that a state-sponsored team of Russian hackers had carried out the SolarWinds attack, one of the largest cyberattacks in US history. They used the flaw Harris identified to siphon sensitive data from a number of federal agencies, including, ProPublica has learned, the National Nuclear Security Administration, which maintains the United States' nuclear arsenal, and the National Institutes of Health, which was involved with COVID-19 research and vaccine distribution at the time. The Russians also used the vulnerability to compromise dozens of email accounts at the Treasury Department, including those of its highest-ranking officials. One federal official described the breach as "an espionage campaign aimed at long-term intelligence collection."
Harris' account, told here for the first time and supported by interviews with former colleagues and employees as well as social media posts, turns the prevailing public understanding of the SolarWinds hack on its head.
From the moment the hack surfaced, Microsoft insisted it was innocent. Microsoft President Brad Smith assured Congress in 2021 that "there was no vulnerability in any Microsoft product or service that was exploited" in SolarWinds.
He also said that customers could have done more to protect themselves.
Harris said they never got the chance.
"The decisions are not based on what's best for Microsoft's customers, but what's best for Microsoft," said Harris, who now works for CrowdStrike, a cybersecurity company that competes with Microsoft.
Microsoft declined to make Smith and other high-ranking officials available for interviews for this story, but did not dispute ProPublica's findings. Instead, the company issued a statement in response to written questions. "Protecting customers is always our top priority," a spokesperson said. "Our security response team takes all security issues seriously and reviews each case with a thorough manual assessment as well as cross-confirmation with engineering and security partners. Our assessment of this issue was reviewed multiple times and was in line with industry consensus."
ProPublica's investigation comes at a time when the Pentagon is seeking to expand its use of Microsoft products - a move that has come under scrutiny from federal lawmakers in light of a series of cyberattacks on the government.
Smith is scheduled to testify Thursday before the House Homeland Security Committee, which is investigating Microsoft's role in a breach committed last year by hackers with ties to the Chinese government. Attackers exploited Microsoft vulnerabilities to gain access to the emails of high-ranking US officials. In investigating the attack, the Cyber Safety Review Board found that Microsoft's "security culture was inadequate and in need of an overhaul".
For its part, Microsoft has said that work has already begun, stating that the company's top priority is security "above all else." Part of the effort is to adopt the board's recommendations. "If you're faced with the trade-off between security and another priority, your answer is clear: Do security," the company's CEO Satya Nadella told employees after the board's report, which found a "corporate culture that neglected both investment in enterprise security and rigorous risk management."
ProPublica's investigation adds new details and crucial context about this culture, offering a troubling glimpse into how the world's largest software provider handles the security of its own ubiquitous products. It also offers important insights into how the pursuit of profits can drive these security decisions, especially as tech giants push to dominate the newest - and most lucrative - frontiers, including the cloud market.
"That's part of the problem in the industry as a whole," said Nick DiCola, who was one of Harris' bosses at Microsoft and now works at Zero Networks, a network security firm. Publicly traded tech giants "are beholden to stock price, not always doing the right thing for the customer. That's just a reality of capitalism. You're never going to change that in a publicly traded company because at the end of the day, they want shareholder value to go up."
A "cloud-first world"
...
A clash with the "won't fix" culture
...
Business before security
...
Killing the competition
...
Another important warning
...
Defusing a ticking bomb
...
More disturbing revelations
...
SolarWinds attack
...
"Microsoft is back in the lead"
...
Found on https://www.propublica.org/article/microsoft-solarwinds-golden-saml-data-breach-russian-hackers