Senator Calls on Microsoft to Take Responsibility for China-Linked Cyberattacks
Senator Ron Wyden has sent a strongly worded letter to important federal agencies, urging them to conduct several investigations into Microsoft Corp. The senator is concerned about a breach of US officials’ email accounts, which has been attributed to hackers with ties to China.
Wyden’s letter, sent to the heads of the Cybersecurity and Infrastructure Security Agency, the Justice Department and the Federal Trade Commission, said Microsoft “bears significant responsibility for this new incident.” The senator also blasted the company for its role in the SolarWinds attack, which was revealed in 2020 when Russian hackers compromised federal and private sector computer networks.
The hacking of US officials’ email, which included the accounts of Commerce Secretary Gina Raimondo and State Department officials, occurred shortly before Secretary of State Antony Blinken traveled to China to meet with President Xi Jinping. Rob Joyce, a senior official at the National Security Agency, described the breach as “China spying.”
What distinguished the hack was not what happened but how the hackers got access. They did so by obtaining Microsoft’s consumer signing key, which allowed them to access officials’ emails despite security protections. Microsoft has yet to reveal exactly how the key was obtained.
“Government emails were stolen because Microsoft made another mistake,” Wyden, Democrat of Oregon, said in the letter. “Microsoft should not have had a single skeleton key that, if stolen, could inevitably be used to fake access to private communications of various customers.”
A Microsoft spokesperson said the incident “demonstrates the evolving challenges of cybersecurity in the face of sophisticated attacks.”
“We will continue to work directly with government agencies on this matter, and we are sticking to our commitment to continue sharing information on the Microsoft Threat Intelligence blog,” the representative said.
Wyden’s letter was previously reported by the Wall Street Journal.
Wyden said CISA Director Jen Easterly should direct the Cyber Safety Review Board to investigate the incident. This body, created by executive order of the Biden administration, assesses cybersecurity incidents and issues a report.
The SolarWinds hack was originally intended to be the first investigation by the board under the executive order that created it. But that investigation never happened.
Wyden said he has pushed CISA and the Department of Homeland Security to direct the government to investigate the SolarWinds breach. “Had this review occurred, it is quite likely that Microsoft’s poor security practices regarding encryption keys would have been exposed and this latest incident could have been avoided,” he said.
The letter also asks Attorney General Merrick Garland and FTC Chairwoman Lina Khan to investigate whether Microsoft is violating federal laws, including unfair and deceptive business practices laws.